SOS!


92 replies to this topic

#1 boogieonrw

    Member

  • Members
  • 63 posts

Posted 07 February 2005 - 04:11 PM

i'm pretty much overrun with a virus on one of my computers...it has 100% of the virtual memory being used
there are all these instances of svchost running
a bunch of weird other programs, that if i let it keep going goes up to as many as 63 or so processes at a time

spybot keeps finding stuff that it fixes, but it does so every time it opens...something's definitely wrong...

does anyone have any suggestions?

i have a bunch of icons that i didn't put on my desktop- most of which are about spyware and viruses
it's totally trying to get me to buy their antivirus...
anyway..does anyone know what i have, or how i can get rid of it?

i'll post an up to date HJT in a moment

#2 boogieonrw

    Member

  • Members
  • 63 posts

Posted 07 February 2005 - 04:29 PM

Logfile of HijackThis v1.99.0
Scan saved at 5:29:04 PM, on 2/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bettersea...ee-discount.htm
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {A3AC2034-C8B8-E8EA-550B-B4A3591F15B7} - C:\WINDOWS\system32\msni32.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - HKLM\..\Run: [s39U3qV] psadsk.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtcd32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunOnce: [appvg32.exe] C:\WINDOWS\appvg32.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\TEMP\Application Data\eetu.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107534934375
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4583
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/UCSearch.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\appvg32.exe

#3 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 07 February 2005 - 04:34 PM

You have a few different infections

But we should be able to clear all of it

Let's try and tackle your first infections

Could you Download ServiceFilter.zip
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

Please don't restart your computer again after supplying the Post_This.txt

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#4 boogieonrw

    Member

  • Members
  • 63 posts

Posted 07 February 2005 - 05:25 PM

excellent.

i downloaded mozilla firefox, and it helps a lot. none of the pop ups are coming up. but it's still, definitely, muffed up

here it is

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Feb 7, 2005 5:44:10 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: fyyylohj5
Display Name: fyyylohj5
Start Mode: Unknown
Start Name:
Description: ...
Service Type: Unknown
Path:
State: Running
Process ID: 1412
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: NOD32krn
Display Name: NOD32 Kernel Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\eset\nod32krn.exe
State: Running
Process ID: 1548
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{4af1c4a9-7593-4159-a089-20000a4dfd3b}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: %AF
Display Name: Network Security Service (NSS)
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\appvg32.exe /s
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 82 Win32 services on this machine.
4 were unrecognized.

Script Execution Time: 1.515625 seconds.

#5 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 07 February 2005 - 05:38 PM

Hold tough for a few minutes,

I take it the last log was either in safe mode or after you End process on a lot of
things running in the background
In your next log can you try and Start in Normal and don't end process on anything
Thanks......

But let me try some fixes first and let's see how you look later

I'm uploading a few attachments at the bottom of this reply
Can you Download them all to your desktop and then UNZIP them all to your desktop

By the way, I wouldn't be without Firefox :D

I'll post back with some cleaning procedures in a few minutes


#6 boogieonrw

    Member

  • Members
  • 63 posts

Posted 07 February 2005 - 05:44 PM

the downloads are timing out. i'll be back once i restart the computer and i'll post the log


it may be a while...it's kind of hard to run the computer with all 63 or so processes running...wish me luck!


thank you so much
jordan

#7 boogieonrw

    Member

  • Members
  • 63 posts

Posted 07 February 2005 - 05:47 PM

okay i got them downloaded...restarting now

#8 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 07 February 2005 - 05:52 PM

Does your notepad work?
Go to START>>Run>>type in notepad
and hit Enter

If you can't download those attachments let me know

Are you able to do this
Create a New folder on your Desktop, call it AboutBuster
Download to desktop ABOUT:BUSTER.zip
by RubbeR Ducky
Unzip it to that new folder===Open About:Buster and Check for Updates
Don't run a Scan yet

EDIT>>>I just saw your above post
So I assume you can download the above in Safe mode
If not, are you capable of receiving attachments in your email??

STAY in Normal mode and post the log or RESTART in SAFE MODE with Networking
But try not to restart again until after I see the log


#9 boogieonrw

    Member

  • Members
  • 63 posts

Posted 07 February 2005 - 06:12 PM

as of now, i can't get anything to work on that computer...it starts up, loads a few things...and then says "cannot find wnim.dll" or something like this...

and then everything seems A. Okay...but then i go to the web, or go to my computer...or really try to open anything- even pressing control alt delete

and it just endlessly thinks

this wouldn't have to do with those registry files i downloaded, would it? cuz it was working before i got them...anyway, i'm gonna let it cool down and i'll get back to work...haven't restarted in safe mode yet...but that's the next step...i'm gonna give it a half hour first..perhaps it will remember what it's thinking about...cuz it's hour glassing as of now...maybe it will figure it out.

#10 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 07 February 2005 - 06:15 PM

Downloading those and unzipping them to the desktop will do no harm at all
Did you merge them already?

I just needed you to download them for now

Don't do anything else without instructions

We can work off your first log if you can't post anything else

Slow down and don't get ahead of yourself on this.......... ;)


#11 boogieonrw

    Member

  • Members
  • 63 posts

Posted 07 February 2005 - 06:28 PM

i did open the files that unzipped...is that horrible?


upon restarting... it didn't seem like windows messenger would ever really establish itself (B