
'Backdoor Program.AP'


This topic is locked
37 replies to this topic

#1 katiecalf

Posted 10 September 2005 - 03:53 PM

The Backdoor Program.AP virus was found in file C:\Documents and Settings\Munchkin\Local Settings\Temp\1B.tmp.

I could not access ActiveScan; it was hijacked to another website. I did use Trendware Housecall, but it would not allow me to clean; it kept asking for a ticket, but when I clicked on "ticket" it went nowhere.
These are what Housecall came up with, and the number of infections:
TROJ_Agent.AG 2
TROJ_StartPage.RE 1
TROJ_Agent.xo 32



Logfile of HijackThis v1.99.1
Scan saved at 3:36:05 PM, on 9/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Gilat\QMS\QMS.exe
C:\Program Files\Gilat\GSU\GSU.exe
C:\Program Files\Gilat\IBQoS\ibqossvc.exe
C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
C:\PROGRA~1\GILAT\INTERN~1\AS_Agent.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
C:\Program Files\Gilat\NetAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\StarBand\Mission Control\HsuGui\HsuGuiControl.exe
C:\Program Files\StarBand\Mission Control\TaskBarClient.exe
C:\WINDOWS\system32\d3oe.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\StarBand\MISSIO~1\evrep.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Munchkin\Desktop\NEW downloads\spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.yahoo.com/{sub_rfc1766}/s...st/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {9CAD02CC-BB43-75C0-802F-FB2C2F6800B4} - C:\WINDOWS\crsd32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HsuGuiControl] C:\Program Files\StarBand\\Mission Control\HsuGui\HsuGuiControl.exe
O4 - HKLM\..\Run: [NettGain2000 Verifier] C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe
O4 - HKLM\..\Run: [TaskBarClient] C:\Program Files\StarBand\\Mission Control\TaskBarClient.exe
O4 - HKLM\..\Run: [d3oe.exe] C:\WINDOWS\system32\d3oe.exe
O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
O4 - HKLM\..\RunOnce: [winfp32.exe] C:\WINDOWS\system32\winfp32.exe
O4 - HKLM\..\RunOnce: [crkr.exe] C:\WINDOWS\system32\crkr.exe
O4 - HKLM\..\RunOnce: [ntbu32.exe] C:\WINDOWS\ntbu32.exe
O4 - HKLM\..\RunOnce: [netti32.exe] C:\WINDOWS\netti32.exe
O4 - HKLM\..\RunOnce: [d3en.exe] C:\WINDOWS\system32\d3en.exe
O4 - HKLM\..\RunOnce: [sysum.exe] C:\WINDOWS\sysum.exe
O4 - HKLM\..\RunOnce: [javazg.exe] C:\WINDOWS\javazg.exe
O4 - HKLM\..\RunOnce: [apiip32.exe] C:\WINDOWS\apiip32.exe
O4 - HKLM\..\RunOnce: [netuq.exe] C:\WINDOWS\system32\netuq.exe
O4 - HKLM\..\RunOnce: [addzl32.exe] C:\WINDOWS\addzl32.exe
O4 - HKLM\..\RunOnce: [msdu.exe] C:\WINDOWS\system32\msdu.exe
O4 - HKLM\..\RunOnce: [ntjx32.exe] C:\WINDOWS\system32\ntjx32.exe
O4 - HKLM\..\RunOnce: [apphg32.exe] C:\WINDOWS\system32\apphg32.exe
O4 - HKLM\..\RunOnce: [atlhx32.exe] C:\WINDOWS\system32\atlhx32.exe
O4 - HKLM\..\RunOnce: [d3tk32.exe] C:\WINDOWS\system32\d3tk32.exe
O4 - HKLM\..\RunOnce: [atlob32.exe] C:\WINDOWS\system32\atlob32.exe
O4 - HKLM\..\RunOnce: [msbv.exe] C:\WINDOWS\system32\msbv.exe
O4 - HKLM\..\RunOnce: [atlao.exe] C:\WINDOWS\atlao.exe
O4 - HKLM\..\RunOnce: [javaju32.exe] C:\WINDOWS\javaju32.exe
O4 - HKLM\..\RunOnce: [sdkcd.exe] C:\WINDOWS\sdkcd.exe
O4 - HKLM\..\RunOnce: [syscb32.exe] C:\WINDOWS\syscb32.exe
O4 - HKLM\..\RunOnce: [sdkhv32.exe] C:\WINDOWS\sdkhv32.exe
O4 - HKLM\..\RunOnce: [atlxb32.exe] C:\WINDOWS\atlxb32.exe
O4 - HKLM\..\RunOnce: [appna32.exe] C:\WINDOWS\system32\appna32.exe
O4 - HKLM\..\RunOnce: [atloe.exe] C:\WINDOWS\atloe.exe
O4 - HKLM\..\RunOnce: [crvi.exe] C:\WINDOWS\crvi.exe
O4 - HKLM\..\RunOnce: [winfw32.exe] C:\WINDOWS\system32\winfw32.exe
O4 - HKLM\..\RunOnce: [appfk.exe] C:\WINDOWS\appfk.exe
O4 - HKLM\..\RunOnce: [addlb.exe] C:\WINDOWS\addlb.exe
O4 - HKLM\..\RunOnce: [crrd.exe] C:\WINDOWS\crrd.exe
O4 - HKLM\..\RunOnce: [msjk32.exe] C:\WINDOWS\msjk32.exe
O4 - HKLM\..\RunOnce: [atlqh.exe] C:\WINDOWS\system32\atlqh.exe
O4 - HKLM\..\RunOnce: [iexl.exe] C:\WINDOWS\iexl.exe
O4 - HKLM\..\RunOnce: [mszt.exe] C:\WINDOWS\mszt.exe
O4 - HKLM\..\RunOnce: [mfcht.exe] C:\WINDOWS\system32\mfcht.exe
O4 - HKLM\..\RunOnce: [addtb.exe] C:\WINDOWS\addtb.exe
O4 - HKLM\..\RunOnce: [ntxj32.exe] C:\WINDOWS\ntxj32.exe
O4 - HKLM\..\RunOnce: [msif.exe] C:\WINDOWS\system32\msif.exe
O4 - HKLM\..\RunOnce: [crgg32.exe] C:\WINDOWS\system32\crgg32.exe
O4 - HKLM\..\RunOnce: [netua.exe] C:\WINDOWS\system32\netua.exe
O4 - HKLM\..\RunOnce: [d3pk.exe] C:\WINDOWS\d3pk.exe
O4 - HKLM\..\RunOnce: [ipcm32.exe] C:\WINDOWS\system32\ipcm32.exe
O4 - HKLM\..\RunOnce: [appnd.exe] C:\WINDOWS\appnd.exe
O4 - HKLM\..\RunOnce: [d3tx32.exe] C:\WINDOWS\d3tx32.exe
O4 - HKLM\..\RunOnce: [atlwi32.exe] C:\WINDOWS\system32\atlwi32.exe
O4 - HKLM\..\RunOnce: [msbl32.exe] C:\WINDOWS\msbl32.exe
O4 - HKLM\..\RunOnce: [syspn.exe] C:\WINDOWS\syspn.exe
O4 - HKLM\..\RunOnce: [javaup32.exe] C:\WINDOWS\javaup32.exe
O4 - HKLM\..\RunOnce: [iecb32.exe] C:\WINDOWS\iecb32.exe
O4 - HKLM\..\RunOnce: [atlmx.exe] C:\WINDOWS\system32\atlmx.exe
O4 - HKLM\..\RunOnce: [appky32.exe] C:\WINDOWS\system32\appky32.exe
O4 - HKLM\..\RunOnce: [atltc.exe] C:\WINDOWS\system32\atltc.exe
O4 - HKLM\..\RunOnce: [mshe32.exe] C:\WINDOWS\system32\mshe32.exe
O4 - HKLM\..\RunOnce: [addxl.exe] C:\WINDOWS\system32\addxl.exe
O4 - HKLM\..\RunOnce: [crcf.exe] C:\WINDOWS\crcf.exe
O4 - HKLM\..\RunOnce: [iepi.exe] C:\WINDOWS\system32\iepi.exe
O4 - HKLM\..\RunOnce: [sdkvk32.exe] C:\WINDOWS\sdkvk32.exe
O4 - HKLM\..\RunOnce: [mfciu32.exe] C:\WINDOWS\mfciu32.exe
O4 - HKLM\..\RunOnce: [sysno.exe] C:\WINDOWS\sysno.exe
O4 - HKLM\..\RunOnce: [sdkhn32.exe] C:\WINDOWS\sdkhn32.exe
O4 - HKLM\..\RunOnce: [atlmh32.exe] C:\WINDOWS\atlmh32.exe
O4 - HKLM\..\RunOnce: [msak.exe] C:\WINDOWS\system32\msak.exe
O4 - HKLM\..\RunOnce: [ipge.exe] C:\WINDOWS\ipge.exe
O4 - HKLM\..\RunOnce: [d3ez32.exe] C:\WINDOWS\d3ez32.exe
O4 - HKLM\..\RunOnce: [netkt.exe] C:\WINDOWS\netkt.exe
O4 - HKLM\..\RunOnce: [winjb32.exe] C:\WINDOWS\winjb32.exe
O4 - HKLM\..\RunOnce: [crov.exe] C:\WINDOWS\system32\crov.exe
O4 - HKLM\..\RunOnce: [ipnj.exe] C:\WINDOWS\ipnj.exe
O4 - HKLM\..\RunOnce: [addsd32.exe] C:\WINDOWS\addsd32.exe
O4 - HKLM\..\RunOnce: [apith.exe] C:\WINDOWS\apith.exe
O4 - HKLM\..\RunOnce: [ieac.exe] C:\WINDOWS\system32\ieac.exe
O4 - HKLM\..\RunOnce: [javabg.exe] C:\WINDOWS\javabg.exe
O4 - HKLM\..\RunOnce: [apigb32.exe] C:\WINDOWS\apigb32.exe
O4 - HKLM\..\RunOnce: [netpm.exe] C:\WINDOWS\netpm.exe
O4 - HKLM\..\RunOnce: [d3nf.exe] C:\WINDOWS\system32\d3nf.exe
O4 - HKLM\..\RunOnce: [crrv.exe] C:\WINDOWS\system32\crrv.exe
O4 - HKLM\..\RunOnce: [syswx.exe] C:\WINDOWS\syswx.exe
O4 - HKLM\..\RunOnce: [javabr.exe] C:\WINDOWS\javabr.exe
O4 - HKLM\..\RunOnce: [winzm.exe] C:\WINDOWS\system32\winzm.exe
O4 - HKLM\..\RunOnce: [ipmf.exe] C:\WINDOWS\ipmf.exe
O4 - HKLM\..\RunOnce: [apprz32.exe] C:\WINDOWS\system32\apprz32.exe
O4 - HKLM\..\RunOnce: [apifz32.exe] C:\WINDOWS\apifz32.exe
O4 - HKLM\..\RunOnce: [syske32.exe] C:\WINDOWS\system32\syske32.exe
O4 - HKLM\..\RunOnce: [javapy.exe] C:\WINDOWS\system32\javapy.exe
O4 - HKLM\..\RunOnce: [systq32.exe] C:\WINDOWS\system32\systq32.exe
O4 - HKLM\..\RunOnce: [javahk.exe] C:\WINDOWS\javahk.exe
O4 - HKLM\..\RunOnce: [crhy.exe] C:\WINDOWS\system32\crhy.exe
O4 - HKLM\..\RunOnce: [apius32.exe] C:\WINDOWS\apius32.exe
O4 - HKLM\..\RunOnce: [d3zf32.exe] C:\WINDOWS\system32\d3zf32.exe
O4 - HKLM\..\RunOnce: [netsw.exe] C:\WINDOWS\system32\netsw.exe
O4 - HKLM\..\RunOnce: [winyr.exe] C:\WINDOWS\system32\winyr.exe
O4 - HKLM\..\RunOnce: [winvl32.exe] C:\WINDOWS\system32\winvl32.exe
O4 - HKLM\..\RunOnce: [crvf.exe] C:\WINDOWS\crvf.exe
O4 - HKLM\..\RunOnce: [addtq.exe] C:\WINDOWS\addtq.exe
O4 - HKLM\..\RunOnce: [sdkcu.exe] C:\WINDOWS\sdkcu.exe
O4 - HKLM\..\RunOnce: [mfchw32.exe] C:\WINDOWS\system32\mfchw32.exe
O4 - HKLM\..\RunOnce: [javald.exe] C:\WINDOWS\javald.exe
O4 - HKLM\..\RunOnce: [sdkud32.exe] C:\WINDOWS\system32\sdkud32.exe
O4 - HKLM\..\RunOnce: [mfczg.exe] C:\WINDOWS\mfczg.exe
O4 - HKLM\..\RunOnce: [javask32.exe] C:\WINDOWS\javask32.exe
O4 - HKLM\..\RunOnce: [mfcxe.exe] C:\WINDOWS\system32\mfcxe.exe
O4 - HKLM\..\RunOnce: [atlvf32.exe] C:\WINDOWS\system32\atlvf32.exe
O4 - HKLM\..\RunOnce: [sdkzp32.exe] C:\WINDOWS\sdkzp32.exe
O4 - HKLM\..\RunOnce: [sdkcc.exe] C:\WINDOWS\sdkcc.exe
O4 - HKLM\..\RunOnce: [addmi32.exe] C:\WINDOWS\system32\addmi32.exe
O4 - HKLM\..\RunOnce: [crrc32.exe] C:\WINDOWS\crrc32.exe
O4 - HKLM\..\RunOnce: [sysnq.exe] C:\WINDOWS\system32\sysnq.exe
O4 - HKLM\..\RunOnce: [atlzv32.exe] C:\WINDOWS\system32\atlzv32.exe
O4 - HKLM\..\RunOnce: [winok32.exe] C:\WINDOWS\system32\winok32.exe
O4 - HKLM\..\RunOnce: [atlcm.exe] C:\WINDOWS\system32\atlcm.exe
O4 - HKLM\..\RunOnce: [ntmi.exe] C:\WINDOWS\ntmi.exe
O4 - HKLM\..\RunOnce: [javaeq.exe] C:\WINDOWS\system32\javaeq.exe
O4 - HKLM\..\RunOnce: [d3uc32.exe] C:\WINDOWS\d3uc32.exe
O4 - HKLM\..\RunOnce: [d3xr32.exe] C:\WINDOWS\d3xr32.exe
O4 - HKLM\..\RunOnce: [addin32.exe] C:\WINDOWS\system32\addin32.exe
O4 - HKLM\..\RunOnce: [d3re32.exe] C:\WINDOWS\system32\d3re32.exe
O4 - HKLM\..\RunOnce: [wincd.exe] C:\WINDOWS\system32\wincd.exe
O4 - HKLM\..\RunOnce: [javapf.exe] C:\WINDOWS\system32\javapf.exe
O4 - HKLM\..\RunOnce: [apiwl.exe] C:\WINDOWS\apiwl.exe
O4 - HKLM\..\RunOnce: [winbf32.exe] C:\WINDOWS\system32\winbf32.exe
O4 - HKLM\..\RunOnce: [apipr32.exe] C:\WINDOWS\system32\apipr32.exe
O4 - HKLM\..\RunOnce: [netwr32.exe] C:\WINDOWS\netwr32.exe
O4 - HKLM\..\RunOnce: [addkt32.exe] C:\WINDOWS\system32\addkt32.exe
O4 - HKLM\..\RunOnce: [msdq32.exe] C:\WINDOWS\system32\msdq32.exe
O4 - HKLM\..\RunOnce: [netvf.exe] C:\WINDOWS\netvf.exe
O4 - HKLM\..\RunOnce: [crym32.exe] C:\WINDOWS\system32\crym32.exe
O4 - HKLM\..\RunOnce: [mskl32.exe] C:\WINDOWS\system32\mskl32.exe
O4 - HKLM\..\RunOnce: [sdktx32.exe] C:\WINDOWS\system32\sdktx32.exe
O4 - HKLM\..\RunOnce: [sdkgr.exe] C:\WINDOWS\system32\sdkgr.exe
O4 - HKLM\..\RunOnce: [crjj.exe] C:\WINDOWS\crjj.exe
O4 - HKLM\..\RunOnce: [netsy.exe] C:\WINDOWS\netsy.exe
O4 - HKLM\..\RunOnce: [winpx32.exe] C:\WINDOWS\system32\winpx32.exe
O4 - HKLM\..\RunOnce: [javavr.exe] C:\WINDOWS\system32\javavr.exe
O4 - HKLM\..\RunOnce: [mfcbb.exe] C:\WINDOWS\system32\mfcbb.exe
O4 - HKLM\..\RunOnce: [iehv32.exe] C:\WINDOWS\iehv32.exe
O4 - HKLM\..\RunOnce: [appau32.exe] C:\WINDOWS\system32\appau32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D998DE2-4493-46B3-BB6D-9B8C6CEA399C}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D0E3684-65E3-4E49-99A0-1B1F2AEC82D1}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{550C0DC7-C0A1-41DD-A074-45C4E24F14C8}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{9051DFE4-2CEE-4D20-8422-64D317D48450}: NameServer = 69.50.176.198,195.225.176.153
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winfp32.exe" /s (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Gilat Quality Measurement Service (Gilat QMS) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\QMS\QMS.exe
O23 - Service: Gilat host software update service (GilatHSU) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\GSU\GSU.exe
O23 - Service: Gilat Network Agent Service (GilatNetAgent) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\NetAgent.exe
O23 - Service: Gilat IBQoS Agent (ibqossvc) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\IBQoS\ibqossvc.exe
O23 - Service: RPAService - Unknown owner - C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
O23 - Service: WgwService - Unknown owner - C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
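The log above shows the patterns a helper looks for by eye: IE start/search settings redirected to a `res://` DLL resource, a proxy on 127.0.0.1, a BHO with no real name, dozens of RunOnce entries whose filenames are a familiar prefix plus two random letters, hard-coded DNS servers, and a service with a garbage short name whose binary is missing. The script below is an added example, not part of the original post and not HijackThis itself: it parses lines in the HijackThis format and flags those patterns. The tags, the prefix list and the rules are this example's own assumptions; the sample lines are copied from the log in this thread, with a few benign entries added for contrast.

```python
"""Triage a HijackThis-style log for the hijack patterns visible in this thread.

Added example, not part of the original post and not HijackThis code. Tags,
prefix list and rules are this example's own choices (assumptions).
"""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: lines copied from the log posted above, plus benign
# entries (Acrobat, avast!, Symantec) so the rules have something to ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {9CAD02CC-BB43-75C0-802F-FB2C2F6800B4} - C:\WINDOWS\crsd32.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [d3oe.exe] C:\WINDOWS\system32\d3oe.exe
O4 - HKLM\..\RunOnce: [winfp32.exe] C:\WINDOWS\system32\winfp32.exe
O4 - HKLM\..\RunOnce: [javazg.exe] C:\WINDOWS\javazg.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D998DE2-4493-46B3-BB6D-9B8C6CEA399C}: NameServer = 69.50.176.198,195.225.176.153
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winfp32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Filenames in the log follow <familiar prefix><2 random letters>[32].exe;
# the prefix list is taken from the log above (assumption: nothing else).
PREFIXES = "add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win"
GENERATED = re.compile(rf"^(?:{PREFIXES})[a-z]{{2}}(?:32)?\.(?:exe|dll)$", re.I)

R_RE = re.compile(r"^R[013] - (.+?) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[^}]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?)(?: \(([^)]*)\))? - (.*?) - (.*)$")


def basename(path: str) -> str:
    """Last path component, with quoting, arguments and HJT notes stripped."""
    m = re.match(r'^"([^"]*)"', path)
    path = m.group(1) if m else path.split('"')[0]
    return re.split(r"[\\/]", path.strip())[-1]


def is_generated_name(filename: str) -> bool:
    """True for names like d3oe.exe, winfp32.exe, crsd32.dll; False for ashDisp.exe."""
    return GENERATED.match(filename) is not None


def triage(log_text: str) -> list:
    """Return one finding dict {tag, reason, line} per suspicious log line."""
    findings = []

    def flag(tag, reason, line):
        findings.append({"tag": tag, "reason": reason, "line": line})

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := R_RE.match(line):
            key, value = m.groups()
            if value.lower().startswith("res://") and ".dll" in value.lower():
                flag("ie-redirect", "IE start/search setting points at a DLL resource", line)
            elif key.endswith("ProxyServer") and "127.0.0.1" in value:
                flag("local-proxy", "browser traffic routed through a local proxy port", line)
        elif m := O2_RE.match(line):
            name, _clsid, path = m.groups()
            if name in ("Class", "(no name)") or is_generated_name(basename(path)):
                flag("suspicious-bho", "BHO with a generic name or generated filename", line)
        elif m := O4_RE.match(line):
            _hive, key, _name, cmd = m.groups()
            if is_generated_name(basename(cmd)):
                flag("generated-autorun", f"{key} entry launches a generated filename", line)
        elif m := O17_RE.match(line):
            servers = [s.strip() for s in m.group(1).split(",")]
            try:
                for s in servers:
                    ip_address(s)
            except ValueError:
                continue
            flag("dns-override", f"hard-coded DNS servers {servers}; verify against the ISP's", line)
        elif m := O23_RE.match(line):
            _name, short, _owner, cmd = m.groups()
            reasons = []
            if "(file missing)" in cmd:
                reasons.append("binary missing")
            if short and not re.fullmatch(r"[\w .-]+", short):
                reasons.append("garbage service short name")
            if is_generated_name(basename(cmd)):
                reasons.append("generated binary name")
            if reasons:
                flag("suspicious-service", "; ".join(reasons), line)
    return findings


def summarize(findings: list) -> Counter:
    """Count findings per tag, so a burst of RunOnce hits stands out at a glance."""
    return Counter(f["tag"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['tag']}] {f['reason']}\n    {f['line']}")
    print(summarize(results))
```

The rules are deliberately narrow to this log's naming scheme: a real triage pass would compare every autorun path against a known-good list rather than a prefix regex, but the regex is enough to show why the helper's deletion list is what it is.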


#2 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:28 AM

Posted 10 September 2005 - 03:59 PM

Hi Katie and Welcome back :thumbsup:

I got your message. I have to look at it tomorrow morning, but I will get back to you.


Life is what happens while you're making other plans

#3 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:28 AM

Posted 11 September 2005 - 09:18 AM

Sorry, bit later than expected.

Please read through the instructions before you start (you may want to print this out or copy it into a word program).

Please download and install these programs - don't run them yet!!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes, the status bar at the bottom will display "Update successful".
5. Exit Ewido. DO NOT scan yet.
Tutorial if needed

***

Download about:buster by RubbeRDuckY.
Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
***

Download and unzip HSfix to your desktop.

The above Registry file was written specifically for this infection and is not to be used on any other infection as it could damage a person's PC

***

Download CW-Shredder at the link below:
http://www.trendmicro.com/ftp/products/onl.../cwshredder.exe

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and uncheck "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\addlb.exe
C:\WINDOWS\addsd32.exe
C:\WINDOWS\addtb.exe
C:\WINDOWS\addtq.exe
C:\WINDOWS\addzl32.exe
C:\WINDOWS\apifz32.exe
C:\WINDOWS\apigb32.exe
C:\WINDOWS\apiip32.exe
C:\WINDOWS\apith.exe
C:\WINDOWS\apius32.exe
C:\WINDOWS\apiwl.exe
C:\WINDOWS\appfk.exe
C:\WINDOWS\appnd.exe
C:\WINDOWS\atlao.exe
C:\WINDOWS\atlmh32.exe
C:\WINDOWS\atloe.exe
C:\WINDOWS\atlxb32.exe
C:\WINDOWS\crcf.exe
C:\WINDOWS\crjj.exe
C:\WINDOWS\crrc32.exe
C:\WINDOWS\crrd.exe
C:\WINDOWS\crvf.exe
C:\WINDOWS\crvi.exe
C:\WINDOWS\d3ez32.exe
C:\WINDOWS\d3pk.exe
C:\WINDOWS\d3tx32.exe
C:\WINDOWS\d3uc32.exe
C:\WINDOWS\d3xr32.exe
C:\WINDOWS\iecb32.exe
C:\WINDOWS\iehv32.exe
C:\WINDOWS\iexl.exe
C:\WINDOWS\ipge.exe
C:\WINDOWS\ipmf.exe
C:\WINDOWS\ipnj.exe
C:\WINDOWS\javabg.exe
C:\WINDOWS\javabr.exe
C:\WINDOWS\javahk.exe
C:\WINDOWS\javaju32.exe
C:\WINDOWS\javald.exe
C:\WINDOWS\javask32.exe
C:\WINDOWS\javaup32.exe
C:\WINDOWS\javazg.exe
C:\WINDOWS\mfciu32.exe
C:\WINDOWS\mfczg.exe
C:\WINDOWS\msbl32.exe
C:\WINDOWS\msjk32.exe
C:\WINDOWS\mszt.exe
C:\WINDOWS\netkt.exe
C:\WINDOWS\netpm.exe
C:\WINDOWS\netsy.exe
C:\WINDOWS\netti32.exe
C:\WINDOWS\netvf.exe
C:\WINDOWS\netwr32.exe
C:\WINDOWS\ntbu32.exe
C:\WINDOWS\ntmi.exe
C:\WINDOWS\ntxj32.exe
C:\WINDOWS\sdkcc.exe
C:\WINDOWS\sdkcd.exe
C:\WINDOWS\sdkcu.exe
C:\WINDOWS\sdkhn32.exe
C:\WINDOWS\sdkhv32.exe
C:\WINDOWS\sdkvk32.exe
C:\WINDOWS\sdkzp32.exe
C:\WINDOWS\syscb32.exe
C:\WINDOWS\sysno.exe
C:\WINDOWS\syspn.exe
C:\WINDOWS\system32\addin32.exe
C:\WINDOWS\system32\addkt32.exe
C:\WINDOWS\system32\addmi32.exe
C:\WINDOWS\system32\addxl.exe
C:\WINDOWS\system32\apipr32.exe
C:\WINDOWS\system32\appau32.exe
C:\WINDOWS\system32\apphg32.exe
C:\WINDOWS\system32\appky32.exe
C:\WINDOWS\system32\appna32.exe
C:\WINDOWS\system32\apprz32.exe
C:\WINDOWS\system32\atlcm.exe
C:\WINDOWS\system32\atlhx32.exe
C:\WINDOWS\system32\atlmx.exe
C:\WINDOWS\system32\atlob32.exe
C:\WINDOWS\system32\atlqh.exe
C:\WINDOWS\system32\atltc.exe
C:\WINDOWS\system32\atlvf32.exe
C:\WINDOWS\system32\atlwi32.exe
C:\WINDOWS\system32\atlzv32.exe
C:\WINDOWS\system32\crgg32.exe
C:\WINDOWS\system32\crhy.exe
C:\WINDOWS\system32\crkr.exe
C:\WINDOWS\system32\crov.exe
C:\WINDOWS\system32\crrv.exe
C:\WINDOWS\system32\crym32.exe
C:\WINDOWS\system32\d3en.exe
C:\WINDOWS\system32\d3nf.exe
C:\WINDOWS\system32\d3oe.exe
C:\WINDOWS\system32\d3re32.exe
C:\WINDOWS\system32\d3tk32.exe
C:\WINDOWS\system32\d3zf32.exe
C:\WINDOWS\system32\ieac.exe
C:\WINDOWS\system32\iepi.exe
C:\WINDOWS\system32\ipcm32.exe
C:\WINDOWS\system32\javaeq.exe
C:\WINDOWS\system32\javapf.exe
C:\WINDOWS\system32\javapy.exe
C:\WINDOWS\system32\javavr.exe
C:\WINDOWS\system32\mfcbb.exe
C:\WINDOWS\system32\mfcht.exe
C:\WINDOWS\system32\mfchw32.exe
C:\WINDOWS\system32\mfcxe.exe
C:\WINDOWS\system32\msak.exe
C:\WINDOWS\system32\msbv.exe
C:\WINDOWS\system32\msdq32.exe
C:\WINDOWS\system32\msdu.exe
C:\WINDOWS\system32\mshe32.exe
C:\WINDOWS\system32\msif.exe
C:\WINDOWS\system32\mskl32.exe
C:\WINDOWS\system32\netsw.exe
C:\WINDOWS\system32\netua.exe
C:\WINDOWS\system32\netuq.exe
C:\WINDOWS\system32\ntjx32.exe
C:\WINDOWS\system32\sdkgr.exe
C:\WINDOWS\system32\sdktx32.exe
C:\WINDOWS\system32\sdkud32.exe
C:\WINDOWS\system32\syske32.exe
C:\WINDOWS\system32\sysnq.exe
C:\WINDOWS\system32\systq32.exe
C:\WINDOWS\system32\winbf32.exe
C:\WINDOWS\system32\wincd.exe
C:\WINDOWS\system32\winfp32.exe
C:\WINDOWS\system32\winfp32.exe
C:\WINDOWS\system32\winfw32.exe
C:\WINDOWS\system32\winok32.exe
C:\WINDOWS\system32\winpx32.exe
C:\WINDOWS\system32\winvl32.exe
C:\WINDOWS\system32\winyr.exe
C:\WINDOWS\system32\winzm.exe
C:\WINDOWS\sysum.exe
C:\WINDOWS\syswx.exe
C:\WINDOWS\winjb32.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

Important Step
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Remote Procedure Call (RPC) Helper
Be sure to take just this one; the others are legit.

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

***

Double click on the HSfix and when asked to merge say yes.

***

Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

***

Run About:Buster. This will scan your computer for the bad files and delete them. It will ask to scan the system again, let it. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:
The log will have changed, so if you cannot find an entry, move to the next.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\clsow.dll/sp.html#55135

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {9CAD02CC-BB43-75C0-802F-FB2C2F6800B4} - C:\WINDOWS\crsd32.dll

O4 - HKLM\..\Run: [d3oe.exe] C:\WINDOWS\system32\d3oe.exe

O4 - HKLM\..\RunOnce: [winfp32.exe] C:\WINDOWS\system32\winfp32.exe

O4 - HKLM\..\RunOnce: [crkr.exe] C:\WINDOWS\system32\crkr.exe

O4 - HKLM\..\RunOnce: [ntbu32.exe] C:\WINDOWS\ntbu32.exe

O4 - HKLM\..\RunOnce: [netti32.exe] C:\WINDOWS\netti32.exe

O4 - HKLM\..\RunOnce: [d3en.exe] C:\WINDOWS\system32\d3en.exe

O4 - HKLM\..\RunOnce: [sysum.exe] C:\WINDOWS\sysum.exe

O4 - HKLM\..\RunOnce: [javazg.exe] C:\WINDOWS\javazg.exe

O4 - HKLM\..\RunOnce: [apiip32.exe] C:\WINDOWS\apiip32.exe

O4 - HKLM\..\RunOnce: [netuq.exe] C:\WINDOWS\system32\netuq.exe

O4 - HKLM\..\RunOnce: [addzl32.exe] C:\WINDOWS\addzl32.exe

O4 - HKLM\..\RunOnce: [msdu.exe] C:\WINDOWS\system32\msdu.exe

O4 - HKLM\..\RunOnce: [ntjx32.exe] C:\WINDOWS\system32\ntjx32.exe

O4 - HKLM\..\RunOnce: [apphg32.exe] C:\WINDOWS\system32\apphg32.exe

O4 - HKLM\..\RunOnce: [atlhx32.exe] C:\WINDOWS\system32\atlhx32.exe

O4 - HKLM\..\RunOnce: [d3tk32.exe] C:\WINDOWS\system32\d3tk32.exe

O4 - HKLM\..\RunOnce: [atlob32.exe] C:\WINDOWS\system32\atlob32.exe

O4 - HKLM\..\RunOnce: [msbv.exe] C:\WINDOWS\system32\msbv.exe

O4 - HKLM\..\RunOnce: [atlao.exe] C:\WINDOWS\atlao.exe
O4 - HKLM\..\RunOnce: [javaju32.exe] C:\WINDOWS\javaju32.exe
O4 - HKLM\..\RunOnce: [sdkcd.exe] C:\WINDOWS\sdkcd.exe
O4 - HKLM\..\RunOnce: [syscb32.exe] C:\WINDOWS\syscb32.exe
O4 - HKLM\..\RunOnce: [sdkhv32.exe] C:\WINDOWS\sdkhv32.exe
O4 - HKLM\..\RunOnce: [atlxb32.exe] C:\WINDOWS\atlxb32.exe
O4 - HKLM\..\RunOnce: [appna32.exe] C:\WINDOWS\system32\appna32.exe
O4 - HKLM\..\RunOnce: [atloe.exe] C:\WINDOWS\atloe.exe
O4 - HKLM\..\RunOnce: [crvi.exe] C:\WINDOWS\crvi.exe
O4 - HKLM\..\RunOnce: [winfw32.exe] C:\WINDOWS\system32\winfw32.exe
O4 - HKLM\..\RunOnce: [appfk.exe] C:\WINDOWS\appfk.exe
O4 - HKLM\..\RunOnce: [addlb.exe] C:\WINDOWS\addlb.exe
O4 - HKLM\..\RunOnce: [crrd.exe] C:\WINDOWS\crrd.exe
O4 - HKLM\..\RunOnce: [msjk32.exe] C:\WINDOWS\msjk32.exe
O4 - HKLM\..\RunOnce: [atlqh.exe] C:\WINDOWS\system32\atlqh.exe
O4 - HKLM\..\RunOnce: [iexl.exe] C:\WINDOWS\iexl.exe
O4 - HKLM\..\RunOnce: [mszt.exe] C:\WINDOWS\mszt.exe
O4 - HKLM\..\RunOnce: [mfcht.exe] C:\WINDOWS\system32\mfcht.exe
O4 - HKLM\..\RunOnce: [addtb.exe] C:\WINDOWS\addtb.exe
O4 - HKLM\..\RunOnce: [ntxj32.exe] C:\WINDOWS\ntxj32.exe
O4 - HKLM\..\RunOnce: [msif.exe] C:\WINDOWS\system32\msif.exe
O4 - HKLM\..\RunOnce: [crgg32.exe] C:\WINDOWS\system32\crgg32.exe
O4 - HKLM\..\RunOnce: [netua.exe] C:\WINDOWS\system32\netua.exe
O4 - HKLM\..\RunOnce: [d3pk.exe] C:\WINDOWS\d3pk.exe
O4 - HKLM\..\RunOnce: [ipcm32.exe] C:\WINDOWS\system32\ipcm32.exe
O4 - HKLM\..\RunOnce: [appnd.exe] C:\WINDOWS\appnd.exe
O4 - HKLM\..\RunOnce: [d3tx32.exe] C:\WINDOWS\d3tx32.exe
O4 - HKLM\..\RunOnce: [atlwi32.exe] C:\WINDOWS\system32\atlwi32.exe
O4 - HKLM\..\RunOnce: [msbl32.exe] C:\WINDOWS\msbl32.exe
O4 - HKLM\..\RunOnce: [syspn.exe] C:\WINDOWS\syspn.exe
O4 - HKLM\..\RunOnce: [javaup32.exe] C:\WINDOWS\javaup32.exe
O4 - HKLM\..\RunOnce: [iecb32.exe] C:\WINDOWS\iecb32.exe
O4 - HKLM\..\RunOnce: [atlmx.exe] C:\WINDOWS\system32\atlmx.exe
O4 - HKLM\..\RunOnce: [appky32.exe] C:\WINDOWS\system32\appky32.exe
O4 - HKLM\..\RunOnce: [atltc.exe] C:\WINDOWS\system32\atltc.exe
O4 - HKLM\..\RunOnce: [mshe32.exe] C:\WINDOWS\system32\mshe32.exe
O4 - HKLM\..\RunOnce: [addxl.exe] C:\WINDOWS\system32\addxl.exe
O4 - HKLM\..\RunOnce: [crcf.exe] C:\WINDOWS\crcf.exe
O4 - HKLM\..\RunOnce: [iepi.exe] C:\WINDOWS\system32\iepi.exe
O4 - HKLM\..\RunOnce: [sdkvk32.exe] C:\WINDOWS\sdkvk32.exe
O4 - HKLM\..\RunOnce: [mfciu32.exe] C:\WINDOWS\mfciu32.exe
O4 - HKLM\..\RunOnce: [sysno.exe] C:\WINDOWS\sysno.exe
O4 - HKLM\..\RunOnce: [sdkhn32.exe] C:\WINDOWS\sdkhn32.exe
O4 - HKLM\..\RunOnce: [atlmh32.exe] C:\WINDOWS\atlmh32.exe
O4 - HKLM\..\RunOnce: [msak.exe] C:\WINDOWS\system32\msak.exe
O4 - HKLM\..\RunOnce: [ipge.exe] C:\WINDOWS\ipge.exe
O4 - HKLM\..\RunOnce: [d3ez32.exe] C:\WINDOWS\d3ez32.exe
O4 - HKLM\..\RunOnce: [netkt.exe] C:\WINDOWS\netkt.exe
O4 - HKLM\..\RunOnce: [winjb32.exe] C:\WINDOWS\winjb32.exe
O4 - HKLM\..\RunOnce: [crov.exe] C:\WINDOWS\system32\crov.exe
O4 - HKLM\..\RunOnce: [ipnj.exe] C:\WINDOWS\ipnj.exe
O4 - HKLM\..\RunOnce: [addsd32.exe] C:\WINDOWS\addsd32.exe
O4 - HKLM\..\RunOnce: [apith.exe] C:\WINDOWS\apith.exe
O4 - HKLM\..\RunOnce: [ieac.exe] C:\WINDOWS\system32\ieac.exe
O4 - HKLM\..\RunOnce: [javabg.exe] C:\WINDOWS\javabg.exe
O4 - HKLM\..\RunOnce: [apigb32.exe] C:\WINDOWS\apigb32.exe
O4 - HKLM\..\RunOnce: [netpm.exe] C:\WINDOWS\netpm.exe
O4 - HKLM\..\RunOnce: [d3nf.exe] C:\WINDOWS\system32\d3nf.exe
O4 - HKLM\..\RunOnce: [crrv.exe] C:\WINDOWS\system32\crrv.exe
O4 - HKLM\..\RunOnce: [syswx.exe] C:\WINDOWS\syswx.exe
O4 - HKLM\..\RunOnce: [javabr.exe] C:\WINDOWS\javabr.exe
O4 - HKLM\..\RunOnce: [winzm.exe] C:\WINDOWS\system32\winzm.exe
O4 - HKLM\..\RunOnce: [ipmf.exe] C:\WINDOWS\ipmf.exe
O4 - HKLM\..\RunOnce: [apprz32.exe] C:\WINDOWS\system32\apprz32.exe
O4 - HKLM\..\RunOnce: [apifz32.exe] C:\WINDOWS\apifz32.exe
O4 - HKLM\..\RunOnce: [syske32.exe] C:\WINDOWS\system32\syske32.exe
O4 - HKLM\..\RunOnce: [javapy.exe] C:\WINDOWS\system32\javapy.exe
O4 - HKLM\..\RunOnce: [systq32.exe] C:\WINDOWS\system32\systq32.exe
O4 - HKLM\..\RunOnce: [javahk.exe] C:\WINDOWS\javahk.exe
O4 - HKLM\..\RunOnce: [crhy.exe] C:\WINDOWS\system32\crhy.exe
O4 - HKLM\..\RunOnce: [apius32.exe] C:\WINDOWS\apius32.exe
O4 - HKLM\..\RunOnce: [d3zf32.exe] C:\WINDOWS\system32\d3zf32.exe
O4 - HKLM\..\RunOnce: [netsw.exe] C:\WINDOWS\system32\netsw.exe
O4 - HKLM\..\RunOnce: [winyr.exe] C:\WINDOWS\system32\winyr.exe
O4 - HKLM\..\RunOnce: [winvl32.exe] C:\WINDOWS\system32\winvl32.exe
O4 - HKLM\..\RunOnce: [crvf.exe] C:\WINDOWS\crvf.exe
O4 - HKLM\..\RunOnce: [addtq.exe] C:\WINDOWS\addtq.exe
O4 - HKLM\..\RunOnce: [sdkcu.exe] C:\WINDOWS\sdkcu.exe
O4 - HKLM\..\RunOnce: [mfchw32.exe] C:\WINDOWS\system32\mfchw32.exe
O4 - HKLM\..\RunOnce: [javald.exe] C:\WINDOWS\javald.exe
O4 - HKLM\..\RunOnce: [sdkud32.exe] C:\WINDOWS\system32\sdkud32.exe
O4 - HKLM\..\RunOnce: [mfczg.exe] C:\WINDOWS\mfczg.exe
O4 - HKLM\..\RunOnce: [javask32.exe] C:\WINDOWS\javask32.exe
O4 - HKLM\..\RunOnce: [mfcxe.exe] C:\WINDOWS\system32\mfcxe.exe
O4 - HKLM\..\RunOnce: [atlvf32.exe] C:\WINDOWS\system32\atlvf32.exe
O4 - HKLM\..\RunOnce: [sdkzp32.exe] C:\WINDOWS\sdkzp32.exe
O4 - HKLM\..\RunOnce: [sdkcc.exe] C:\WINDOWS\sdkcc.exe
O4 - HKLM\..\RunOnce: [addmi32.exe] C:\WINDOWS\system32\addmi32.exe
O4 - HKLM\..\RunOnce: [crrc32.exe] C:\WINDOWS\crrc32.exe
O4 - HKLM\..\RunOnce: [sysnq.exe] C:\WINDOWS\system32\sysnq.exe
O4 - HKLM\..\RunOnce: [atlzv32.exe] C:\WINDOWS\system32\atlzv32.exe
O4 - HKLM\..\RunOnce: [winok32.exe] C:\WINDOWS\system32\winok32.exe
O4 - HKLM\..\RunOnce: [atlcm.exe] C:\WINDOWS\system32\atlcm.exe
O4 - HKLM\..\RunOnce: [ntmi.exe] C:\WINDOWS\ntmi.exe
O4 - HKLM\..\RunOnce: [javaeq.exe] C:\WINDOWS\system32\javaeq.exe
O4 - HKLM\..\RunOnce: [d3uc32.exe] C:\WINDOWS\d3uc32.exe
O4 - HKLM\..\RunOnce: [d3xr32.exe] C:\WINDOWS\d3xr32.exe
O4 - HKLM\..\RunOnce: [addin32.exe] C:\WINDOWS\system32\addin32.exe
O4 - HKLM\..\RunOnce: [d3re32.exe] C:\WINDOWS\system32\d3re32.exe
O4 - HKLM\..\RunOnce: [wincd.exe] C:\WINDOWS\system32\wincd.exe
O4 - HKLM\..\RunOnce: [javapf.exe] C:\WINDOWS\system32\javapf.exe
O4 - HKLM\..\RunOnce: [apiwl.exe] C:\WINDOWS\apiwl.exe
O4 - HKLM\..\RunOnce: [winbf32.exe] C:\WINDOWS\system32\winbf32.exe
O4 - HKLM\..\RunOnce: [apipr32.exe] C:\WINDOWS\system32\apipr32.exe
O4 - HKLM\..\RunOnce: [netwr32.exe] C:\WINDOWS\netwr32.exe
O4 - HKLM\..\RunOnce: [addkt32.exe] C:\WINDOWS\system32\addkt32.exe
O4 - HKLM\..\RunOnce: [msdq32.exe] C:\WINDOWS\system32\msdq32.exe
O4 - HKLM\..\RunOnce: [netvf.exe] C:\WINDOWS\netvf.exe
O4 - HKLM\..\RunOnce: [crym32.exe] C:\WINDOWS\system32\crym32.exe
O4 - HKLM\..\RunOnce: [mskl32.exe] C:\WINDOWS\system32\mskl32.exe
O4 - HKLM\..\RunOnce: [sdktx32.exe] C:\WINDOWS\system32\sdktx32.exe
O4 - HKLM\..\RunOnce: [sdkgr.exe] C:\WINDOWS\system32\sdkgr.exe
O4 - HKLM\..\RunOnce: [crjj.exe] C:\WINDOWS\crjj.exe
O4 - HKLM\..\RunOnce: [netsy.exe] C:\WINDOWS\netsy.exe
O4 - HKLM\..\RunOnce: [winpx32.exe] C:\WINDOWS\system32\winpx32.exe
O4 - HKLM\..\RunOnce: [javavr.exe] C:\WINDOWS\system32\javavr.exe
O4 - HKLM\..\RunOnce: [mfcbb.exe] C:\WINDOWS\system32\mfcbb.exe
O4 - HKLM\..\RunOnce: [iehv32.exe] C:\WINDOWS\iehv32.exe
O4 - HKLM\..\RunOnce: [appau32.exe] C:\WINDOWS\system32\appau32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D998DE2-4493-46B3-BB6D-9B8C6CEA399C}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D0E3684-65E3-4E49-99A0-1B1F2AEC82D1}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{550C0DC7-C0A1-41DD-A074-45C4E24F14C8}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{9051DFE4-2CEE-4D20-8422-64D317D48450}: NameServer = 69.50.176.198,195.225.176.153

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Run Ewido Security Suite
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

***

Reboot back to normal mode.

***

Download: deldomains.
To use: right-click and select: Install (no need to restart)
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DellDomains.inf
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

Download CleanUp!.
If that doesn't work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingcomputer.com/tutorials/how-to-use-cleanup/

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options"
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Please do an online virus scan with Panda ActiveScan Here. You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here.
Post back (maybe you will need more than one post :thumbsup: ):
About:Buster logs
Ewido log
Panda report
HijackThis log.


Life is what happens while you're making other plans
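As an added example (not from this thread and not HijackThis code): a small Python triager for the entry types g2i2r4 lists above, flagging O4 autoruns that follow this infection's random naming scheme, O1 hosts redirects, O17 NameServer values outside an expected list, and a loopback ProxyServer setting for review. The sample log and the prefix list are constructed from entries posted in this thread; `expected_dns` and `known_local_proxies` are assumed parameters the analyst fills in for the machine being cleaned.

```python
"""Triage a HijackThis 1.99.1 log for the hijack patterns seen in this thread."""
import re

# The droppers in the posted logs follow one naming scheme: a prefix that
# mimics a Windows component (atl, sdk, win, java, ...), two random letters,
# an optional "32", then .exe (atlao.exe, javaju32.exe, winfw32.exe, ...).
# Prefix list constructed from the O4 entries in this thread.
RANDOM_NAME = re.compile(
    r"^(?:api|app|atl|add|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)"
    r"[a-z]{2}(?:32)?\.exe$",
    re.IGNORECASE,
)
# They sit directly in the Windows or System32 directory, never deeper.
WINDIR = re.compile(r"^[A-Z]:\\WINDOWS(?:\\system32)?\\([^\\]+)$", re.IGNORECASE)

O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (.+)$")
# Targets a hosts line or proxy may legitimately use (loopback, or 0.0.0.0 in
# ad-blocking hosts files); anything else in a hosts line is a redirect.
LOOPBACK = ("127.0.0.1", "::1", "localhost", "0.0.0.0")


def exe_path(command):
    """Executable path from an O4 command, with quotes and arguments dropped."""
    m = re.match(r'^"?(.*?\.exe)\b', command, re.IGNORECASE)
    return m.group(1) if m else command


def triage(log_text, expected_dns=(), known_local_proxies=()):
    """Return findings as (severity, section, detail) tuples.

    expected_dns: servers the ISP really issues; any other O17 server is
    flagged, since a changed NameServer silently redirects every lookup.
    known_local_proxies: "127.0.0.1:port" values set by legitimate software
    (some web shields and accelerators proxy locally); any other loopback
    proxy is reported for review rather than as a definite hit.
    """
    findings = []
    hosts = {}  # (ip, hostname) -> number of O1 lines
    dns = {}    # server -> number of interfaces using it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            key, name, command = m.groups()
            path = exe_path(command)
            where = WINDIR.match(path)
            if where and RANDOM_NAME.match(where.group(1)):
                findings.append(("high", "O4",
                                 f"random-named autorun {key} [{name}] {path}"))
            continue
        m = O1_RE.match(line)
        if m:
            hosts[m.groups()] = hosts.get(m.groups(), 0) + 1
            continue
        m = O17_RE.match(line)
        if m:
            for server in m.group(1).split(","):
                if server.strip():
                    dns[server.strip()] = dns.get(server.strip(), 0) + 1
            continue
        m = R1_PROXY_RE.match(line)
        if m:
            for entry in m.group(1).split(";"):  # e.g. "http=127.0.0.1:9877"
                target = entry.split("=", 1)[-1].strip()
                if target.rsplit(":", 1)[0] in LOOPBACK and target not in known_local_proxies:
                    findings.append(("review", "R1", f"local proxy {target}"))
    for (ip, host), n in hosts.items():
        if ip not in LOOPBACK:
            findings.append(("high", "O1", f"hosts redirect {host} -> {ip} (x{n})"))
    for server, n in dns.items():
        if server not in expected_dns:
            findings.append(("high", "O17",
                             f"unexpected DNS server {server} on {n} interface(s)"))
    return findings


def section_counts(findings):
    """Number of findings per HijackThis section, e.g. {"O4": 3, "O1": 1}."""
    counts = {}
    for _, section, _ in findings:
        counts[section] = counts.get(section, 0) + 1
    return counts


# Constructed sample, modelled on the entry formats in the posted logs.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [apiqc32.exe] C:\WINDOWS\apiqc32.exe
O4 - HKLM\..\RunOnce: [sdkcd.exe] C:\WINDOWS\sdkcd.exe
O4 - HKLM\..\RunOnce: [winfw32.exe] C:\WINDOWS\system32\winfw32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D998DE2-4493-46B3-BB6D-9B8C6CEA399C}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D0E3684-65E3-4E49-99A0-1B1F2AEC82D1}: NameServer = 69.50.176.198,195.225.176.153
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"{severity:6} {section:4} {detail}")
```

Run it against a saved HijackThis log by passing the file's contents to `triage`; entries it does not flag (O2 BHOs with "file missing", O23 services) still need a manual look, as the helper does above.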

#4 katiecalf

  • Topic Starter
  • Members
  • 84 posts
  • Gender:Female

Posted 12 September 2005 - 10:47 AM

Hi,
Okay, just got on your site and found this reply.
I had not been able to access your site, but in the meantime I finally got on to the Active Scan site through a link from another site and ran the scan. It found the 2 viruses and said it cleaned them. I have included the scan results, and also then ran a new HijackThis log and included it here.
The question I have is: should I continue with the instructions above? The reason I ask is because of the following that you had in it:

"Download and unzip HSfix to your desktop.

The above Registry file was written specifically for this infection and is not to be used on any other infection as it could damage a person's PC"

Incident Status Location

Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkud32.exe
Spyware:spyware/wareout No disinfected C:\DOCUMENTS AND SETTINGS\MUNCHKIN\APPLICATION DATA\wo.tmp
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:adware/cws.homesearchasisstantNo disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkre.exe
Dialer:Dialer.BMT No disinfected C:\WINDOWS\system32\cithlper.exe
Adware:Adware/StartPage.AFZ No disinfected C:\WINDOWS\dafrfr.dat
Virus:Backdoor Program.AP Disinfected C:\WINDOWS\1086368891.dll
Adware:Adware/StartPage.AFZ No disinfected C:\WINDOWS\elynzy.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netwb.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atley32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\xunyj.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\wgwlpo.txt
Virus:Backdoor Program.AP Disinfected C:\Documents and Settings\Munchkin\Local Settings\Temp\1B.tmp


Logfile of HijackThis v1.99.1
Scan saved at 8:52:29 AM, on 9/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Gilat\QMS\QMS.exe
C:\Program Files\Gilat\GSU\GSU.exe
C:\Program Files\Gilat\IBQoS\ibqossvc.exe
C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
C:\PROGRA~1\GILAT\INTERN~1\AS_Agent.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
C:\Program Files\Gilat\NetAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\syskq.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\StarBand\Mission Control\HsuGui\HsuGuiControl.exe
C:\Program Files\StarBand\Mission Control\TaskBarClient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\StarBand\MISSIO~1\evrep.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ievh32.exe
C:\Documents and Settings\Munchkin\Desktop\NEW downloads\spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.yahoo.com/{sub_rfc1766}/s...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {49E13B83-C734-1261-571F-007C0D7C4540} - C:\WINDOWS\netjp32.dll (file missing)
O2 - BHO: Class - {4B291C5E-763D-6544-2D51-7653D4F8C405} - C:\WINDOWS\system32\mfcev.dll
O2 - BHO: Class - {9CAD02CC-BB43-75C0-802F-FB2C2F6800B4} - C:\WINDOWS\crsd32.dll (file missing)
O2 - BHO: Class - {A47B913E-2FC8-8C92-CFF4-E3D1BB4B3486} - C:\WINDOWS\system32\appdj.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HsuGuiControl] C:\Program Files\StarBand\\Mission Control\HsuGui\HsuGuiControl.exe
O4 - HKLM\..\Run: [NettGain2000 Verifier] C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe
O4 - HKLM\..\Run: [TaskBarClient] C:\Program Files\StarBand\\Mission Control\TaskBarClient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [apiqc32.exe] C:\WINDOWS\apiqc32.exe
O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D998DE2-4493-46B3-BB6D-9B8C6CEA399C}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D0E3684-65E3-4E49-99A0-1B1F2AEC82D1}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{550C0DC7-C0A1-41DD-A074-45C4E24F14C8}: NameServer = 69.50.176.198,195.225.176.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{9051DFE4-2CEE-4D20-8422-64D317D48450}: NameServer = 69.50.176.198,195.225.176.153
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Gilat Quality Measurement Service (Gilat QMS) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\QMS\QMS.exe
O23 - Service: Gilat host software update service (GilatHSU) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\GSU\GSU.exe
O23 - Service: Gilat Network Agent Service (GilatNetAgent) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\NetAgent.exe
O23 - Service: Gilat IBQoS Agent (ibqossvc) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\IBQoS\ibqossvc.exe
O23 - Service: RPAService - Unknown owner - C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WgwService - Unknown owner - C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe

I will wait for an answer from you
Katie

#5 g2i2r4

    Malware remover

  • Members
  • 900 posts
  • Gender:Not Telling

Posted 12 September 2005 - 04:45 PM

Yes, please follow the entire advice step by step.
You know I won't harm your computer :thumbsup: You really need this.


Life is what happens while you're making other plans

#6 katiecalf

  • Topic Starter
  • Members
  • 84 posts
  • Gender:Female

Posted 13 September 2005 - 08:36 PM

Hi,
I printed all instructions and followed them totally.
I will list the problems I had:
After deleting all the files with Killbox, when on the last file you were to reboot, your instructions said to click "no" at the Pending Operations prompt. I never got the prompt; what I got was the following box:
"Pending file rename Peration Registry Data has been removed by external Process"

I continued anyway into safe mode and did what was listed. The next problem was with Hsfix: you had said when asked to merge, say yes.
It never asked for a merge; it stated
asked if I wanted to add information to c:\documents and settings\munchkind\desktop\hsfxz???? reg to the registry (sorry, couldn't read my writing).
Next, in the HijackThis log there was an entry for O4 - HKLM\..\RunOnce: [iehv32.exe] C:\WINDOWS\iehv32.exe
I could not find that, but had one close to it with ievh; since it was not exact I did not check it.
Next: when I tried to run Ewido it closed itself out and I was unable to do a complete scan or make a report.
After booting to normal mode I did try running it again, but it closed itself out once again, so I went on to the next step.
So I will enclose the about:buster log, the Panda ActiveScan report and the new HijackThis log, and hopefully I haven't screwed something up :thumbsup:

AboutBuster 5.0 reference file 31
Scan started on [9/13/2005] at [3:47:14 PM]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\Windows\gwohvz.dat
Removed File! : C:\Windows\wkwecl.dat
Removed File! : C:\Windows\junetj.dat
Removed File! : C:\Windows\phjspo.dat
Removed File! : C:\Windows\glnvm.dat
Removed File! : C:\Windows\cstiue.dat
Removed File! : C:\Windows\xwytyy.dat
Removed File! : C:\Windows\iwvjhy.dat
Removed File! : C:\Windows\predap.dat
Removed File! : C:\Windows\hxbswy.dat
Removed File! : C:\Windows\System32\pxjhq.dll
Removed File! : C:\Windows\System32\ublpn.dat
Removed File! : C:\Windows\System32\hsqan.dat
Removed File! : C:\Windows\System32\zqeah.dat
Removed File! : C:\Windows\System32\utujt.dat
Removed File! : C:\Windows\System32\sttry.dat
Removed File! : C:\Windows\System32\golud.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 3:48:37 PM

Will post the ActiveScan report and HijackThis log as 2 replies.
Katie

#7 katiecalf

  • Topic Starter
  • Members
  • 84 posts
  • Gender:Female

Posted 13 September 2005 - 08:37 PM

Incident Status Location

Virus:Trj/Agent.AMI Disinfected Operating system
Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkcb32.exe
Spyware:spyware/petro-line No disinfected C:\Documents and Settings\Munchkin\Favorites\SITES ABOUT\Credit counseling.url
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:adware/cws.homesearchasisstantNo disinfected Windows Registry
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\d3sb32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\addsb.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\mfcov.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\d3ll.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\crkl32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\javacv32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\applv.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\addrg32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\ntcm.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\adddi32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\syspu32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\javauw.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\ieec32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\yhvzg.dll
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\iexi32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\sdkkm32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\sysvg.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\javagf32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\mfcui.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\d3kk32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\winmt32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\apimk32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\winml32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\netow32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\sysxi32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\netjq.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\apimt32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\netnp32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\iegp.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\addep32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\d3nw32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\addzg32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\apigk32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\ieue32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\addkg.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\sdkjt32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\mfcjh32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\crvm.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\netcc32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\apiop.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\iplo.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\netpd.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\mshh.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\ntms.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\sdkhr.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkre.exe
Dialer:Dialer.BMT No disinfected C:\WINDOWS\system32\cithlper.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\sdkyx32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\mfcpm32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\crys.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\javaci.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\d3mn32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\atlqv.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\sdkgy32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\apidk.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\winwa32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\javacd32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\crvq.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\sysac.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\mfcau32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\appur.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\atlcp32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\netnn.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\system32\nethy.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\hindli.dat
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\werwxy.dat
Adware:Adware/StartPage.AFZ No disinfected C:\WINDOWS\dafrfr.dat
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\xnthfg.dat
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\crov32.exe
Adware:Adware/StartPage.AFZ No disinfected C:\WINDOWS\elynzy.dat
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\winzl.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\javawv32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\adjmmo.dat
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netwb.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\sdkze.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\jnoyus.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atley32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\mfcey.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\cfigbn.txt
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\appyi32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\crgo.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\hhatss.txt
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\addys32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\netue32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\atlxm32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\sdkie.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\ntkc32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\ntmm32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\netbt.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\ynhmmm.txt
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\ntpc.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\qsfupx.txt
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\mscj.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\nowblg.txt
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\mfckf32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\syspi.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\ffvwwh.dat
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\crdo.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\zuitp.dll
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\ewosvf.txt
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\netzu.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\netib32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\ntgf.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\kanpzl.dat
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\croi.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\mtpgoz.log
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\atlqw32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\sdkkb32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\addad32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\winpd32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\apibh.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\ntqd.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\d3ql.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\appfi.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\ntbc.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\ipbp32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\appac32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\netcx32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\netfe32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\djgqvf.dat
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\eqqixt.dat
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\winbz32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\wwyzad.dat
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\evfugb.dat
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\jgownh.log
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\netzv32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\msjg.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\ntso.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\atldw32.exe
Virus:Trj/Agent.AMI Disinfected C:\WINDOWS\sdkwz.exe
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP331\A0036530.dll
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP332\A0037585.exe
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP332\A0037629.dll
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP332\A0037630.dll
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP334\A0037975.EXE
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP334\A0037978.dll
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP334\A0037979.dll
Virus:Backdoor Program.AP Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP334\A0038022.dll
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038076.exe
Adware:Adware/Startpage.VQ No disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038078.DLL
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038089.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038091.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038099.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038100.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038101.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038104.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038105.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038111.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038112.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038113.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038115.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038116.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038117.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038119.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038121.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038122.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038123.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038126.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038128.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038131.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038134.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038135.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038140.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038141.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038143.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038146.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038147.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038150.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038151.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038153.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038156.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038157.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038159.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038161.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038164.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038165.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038167.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038169.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038171.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038172.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038173.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038174.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038181.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038182.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038183.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038185.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038191.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038192.exe
Virus:Trj/Agent.AMI Disinfected C:\System Volume Information\_restore{D155EAEE-0CC1-41E6-8858-6A252D014289}\RP335\A0038195.exe

#8 katiecalf

katiecalf
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:28 PM

Posted 13 September 2005 - 08:39 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:38:13 PM, on 9/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ievh32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Gilat\QMS\QMS.exe
C:\Program Files\Gilat\GSU\GSU.exe
C:\Program Files\Gilat\IBQoS\ibqossvc.exe
C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
C:\PROGRA~1\GILAT\INTERN~1\AS_Agent.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
C:\Program Files\Gilat\NetAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winau32.exe
C:\Documents and Settings\Munchkin\Desktop\NEW downloads\spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {6063B540-F6FC-513E-26EA-016F982EFF4A} - C:\WINDOWS\javawv32.dll
O2 - BHO: Class - {EC0DCF51-1005-877B-C873-10B3F0156A8C} - C:\WINDOWS\system32\addlr32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NettGain2000 Verifier] C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ievh32.exe] C:\WINDOWS\system32\ievh32.exe
O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
O4 - HKLM\..\RunOnce: [winau32.exe] C:\WINDOWS\system32\winau32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\ipjp32.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gilat Quality Measurement Service (Gilat QMS) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\QMS\QMS.exe
O23 - Service: Gilat host software update service (GilatHSU) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\GSU\GSU.exe
O23 - Service: Gilat Network Agent Service (GilatNetAgent) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\NetAgent.exe
O23 - Service: Gilat IBQoS Agent (ibqossvc) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\IBQoS\ibqossvc.exe
O23 - Service: RPAService - Unknown owner - C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WgwService - Unknown owner - C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe


#9 katiecalf

katiecalf
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:28 PM

Posted 14 September 2005 - 08:35 AM

Glad I caught the post before you have had a chance to work with it.
I had the virus program and SpySweeper set to scan during the night, and when I got up it had caught a couple of trojans and SpySweeper a couple of spywares, but what I did notice is there is no longer a recycle bin on the desktop.
The shell of the icon is there but nothing behind it; if you right-click you get the option to delete, copy, create shortcut etc. I downloaded Tweak UI and when you go to desktop there is not the option of the recycle bin, so I am guessing when I did the list of things you had me do I did something wrong.
Kate

#10 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:28 AM

Posted 14 September 2005 - 03:40 PM

Don't worry Kate, you didn't do anything wrong, it's part of the malware. We will get the recycle bin back.

"Pending file rename Peration Registry Data has been removed by external Process"
This is what I mean by the pending operations prompt.

I see Avast and Symantec. You need to run only one AntiVirus program. Otherwise it will conflict with the other and cause problems like this.

***

Please disable SpySweeper, as it will hinder the removal of some entries. Re-enable it after this advice.
To disable SpySweeper Shields
  • Click Shields on the left.
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Exit Spysweeper.
***

Update About:Buster again. Don't run it.

***

Update AdAware SE 1.06. Don't run it yet.

***

Download: deldomains.
To use: right-click and select: Install (no need to restart)
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DellDomains.inf
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Network Security Service (NSS)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

***

Download and unzip cwsserviceremove to your desktop. Use either link below:
http://computercops.biz/modules.php?name=F...ownload&id=3002
http://www.mytechsupport.ca/helpwithpcs/up...rviceremove.zip
Don't do anything yet.

***

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\Documents and Settings\Munchkin\Favorites\SITES ABOUT\Credit counseling.url
C:\WINDOWS\adjmmo.dat
C:\WINDOWS\atley32.exe
C:\WINDOWS\dafrfr.dat
C:\WINDOWS\elynzy.dat
C:\WINDOWS\hhatss.txt
C:\WINDOWS\ipjp32.exe
C:\WINDOWS\netwb.exe
C:\WINDOWS\rdt.ini
C:\WINDOWS\system32\atlcp32.exe
C:\WINDOWS\system32\ievh32.exe
C:\WINDOWS\SYSTEM32\sdkcb32.exe
C:\WINDOWS\system32\sdkre.exe
C:\WINDOWS\system32\winau32.exe
C:\WINDOWS\system32\yhvzg.dll
C:\WINDOWS\ynhmmm.txt
C:\WINDOWS\zuitp.dll

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Make sure it reboots to safe mode.

***

CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {6063B540-F6FC-513E-26EA-016F982EFF4A} - C:\WINDOWS\javawv32.dll

O2 - BHO: Class - {EC0DCF51-1005-877B-C873-10B3F0156A8C} - C:\WINDOWS\system32\addlr32.dll

O4 - HKLM\..\Run: [ievh32.exe] C:\WINDOWS\system32\ievh32.exe

O4 - HKLM\..\RunOnce: [winau32.exe] C:\WINDOWS\system32\winau32.exe

***

Run AboutBuster. This will scan your computer for the bad files and delete them.
Please run About:Buster:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

***

Scan with AdAware and let it remove any bad files found.

***

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

***

Double click on the cwsserviceremove and when asked to merge say yes.

***

Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

***

Reboot into normal mode.

***

Download this file to your desktop.
Double-click the file and allow it to be added to the registry.

***

Please post me a fresh HijackThis log and the About:Buster logs.


Life is what happens while you're making other plans
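A triage pass over a HijackThis log of the shape posted in this thread, as an added example (not the thread's code and not HijackThis's own logic): it parses the R0/R1, R3, O2, O4 and O23 line formats and flags the same kinds of entries the helper told Kate to fix (search pages redirected into a `res://` DLL, a missing URLSearchHook, an unnamed BHO in %WINDIR%, autostarts named after a bare executable dropped in %WINDIR%, and a service with a garbage short name whose binary is already gone). The sample log, the rules and the `RUN_ALLOWLIST` are constructed for this page and are heuristics a reviewer can tune, not a verdict.

```python
"""Triage a HijackThis 1.99.1 log for the kinds of entries acted on in this thread.

Added example, not part of the original thread and not HijackThis's own logic: the
rules below are heuristics written for this page, and the sample log is constructed
from the line shapes seen in the posts above.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    section: str   # HijackThis section code: R1, R3, O2, O4, O23
    reason: str
    line: str


# Constructed sample log (shapes taken from the logs posted in this thread).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yhvzg.dll/sp.html#55135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {6063B540-F6FC-513E-26EA-016F982EFF4A} - C:\WINDOWS\javawv32.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ievh32.exe] C:\WINDOWS\system32\ievh32.exe
O4 - HKLM\..\RunOnce: [winau32.exe] C:\WINDOWS\system32\winau32.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\ipjp32.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

_R_RE = re.compile(r"^(R[0-3]) - (.+?) = (.+)$")
_O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
_O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[(.*?)\] (.+)$")
# Display name, optional (short name) without nested parentheses, owner, path.
_O23_RE = re.compile(r"^O23 - Service: (.+?)(?: \(([^()]*)\))? - (.+?) - (.+)$")
_WINDIR = re.compile(r"^[a-z]:\\windows(\\system32)?$", re.I)
_SAFE_SVC_NAME = re.compile(r"^[A-Za-z0-9 _.\-]+$")
# Constructed allowlist of autostart names that legitimately run straight out of %WINDIR%.
RUN_ALLOWLIST = {"ctfmon.exe"}


def _exe_of(path: str) -> str:
    """Executable portion of an O4/O23 path: drop quotes, arguments and '(file missing)'."""
    path = path.strip()
    if path.endswith("(file missing)"):
        path = path[: -len("(file missing)")].strip()
    if path.startswith('"'):
        return path[1:].split('"', 1)[0]
    return path.split('"', 1)[0].split(" /", 1)[0].strip()


def _in_windir(exe: str) -> bool:
    """True when the file sits directly in %WINDIR% or %WINDIR%\\system32."""
    return bool(_WINDIR.match(ntpath.dirname(exe)))


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one suspicious log line, or None if the line looks benign."""
    line = line.strip()
    m = _R_RE.match(line)
    if m:
        section, _key, value = m.groups()
        if value.lower().startswith("res://"):
            return Finding(section, "IE search/start page redirected into a DLL resource (res://)", line)
        return None
    if line.startswith("R3 - ") and "is missing" in line:
        return Finding("R3", "URLSearchHook removed, a common side effect of a search hijacker", line)
    m = _O2_RE.match(line)
    if m:
        name, path = m.groups()
        if name.strip() in ("", "Class") or _in_windir(_exe_of(path)):
            return Finding("O2", "BHO with no class name or loaded straight from %WINDIR%", line)
        return None
    m = _O4_RE.match(line)
    if m:
        _key, name, path = m.groups()
        exe = _exe_of(path)
        base = ntpath.basename(exe).lower()
        if base == name.strip().lower() and _in_windir(exe) and base not in RUN_ALLOWLIST:
            return Finding("O4", "autostart named after a bare executable dropped in %WINDIR%", line)
        return None
    m = _O23_RE.match(line)
    if m:
        _display, short, owner, path = m.groups()
        if short is not None and not _SAFE_SVC_NAME.match(short):
            return Finding("O23", "service short name contains garbage characters", line)
        if path.endswith("(file missing)") and owner == "Unknown owner" and _in_windir(_exe_of(path)):
            return Finding("O23", "unowned service whose binary in %WINDIR% is already gone", line)
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Feed a saved log with `triage(open(path).read())`. The O23 rule is deliberately narrow: the avast! scanner lines in the posted logs also carry "(file missing)" and "Unknown owner", but their path is under Program Files and the missing flag appears to come from the stray quote in the service command line rather than from a dropped binary, so they are left alone; the Symantec leftovers are a separate cleanup question, not a triage hit.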

#11 katiecalf

katiecalf
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:28 PM

Posted 14 September 2005 - 10:48 PM

I am not running anything other than Avast.
I had removed the Symantec program through Add/Remove Programs last year before I installed Avast.
There is a folder in C:\Program Files\Common Files that it will not allow me to delete, and 2 other files that it did allow me to remove.
If you have any other suggestions before I do the above tasks please let me know.
Thanks

#12 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:28 AM

Posted 15 September 2005 - 02:48 AM

Please move on to the next steps.

Also post me this:
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from notepad into your post



Life is what happens while you're making other plans

#13 katiecalf

katiecalf
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:28 PM

Posted 15 September 2005 - 07:17 AM

Next steps being the post previous to the one that you want the uninstall list of, or the list with the uninstall?
Here is the list of uninstalls.
I will not do the rest till I hear from you.

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
Adobe Reader 7.0
AOL Instant Messenger
AOL Instant Messenger Smiley Update 2.0
avast! Antivirus
Backup Dell-Installed Programs
Classic PhoneTools
CleanUp!
Documents To Go
ePocrates Clinical Suite
Event Planner
ewido security suite
Gangsters
Hallmark Card Studio 2003
HijackThis 1.99.1
Home Search Assistent
ICQ
Java 2 Runtime Environment, SE v1.4.2
Microsoft Data Access Components KB870669
Microsoft Expedia Streets & Trips 2000
Microsoft Office XP Small Business
MSN Messenger 6.2
Palm Desktop
Panda ActiveScan
PCPitstop Panda AntiVirus Scan (remove only)
Search Extender
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Shockwave
Shopping Wizard
Spy Sweeper
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
StarBand Model 360
The Print Shop
ToolbarSetup
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Viewpoint Media Player (Remove Only)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Yahoo! Anti-Spy
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar

#14 g2i2r4

g2i2r4

    Malware remover


  • Members
  • 900 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:28 AM

Posted 15 September 2005 - 05:20 PM

Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on
    Home Search Assistent
    Search Extender
  • Click on Delete this entry
  • Click "Yes"
Close HijackThis.

***

Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Open Process Manager"
  • Find and Click on
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
  • Click on "Kill Process" button
  • Click Yes
Close HijackThis

***

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Symantec Event Manager

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Do the same for this one:
Symantec Password Validation Service

***

Open HijackThis
click on "None of the above, just start the program".
click on the "Config" button (bottom right),
click on "Misc Tools"
click on "Delete an NT Service" (a window will pop up)
Enter the below item into that field (make sure there are NO spaces before or after the name):

ccEvtMgr

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.
Do the same for this one:
ccPwdSvc

Press 'back' and 'scan'.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Use Windows Explorer to remove these folders (the ones in bold!!):
C:\Program Files\Common Files\Symantec Shared\
C:\Program Files\Norton SystemWorks\
Close Windows Explorer.

***

Reboot the computer.

***

Post back a fresh HijackThis log to check.


Life is what happens while you're making other plans

#15 katiecalf

katiecalf
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:28 PM

Posted 15 September 2005 - 08:30 PM

I was not able to delete the following:
Enter the below item into that field (make sure there are NO spaces before or after the name):

ccEvtMgr

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.
Do the same for this one:
ccPwdSvc
This is the error message:
Service you enered is system-critical! It can't be deleted
This was for both.

The following were not present in HiJackthis log
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe


In Windows explorer the following was not present:

C:\Program Files\Norton SystemWorks\



Logfile of HijackThis v1.99.1
Scan saved at 8:08:32 PM, on 9/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Gilat\QMS\QMS.exe
C:\Program Files\Gilat\GSU\GSU.exe
C:\Program Files\Gilat\IBQoS\ibqossvc.exe
C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
C:\PROGRA~1\GILAT\INTERN~1\AS_Agent.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
C:\Program Files\Gilat\NetAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ntuy.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wingo32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Munchkin\Desktop\NEW downloads\spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.yahoo.com/{sub_rfc1766}/s...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {6063B540-F6FC-513E-26EA-016F982EFF4A} - C:\WINDOWS\javawv32.dll (file missing)
O2 - BHO: Class - {B86BEFD1-FD7B-BF76-1007-90B9084541C0} - C:\WINDOWS\system32\wingo32.dll
O2 - BHO: Class - {C153994C-AEA2-92E8-F454-92CC43F0D55D} - C:\WINDOWS\addsc.dll (file missing)
O2 - BHO: Class - {EC0DCF51-1005-877B-C873-10B3F0156A8C} - C:\WINDOWS\system32\addlr32.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NettGain2000 Verifier] C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [wingo32.exe] C:\WINDOWS\system32\wingo32.exe
O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
O4 - HKLM\..\RunOnce: [ntuy.exe] C:\WINDOWS\system32\ntuy.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winau32.exe" /s (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gilat Quality Measurement Service (Gilat QMS) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\QMS\QMS.exe
O23 - Service: Gilat host software update service (GilatHSU) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\GSU\GSU.exe
O23 - Service: Gilat Network Agent Service (GilatNetAgent) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\NetAgent.exe
O23 - Service: Gilat IBQoS Agent (ibqossvc) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\IBQoS\ibqossvc.exe
O23 - Service: RPAService - Unknown owner - C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WgwService - Unknown owner - C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
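The folder-removal steps in the helper's post above, and the HijackThis "Delete an NT service" steps quoted in katiecalf's reply, can also be carried out from an elevated cmd.exe with sc.exe, which ships with Windows XP and later. The script below is an added example and is not code from the original thread or from HijackThis; the service names (ccEvtMgr, ccPwdSvc) and folder paths are the ones named in the thread and are assumptions for any other machine. HijackThis refused these two services as "system-critical"; sc.exe performs no such check, so before running `sc delete` confirm with `sc qc <name>` that BINARY_PATH_NAME points at the product you are actually removing, because deleting a service the OS depends on will break the next boot.

```batch
@echo off
REM Added example (not part of the original thread): remove leftover services and
REM folders in the order the instructions above describe. Run from an elevated cmd.exe.
REM Service names and folder paths are the ones named in the thread (assumptions
REM for any other machine); check "sc qc <name>" before deleting anything.
setlocal

for %%S in (ccEvtMgr ccPwdSvc) do call :RemoveService %%S

for %%D in ("C:\Program Files\Common Files\Symantec Shared" "C:\Program Files\Norton SystemWorks") do (
    if exist %%D (
        echo Removing folder %%D
        rmdir /s /q %%D
    ) else (
        echo Folder %%D not present, nothing to do
    )
)
echo Done. Reboot, then post a fresh HijackThis log.
goto :eof

:RemoveService
REM sc query exits with Win32 error 1060 when the service is not installed.
sc query %1 >nul 2>&1
if errorlevel 1060 (
    echo Service %1 not found, nothing to do
    goto :eof
)
REM Show the binary path so the operator can confirm this is the right service.
sc qc %1 | findstr /i "BINARY_PATH_NAME"
echo Stopping %1
sc stop %1 >nul 2>&1
REM Disable it so nothing restarts it before the deletion takes effect.
REM The space after "start=" is required by sc.exe.
sc config %1 start= disabled >nul
sc delete %1
if errorlevel 1 (
    echo Could not delete %1 - check whether it is still running or has dependent services
) else (
    echo Deleted %1 - if it was still running, removal completes at the next reboot
)
goto :eof
```

If `sc stop` reports error 1062 the service was already stopped, which is harmless here; a service that is running when `sc delete` succeeds is only marked for deletion and disappears after the reboot the helper asks for, which is why the fresh HijackThis log should be taken after restarting.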



