SOS!

This topic is locked
92 replies to this topic

#1 boogieonrw (Member, 63 posts)

Posted 07 February 2005 - 04:11 PM

I'm pretty much overrun with a virus on one of my computers... it has 100% of the virtual memory being used.
There are all these instances of svchost running,
a bunch of weird other programs, that if I let it keep going goes up to as many as 63 or so processes at a time.

Spybot keeps finding stuff that it fixes, but it does so every time it opens... something's definitely wrong...

Does anyone have any suggestions?

I have a bunch of icons that I didn't put on my desktop, most of which are about spyware and viruses.
It's totally trying to get me to buy their antivirus...
Anyway... does anyone know what I have, or how I can get rid of it?

I'll post an up-to-date HJT log in a moment.

#2 boogieonrw (Member, 63 posts)

Posted 07 February 2005 - 04:29 PM

Logfile of HijackThis v1.99.0
Scan saved at 5:29:04 PM, on 2/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bettersea...ee-discount.htm
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {A3AC2034-C8B8-E8EA-550B-B4A3591F15B7} - C:\WINDOWS\system32\msni32.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - HKLM\..\Run: [s39U3qV] psadsk.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtcd32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunOnce: [appvg32.exe] C:\WINDOWS\appvg32.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\TEMP\Application Data\eetu.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107534934375
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4583
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/UCSearch.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\appvg32.exe

#3 guestolo (Admin, Site Donator, 16,247 posts)

Posted 07 February 2005 - 04:34 PM

You have a few different infections,

but we should be able to clear all of it.

Let's try and tackle your first infections.

Could you download ServiceFilter.zip?
Unzip the contents to a folder.
Double-click ServiceFilter.vbs; if you get a prompt from your anti-virus, allow this to run, we are just collecting information.
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved. Copy and paste the contents of Post_This.txt in your next reply here.

Please don't restart your computer again after supplying the Post_This.txt.



#4 boogieonrw (Member, 63 posts)

Posted 07 February 2005 - 05:25 PM

Excellent.

I downloaded Mozilla Firefox, and it helps a lot. None of the pop-ups are coming up. But it's still, definitely, muffed up.

Here it is:

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Feb 7, 2005 5:44:10 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: fyyylohj5
Display Name: fyyylohj5
Start Mode: Unknown
Start Name:
Description: ...
Service Type: Unknown
Path:
State: Running
Process ID: 1412
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: NOD32krn
Display Name: NOD32 Kernel Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\eset\nod32krn.exe
State: Running
Process ID: 1548
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{4af1c4a9-7593-4159-a089-20000a4dfd3b}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: %AF
Display Name: Network Security Service (NSS)
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\appvg32.exe /s
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 82 Win32 services on this machine.
4 were unrecognized.

Script Execution Time: 1.515625 seconds.

#5 guestolo (Admin, Site Donator, 16,247 posts)

Posted 07 February 2005 - 05:38 PM

Hold tough for a few minutes.

I take it the last log was either in safe mode or after you ended the process on a lot of
things running in the background.
In your next log can you try and start in Normal mode and don't end the process on anything?
Thanks......

But let me try some fixes first and let's see how you look later.

I'm uploading a few attachments at the bottom of this reply.
Can you download them all to your desktop and then UNZIP them all to your desktop?

By the way, I wouldn't be without Firefox :D

I'll post back with some cleaning procedures in a few minutes.



#6 boogieonrw (Member, 63 posts)

Posted 07 February 2005 - 05:44 PM

The downloads are timing out. I'll be back once I restart the computer and I'll post the log.

It may be a while... it's kind of hard to run the computer with all 63 or so processes running... wish me luck!

Thank you so much,
Jordan

#7 boogieonrw (Member, 63 posts)

Posted 07 February 2005 - 05:47 PM

Okay, I got them downloaded... restarting now.

#8 guestolo (Admin, Site Donator, 16,247 posts)

Posted 07 February 2005 - 05:52 PM

Does your Notepad work?
Go to START>>Run>>type in notepad
and hit Enter.

If you can't download those attachments, let me know.

Are you able to do this?
Create a new folder on your Desktop, call it AboutBuster.
Download to desktop ABOUT:BUSTER.zip
by RubbeR Ducky.
Unzip it to that new folder===Open About:Buster and Check for Updates.
Don't run a Scan yet.

EDIT>>>I just saw your above post,
so I assume you can download the above in Safe mode.
If not, are you capable of receiving attachments in your email?

STAY in Normal mode and post the log, or RESTART in SAFE MODE with Networking.
But try not to restart again until after I see the log.



#9 boogieonrw (Member, 63 posts)

Posted 07 February 2005 - 06:12 PM

As of now, I can't get anything to work on that computer... it starts up, loads a few things... and then says "cannot find wnim.dll" or something like this...

and then everything seems A-okay... but then I go to the web, or go to My Computer... or really try to open anything, even pressing Control-Alt-Delete,

and it just endlessly thinks.

This wouldn't have to do with those registry files I downloaded, would it? 'Cause it was working before I got them... anyway, I'm gonna let it cool down and I'll get back to work... haven't restarted in safe mode yet... but that's the next step... I'm gonna give it a half hour first... perhaps it will remember what it's thinking about... 'cause it's hourglassing as of now... maybe it will figure it out.

#10 guestolo (Admin, Site Donator, 16,247 posts)

Posted 07 February 2005 - 06:15 PM

Downloading those and unzipping them to the desktop will do no harm at all.
Did you merge them already?

I just needed you to download them for now.

Don't do anything else without instructions.

We can work off your first log if you can't post anything else.

Slow down and don't get ahead of yourself on this.......... ;)



#11 boogieonrw (Member, 63 posts)

Posted 07 February 2005 - 06:28 PM

I did open the files that unzipped... is that horrible?

Upon restarting... it didn't seem like Windows Messenger would ever really establish itself (BTW Windows Messenger isn't something I ever had set up, and when I first contracted this virus, it opened... and a few people's email addresses that I know had messaged me... so I think maybe this virus is using the program to send out information).

So I closed it down... if you need me to wait through its opening (which was the cause, so it seems, of my long delayed startup) I will try to do so, let me know.

Here's the post. This is with everything running:


The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Feb 7, 2005 7:25:09 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: fyyylohj5
Display Name: fyyylohj5
Start Mode: Unknown
Start Name:
Description: ...
Service Type: Unknown
Path:
State: Running
Process ID: 1832
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: NOD32krn
Display Name: NOD32 Kernel Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\eset\nod32krn.exe
State: Running
Process ID: 356
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{4af1c4a9-7593-4159-a089-20000a4dfd3b}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: %AF
Display Name: Network Security Service (NSS)
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: "c:\windows\appvg32.exe" /s
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 82 Win32 services on this machine.
4 were unrecognized.

Script Execution Time: 78.29688 seconds.

#12 guestolo (Admin, Site Donator, 16,247 posts)

Posted 07 February 2005 - 06:34 PM

I assume now you're in safe mode.
Were you able to download About:Buster? Were you able to check for updates and download them?
Are you able to download on the machine right now?

Post another HijackThis log and try not to restart again!!!!!!!

That log you just showed me is another log from ServiceFilter.
I don't need to see that right now.

I need to see a fresh HijackThis log; were you able to manage to do that in Normal Mode?

Sorry for any confusion, I should have said a fresh HijackThis log.



#13 boogieonrw (Member, 63 posts)

Posted 07 February 2005 - 06:39 PM

I'm in normal mode now... I downloaded and updated the program you mentioned... and here's a log from HijackThis,

with everything (minus Windows Messenger) running:


Logfile of HijackThis v1.99.0
Scan saved at 7:38:37 PM, on 2/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\soft.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\tibs5.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
C:\WINDOWS\System32\psadsk.exe
C:\WINDOWS\crne32.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\packager.exe
C:\WINDOWS\System32\offuk.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\appvg32.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...ystempopup=true (obfuscated)
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {A3AC2034-C8B8-E8EA-550B-B4A3591F15B7} - C:\WINDOWS\system32\msni32.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - HKLM\..\Run: [s39U3qV] psadsk.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtcd32.exe
O4 - HKLM\..\RunOnce: [appvg32.exe] C:\WINDOWS\appvg32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKCU\..\Run: [d0q8RkZ5R] offuk.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107534934375
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4583
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/UCSearch.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\appvg32.exe
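
As an added example, not code from this thread or from HijackThis itself, the Python script below applies the checks the helper is making by eye over the two logs above: a handful of lines copied from those logs is embedded as a constructed sample, and the rules (res:// search pages pointing at a local DLL, autostarts launched from a Temp folder or with no directory at all, any O15 Trusted Zone addition, unknown-vendor services living in the Windows root) are my own triage heuristics, not HijackThis's own classification.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: lines taken from the HijackThis logs in this thread,
# plus the benign IgfxTray and Lexmark entries for contrast.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [s39U3qV] psadsk.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\appvg32.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


# A binary sitting directly in C:\WINDOWS\ (not in system32 or Program Files).
WINDOWS_ROOT = re.compile(r'^"?[a-z]:\\windows\\[^\\]+\.(exe|dll)"?', re.I)
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
O23_RE = re.compile(r"Service: (.+?) - (.+?) - (.+)$")


def _o4_command(rest: str) -> str:
    """Strip 'HKLM\\..\\Run: [Name]' and return the command with its arguments."""
    m = re.match(r".*?\[[^\]]*\]\s*(.*)$", rest)
    return m.group(1).strip() if m else rest.strip()


def _executable_of(command: str) -> str:
    """First token of the command line, honouring a quoted path."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command.strip('"')
    tokens = command.split()
    return tokens[0] if tokens else ""


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match one of the heuristics, with a reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        tag, rest = m.group(1), m.group(2)
        if tag in ("R0", "R1", "R3") and "= res://" in rest and ".dll" in rest.lower():
            findings.append(Finding(tag, "IE search/start page redirected to a local DLL resource", line))
        elif tag == "F3" and "run=" in rest.lower():
            findings.append(Finding(tag, "legacy win.ini autostart entry", line))
        elif tag == "O4":
            exe = _executable_of(_o4_command(rest))
            if re.search(r"\\temp\\", exe, re.I):
                findings.append(Finding(tag, "autostart launched from a Temp directory", line))
            elif "\\" not in exe:
                findings.append(Finding(tag, "autostart with no directory (resolved via PATH search)", line))
        elif tag == "O15":
            findings.append(Finding(tag, "IE Trusted Zone / Trusted IP range addition", line))
        elif tag == "O23":
            parts = O23_RE.match(rest)
            if parts and parts.group(2).strip() == "Unknown" and WINDOWS_ROOT.match(parts.group(3).strip()):
                findings.append(Finding(tag, "service with unknown vendor running from the Windows root", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HijackThis section."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(hits))
```

Replace SAMPLE_LOG with the contents of a saved hijackthis.log to run it over a full scan; everything it does not flag still deserves a look, since the rules only cover the patterns visible in this thread.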

#14 guestolo (Admin, Site Donator, 16,247 posts)

Posted 07 February 2005 - 06:45 PM

Good work, let me know if you are able to download this tool also.

Download and UNZIP to a folder Hoster by Toadbee.
We'll need this later.

Then we'll try some fixes; if you have to restart in safe mode to download it, do so,
but stay in safe mode.

Don't restart back into Normal mode again until prompted.

I saw you had Windows CleanUp! installed, we'll need that later too since you have it.

So let me know if you can download that tool and get ready to restart into safe mode.

Do so now if you have to.



#15 Guest_boogieonrw._* (Guests)

Posted 07 February 2005 - 07:38 PM

i am now in safe mode

#16 boogieonrw (Member)

Posted 07 February 2005 - 08:02 PM

i'll leave that computer on in safe mode just awaiting your response. thanks a lot you are a godsend

how did you learn so much about all this stuff, anyways?

#17 guestolo (Site Donator, Admin)

Posted 07 February 2005 - 08:26 PM

You definitely have some cleaning to do
Follow these instructions closely

I have no idea if you were able to download Hoster or not?

But for now

Stay in safe mode
Print this out or Save it to a Notepad file on the Desktop

Disconnect from the Internet

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

===Next: Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- Network Security Service (NSS) <--careful, there are others that look similar, you're after this one

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
from Automatic

Do the same for this Service name if found
fyyylohj5

===Stay in safe mode and navigate to these files or folders and delete them if they exist
c:\windows\system32\tvshdg.exe <--this file
C:\WINDOWS\system32\n20050308.exe
C:\WINDOWS\System32\soft.exe
C:\WINDOWS\System32\tibs5.exe
C:\WINDOWS\System32\psadsk.exe
C:\WINDOWS\crne32.exe
C:\WINDOWS\System32\offuk.exe
C:\WINDOWS\System32\msxmidi.exe
C:\WINDOWS\appvg32.exe
C:\windows\system32\kalvtcd32.exe
C:\WINDOWS\SYSTEM\wnim.dll
C:\WINDOWS\system32\msni32.dll
C:\WINDOWS\ZServ.dll

C:\WINDOWS\isrvs <--this folder
C:\Program Files\ISTsvc <--folder

===In safe mode
Do another Scan with Hijackthis and put a check next to these entries

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {A3AC2034-C8B8-E8EA-550B-B4A3591F15B7} - C:\WINDOWS\system32\msni32.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - HKLM\..\Run: [s39U3qV] psadsk.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtcd32.exe
O4 - HKLM\..\RunOnce: [appvg32.exe] C:\WINDOWS\appvg32.exe

O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKCU\..\Run: [d0q8RkZ5R] offuk.exe

O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)

O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4583
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/UCSearch.CAB

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\appvg32.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Again, in safe mode
===Navigate to About:Buster
Start About:Buster and hit ok. Now for the scanning part. Hit Start and then Ok. The program should start scanning. Scan a second time.
Save the log to a convenient location, I will want to see it later. Then hit exit

===Double click on cwsserviceremove.reg you unzipped to desktop earlier
and Allow it to merge to the Registry

===Double click on searchmiracle.reg again-- allow to merge

===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

===Open HOSTER and click on "RESTORE ORIGINAL HOSTS"

===Open up Windows CleanUp! and click the CleanUp button
When it's done

RESTART back to Normal mode
Run About:Buster again and save the log

Do another scan with Hijackthis and post a log
Also post the About:Buster logs

We will still have some cleaning to do, but do the above first, all if possible, or as much as you can and then post the new logs
Please read it over carefully

After you have posted the logs, try not to Restart again



#18 boogieonrw (Member)

Posted 07 February 2005 - 11:53 PM

something odd i just realized- it is logging me into windows messenger without me typing in password, or ever even setting up the program...so i guess it stole my password from .NET (i use Email Removed)

so now i guess i have to change all my passwords, no biggie

anyway, also - symptoms- just so you know what we're dealing with...we have like, 5 new links on my desktop...spyware avenger, virus hunter security, popupblocker stops popups, evidence eraser, and your platinum visa card.... they all come up when i start up... i have this search bar above the date in the bottom right... there is NO memory, everything's damn slow, popups galore including java script ones that try to get me to click okay...
i found a program called ddddd.exe or something on my harddrive that had a pornographic icon, and it was in use and couldn't be deleted even in safe mode...


Do i need to get those cws and the other program again from you, because my computer lost them (unbelievable to me too- but the time i downloaded them it could not find my user profile, and it gave me a default desktop ....and now when i search my computer for them, it says they don't exist.)

so here's the diagnostic stuff. i am running normal mode now


Okay, here we go-




Scanned at: 10:09:59 PM on: 2/7/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\aeqxg.dll
Removed! : C:\WINDOWS\awtkw.dll
Removed! : C:\WINDOWS\cinkm.dll
Removed! : C:\WINDOWS\jydcf.dll
Removed! : C:\WINDOWS\ktekt.dll
Removed! : C:\WINDOWS\mogvb.dll
Removed! : C:\WINDOWS\mqjum.dll
Removed! : C:\WINDOWS\oajrh.dll
Removed! : C:\WINDOWS\oaxst.dll
Removed! : C:\WINDOWS\ofmef.dll
Removed! : C:\WINDOWS\rdiaf.dll
Removed! : C:\WINDOWS\sancr.dll
Removed! : C:\WINDOWS\tgtws.dll
Removed! : C:\WINDOWS\umora.dll
Removed! : C:\WINDOWS\vlkbd.dll
Removed! : C:\WINDOWS\wugzt.dll
Removed! : C:\WINDOWS\xqyhu.dll
Removed! : C:\WINDOWS\xtcfr.dll
Removed! : C:\WINDOWS\zhrpv.dll
Removed! : C:\WINDOWS\zkczj.dll
Removed! : C:\WINDOWS\znjom.dll
Removed! : C:\WINDOWS\System32\bukpc.dll
Removed! : C:\WINDOWS\System32\fnnhk.dat
Removed! : C:\WINDOWS\System32\itwnd.dll
Removed! : C:\WINDOWS\System32\jbfjt.dll
Removed! : C:\WINDOWS\System32\lqsad.dll
Removed! : C:\WINDOWS\System32\ojfsq.dll
Removed! : C:\WINDOWS\System32\owkrz.dll
Removed! : C:\WINDOWS\System32\pncfj.dll
Removed! : C:\WINDOWS\System32\qirdo.dll
Removed! : C:\WINDOWS\System32\qksza.dll
Removed! : C:\WINDOWS\System32\qpzhb.dll
Removed! : C:\WINDOWS\System32\qwjvr.dll
Removed! : C:\WINDOWS\System32\rntkk.dll
Removed! : C:\WINDOWS\System32\tvhqe.dll
Removed! : C:\WINDOWS\System32\vjbfj.dat
Removed! : C:\WINDOWS\System32\vpkqb.dll
Removed! : C:\WINDOWS\System32\vqpzh.dat
Removed! : C:\WINDOWS\System32\wzbft.dll
Removed! : C:\WINDOWS\System32\xwzbf.dat
Removed! : C:\WINDOWS\System32\yofme.dat
Removed! : C:\WINDOWS\System32\ypefs.dll
Removed! : C:\WINDOWS\System32\ysntc.dll
Removed! : C:\WINDOWS\System32\zomyp.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 12:45:01 AM on: 2/8/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!





Logfile of HijackThis v1.97.7
Scan saved at 12:46:01 AM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\qbrurzrw5.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\jordan\Application Data\eetu.exe
C:\WINDOWS\System32\m?iexec.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\windows\system32\packager.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\jordan\Desktop\AboutBuster\AboutBuster\AboutBuster.exe
C:\Documents and Settings\jordan\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us.mcafee.com...ystempopup=true (obfuscated)
F1 - win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - C:\WINDOWS\System32\gmapuiud.dll
O2 - BHO: (no name) - {F88F8875-03DC-4821-9D1E-193A135D0CF2} - C:\WINDOWS\System32\qlc.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKCU\..\Run: [d0q8RkZ5R] offuk.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\jordan\Application Data\eetu.exe
O4 - HKCU\..\Run: [Vlzxmfa] C:\WINDOWS\System32\m?iexec.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107534934375
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4583
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
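The helper's triage of the log above follows a handful of recurring patterns: search pages pointed at a `res://` DLL resource, `win.ini` autostarts, nameless BHOs, Run keys launching from Temp or by bare filename, Trusted Zone additions, DPF entries without a CLSID, and services with no vendor. The script below is an added example for this thread, not HijackThis code or anything posted by the participants; it parses HJT-format lines and flags those patterns. The sample log is constructed from entries quoted in the thread, and the heuristics (the `TEMP_MARKERS` list, the path-extraction regex) are the example's own assumptions, kept deliberately coarse.

```python
"""Triage a HijackThis-style log and flag the entry patterns a helper
would look at first.  Added example, not HijackThis code.  Heuristics are
coarse: a hit means 'look at this', not 'this is malware'."""
import re
from collections import Counter

# Constructed sample in HJT 1.9x format, assembled from entries seen in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
F1 - win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - C:\WINDOWS\System32\gmapuiud.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKCU\..\Run: [d0q8RkZ5R] offuk.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\jordan\Application Data\eetu.exe
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\appvg32.exe
"""

# "R1 - body", "F1 - body", "O23 - body" ...
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
# First token that ends in an executable/DLL extension, optionally quoted (assumed heuristic).
PATH_RE = re.compile(r'"?(.+?\.(?:exe|dll|scr|bat))\b', re.I)
# Folders an autostart normally has no business launching from (assumed list).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\application data\\")


def parse_entry(line):
    """Split one log line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_run_key(body):
    """O4 body: 'HKLM\\..\\Run: [name] command'.  Flag odd launch locations."""
    m = re.match(r"(.*?): \[(.*?)\] (.*)", body)
    if not m:
        return None
    pm = PATH_RE.match(m.group(3))
    path = (pm.group(1) if pm else m.group(3).split(" ", 1)[0]).lower()
    if "\\" not in path:
        return "autostart by bare filename (no fixed location, resolved via PATH)"
    if any(marker in path for marker in TEMP_MARKERS):
        return "autostart from a temp or per-user data folder"
    return None


def triage(log_text):
    """Return a list of {section, reason, line} for every flagged entry."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if not parsed:
            continue
        section, body = parsed
        reason = None
        if section in ("R0", "R1") and "res://" in body:
            reason = "search/start page redirected into a local DLL resource"
        elif section.startswith("F"):
            reason = "legacy win.ini/system.ini autostart (rare on XP, worth a look)"
        elif section == "O2" and ("(no name)" in body or body.endswith("(no file)")):
            reason = "BHO with no name or missing file"
        elif section == "O4":
            reason = check_run_key(body)
        elif section == "O15":
            reason = "host added to Trusted sites zone (relaxed ActiveX/script settings)"
        elif section == "O16" and not re.match(r"DPF: \{[0-9A-F-]+\}", body, re.I):
            reason = "downloaded program file without a CLSID"
        elif section == "O23" and " - Unknown - " in body:
            reason = "service with no vendor information (cross-check the path)"
        if reason:
            findings.append({"section": section, "reason": reason, "line": raw.strip()})
    return findings


def summarize(findings):
    """Count flagged entries per HJT section."""
    return Counter(f["section"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>3}  {f['reason']}\n     {f['line']}")
    print(dict(summarize(SAMPLE_LOG and triage(SAMPLE_LOG))))
```

On the constructed sample, every line except the `IgfxTray` Run entry is flagged. The O23 "Unknown" rule is the noisiest one: the thread's own log lists the NOD32 kernel service as "Unknown" too, which is exactly why the helper pairs the vendor field with the file path rather than acting on either alone.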

#19 guestolo (Site Donator, Admin)

Posted 08 February 2005 - 01:18 AM

I won't be able to see your log until tomorrow
You also ran a scan with Hijackthis 1.97.7

I need to see a log from Hijackthis 1.99
Delete the one on the desktop
Only use the one from C:\HJT

I'll upload the required files again>>>UNZIP them all to desktop

Download and Install
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacools...areblaster.html

After Installation ensure your Active X settings are set like this
In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

Look in your C:\Windows\system32 folder for shell.dll
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder, it's a needed file

Also save to desktop CWShredder.exe
Don't run it yet

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
When you Install Ad-Aware it may Update and start running a scan
Allow to update, don't run a scan yet

Stay in normal mode
Open Hijackthis 1.99
Open Misc tools section
Open Process Manager
Kill these processes if still running
C:\WINDOWS\System32\qbrurzrw5.exe
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
C:\Documents and Settings\jordan\Application Data\eetu.exe
C:\WINDOWS\System32\m?iexec.exe


Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345

F1 - win.ini: run=C:\WINDOWS\System32\soft.exe

O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - C:\WINDOWS\System32\gmapuiud.dll
O2 - BHO: (no name) - {F88F8875-03DC-4821-9D1E-193A135D0CF2} - C:\WINDOWS\System32\qlc.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe

O4 - HKCU\..\Run: [d0q8RkZ5R] offuk.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\jordan\Application Data\eetu.exe
O4 - HKCU\..\Run: [Vlzxmfa] C:\WINDOWS\System32\m?iexec.exe

O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com

O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4583


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Open CWShredder and click ONLY the FIX button
Let it fix all problems

RESTART into Safe mode

Access your add/remove programs and remove if found
iSearch Toolbar


Stay in safe mode and delete if found
C:\WINDOWS\System32\soft.exe <--this file
C:\WINDOWS\System32\gmapuiud.dll
C:\WINDOWS\System32\qlc.dll
c:\windows\system32\tvshdg.exe
C:\Documents and Settings\jordan\Application Data\eetu.exe
C:\WINDOWS\ZServ.dll
Do a search for the next 2
ZServ.inf
zserv.cab


C:\WINDOWS\isrvs <--this folder

Stay in Safe mode

Open about:Buster and run scans again, saving the logs

RIGHT CLICK on Deldomains.inf and choose Install

Merge the other 2 you downloaded and unzipped to your desktop
cwsserviceremove.reg
searchmiracle.reg


Open HOSTER and Restore Original Hosts

Open Ad-Aware
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to Normal mode to finish the cleaning process

To see what else needs cleaning
Download this virus checker from eScan
Mwav.exe
There's nothing to install, save it and then double click to run
It will self extract

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and paste it in your next reply.

****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

Post back a fresh hijackthis log afterwards too

We'll still have some more cleaning but I need to see an updated hijackthis log from version 1.99






#20 boogieonrw (Member)

Posted 08 February 2005 - 10:59 AM

File C:\WINDOWS\System32\qbrurzrw5.exe infected by "Trojan-Downloader.Win32.Agent.gn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Explorer.EXE infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\brew.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\WinTitle.dll infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\brew.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Explorer.exe infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\qbrurzrw5.exe infected by "Trojan-Downloader.Win32.Agent.gn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\iconu.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msxmidi.exe infected by "Virus.Win32.Bube.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_22.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cp.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dddd.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dfe.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dOnim.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\eliteztm32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\eree.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\fgrr.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\htt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\iwdwin.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\KVIF_7.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\l06olaj31do.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\LMWND13n.DLL infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\lvno0953e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mqexdlm.srg infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\nndptyl.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\o884lilq18qe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\s8pu0i79e8.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\tarmmgr.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\WinSuck.dll infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Xcite.dll infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Xcite2.exe infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\DrTemp\thnall1b.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\IH1DC.tmp infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\suicidetb.exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\THI311E.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\THI52C2.tmp\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\THI52C2.tmp\polall1b.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\THI5713.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\THI6432.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\014D63SJ\mtrslib2[1].js infected by "Trojan-Downloader.JS.Small.ag" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\js[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\silent_install[1].exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\CDWXYTCP\js[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\CDWXYTCP\sideb[1].exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\CDWXYTCP\silent[1].exe infected by "Trojan-Downloader.Win32.Small.sg" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\CDWXYTCP\thnall1b[1].exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.


I'll post the HijackThis in a few.