TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Venom on June 16, 2005, 06:37:10 PM
-
I know there are hundreds of posts like this one, but they all seem to differ a little. Here is my log. Can someone please help me remove the virus? Thanks
Logfile of HijackThis v1.99.1
Scan saved at 11:38:45 PM, on 6/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\NFORENC.EXE
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\IGFXSRVC.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\llrnvk.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMAN.EXE
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\Program Files\Ktxzxp\Qaujigu.exe
C:\Program Files\Kahkhh\Obuxwzn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\Services\{C32211F9-BD6C-4AC4-BF1A-2ED29E2D53BC}\SVCHOST.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\YSERVER.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\big irv\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Sysnet] C:\WINDOWS\System32\snuninst.exe
O4 - HKLM\..\Run: [NFORENC] C:\WINDOWS\NFORENC.EXE
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [7e178fb275f7] C:\WINDOWS\System32\IGFXSRVC.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\llrnvk.exe reg_run
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Ofbmephd] C:\Program Files\Ktxzxp\Qaujigu.exe
O4 - HKLM\..\Run: [Tzgxcrwx] C:\Program Files\Kahkhh\Obuxwzn.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [dgxdbsy] C:\WINDOWS\System32\dgxdbsy.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{C32211F9-BD6C-4AC4-BF1A-2ED29E2D53BC}\SVCHOST.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{C32211F9-BD6C-4AC4-BF1A-2ED29E2D53BC}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [fonkqu] C:\WINDOWS\System32\fonkqu.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
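A log like this is normally triaged by eye, entry by entry. As an added example (not part of this thread and not HijackThis's own logic), the Python below parses the R/O entries of an HJT 1.99 log and applies a few of the heuristics a helper applies mentally: IE start/search pages pointing off the ISP defaults, Browser Helper Object DLLs dropped straight into the Windows directory, rundll32 values that load a DLL by bare name or with hex-looking DLL/entry-point names, registry value names that are hex strings or GUIDs, system process names (svchost.exe, security.exe) running from a GUID-named folder outside System32, Trusted Zone additions, and ActiveX controls fetched from non-default hosts. The sample is an excerpt of the log posted above; the allowlist of ISP default hosts (taken from the log's own Default_Page_URL line), the rule wording and the "vowel-less name" random-name test are this example's assumptions, and that last test deliberately trips on msmsgs.exe to show why every hit still needs a human to confirm it.

```python
"""Rule-based triage of a HijackThis 1.99 log. Added example: not part of the thread
and not HijackThis's own logic; every rule below is an assumption (leads, not verdicts)."""
import re
from urllib.parse import urlparse

# Excerpt of the log posted above; two entries are deliberately wrapped the way forum
# software wraps long lines, so parse() has to glue continuation lines back on.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.clicksearchclick.com/index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\llrnvk.exe reg_run
O4 - HKLM\..\Run: [Ofbmephd] C:\Program Files\Ktxzxp\Qaujigu.exe
O4 - HKLM\..\Run: [Service Host]
C:\WINDOWS\System32\Services\{C32211F9-BD6C-4AC4-BF1A-2ED29E2D53BC}\SVCHOST.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
"""
DEFAULT_HOSTS = ("sbc.com", "yahoo.com")  # assumption: ISP defaults, per the Default_Page_URL line
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]*)\] (.*)$")
PROG_RE = re.compile(r'^("[^"]+"|\S.*?\.(?:exe|com|scr|bat|dll))(?:\s|$)', re.I)
HEX_RE = re.compile(r"^[0-9a-f]{8,}$", re.I)
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)

def parse(text):
    """(section, body) pairs; a line without an 'Rn - '/'On - ' prefix is a wrapped continuation."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line and entries:
            entries[-1][1] += " " + line
    return entries

def off_default(url):
    host = (urlparse(url).hostname or "").lower()
    return not any(host == d or host.endswith("." + d) for d in DEFAULT_HOSTS)

def vowelless(name):
    # Crude random-name test: 5+ letters and no a/e/i/o/u. Known false positive: msmsgs.exe.
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 5 and not any(c in "aeiou" for c in letters)

def check_path(path):
    reasons, low = [], path.lower()
    folder, _, base = low.rpartition("\\")
    if "\\services\\{" in low:
        reasons.append("runs from a GUID-named folder under Services")
    if base in ("svchost.exe", "security.exe", "lsass.exe") and folder not in (r"c:\windows\system32", r"c:\windows\system"):
        reasons.append("system process name outside System32")
    if folder == r"c:\windows" and base.endswith(".dll"):
        reasons.append("DLL dropped directly into the Windows directory")
    if odd := [p for p in path.split("\\")[1:] if vowelless(p.rsplit(".", 1)[0])]:
        reasons.append("vowel-less name(s): " + ", ".join(odd))
    return reasons

def check_run(name, cmd):
    reasons = ["machine-generated value name"] if HEX_RE.match(name) or GUID_RE.match(name) else []
    head, _, rest = cmd.partition(" ")
    if head.lower() in ("rundll32", "rundll32.exe"):  # "rundll32 DLL,EntryPoint" form
        dll, _, entry = (s.strip() for s in rest.partition(","))
        if "\\" not in dll:
            reasons.append("rundll32 loads DLL by bare name (search-path lookup)")
        if HEX_RE.match(dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]) or HEX_RE.match(entry):
            reasons.append("hex-looking DLL or entry point")
        path = dll
    else:  # plain "program args" form; unquoted paths may contain spaces
        m = PROG_RE.match(cmd)
        path = m.group(1).strip('"') if m else cmd
    return reasons + check_path(path)

def triage(text):
    """Return [(section, label, reasons)] for every entry that trips a rule."""
    hits = []
    for section, body in parse(text):
        label, reasons = body, []
        if section in ("R0", "R1"):  # IE start/search page settings
            key, _, value = body.partition(" = ")
            label = key.rsplit(",", 1)[-1]
            if value.startswith("http") and off_default(value):
                reasons.append("IE setting points off the ISP defaults: " + value)
        elif section == "O2":  # Browser Helper Object
            label = body.split(" - ")[0].replace("BHO: ", "")
            reasons = check_path(body.rsplit(" - ", 1)[-1])
        elif section == "O4" and RUN_RE.match(body):  # Run/RunOnce values
            label, cmd = RUN_RE.match(body).groups()
            reasons = check_run(label, cmd)
        elif section in ("O15", "O16") and (url := re.search(r"https?://\S+", body)):
            label = urlparse(url.group()).hostname
            if section == "O15":
                reasons.append("site added to the IE Trusted Zone (relaxed security)")
            elif off_default(url.group()):
                reasons.append("ActiveX control fetched from a non-default host")
        if reasons:
            hits.append((section, label, reasons))
    return hits
```

Entries with no rule (Global Startup shortcuts, O8/O9/O23 and so on) pass through unflagged, so an empty result means "nothing these rules know about", not "clean". Running triage(SAMPLE_LOG) flags twelve of the fourteen sample entries; the SunJavaUpdateSched and Default_Page_URL lines come through clean, and MSMSGS is the heuristic's expected false positive.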
-
Hi Venom, I got your message, but you have to do some cleaning and preventive measures ahead of time
==Download and Install the free version of Ad-Aware SE Personal 1.06 (ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe)
Ensure you have this latest version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Don't run a scan yet, but make sure it's updated
==Download and Install Spybot S&D 1.4 (http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button)
Don't activate the Tea Timer when installing, it's a great feature but can get in the way of any fixes we may still have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
Again, don't run a scan yet
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Give the link time to load or try it twice, it may be busy
Alternate Download link (http://www.spywareaid.com/index.php?file=showsoftware&action=dl&softid=1&softtype=exe)
We'll need this later
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation
In safe mode
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done.
==Open Ad-Aware
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Please restart back into Safe mode
Back in safe mode
==Open Spybot
Click the Search & Destroy button on the left
Check for Problems---When the Scan is complete
FIX all selected problems in RED
RESTART the computer back to Normal mode afterwards
Back in Windows
If you're having Desktop background problems, try the next step
If it doesn't help, let me know and we'll try a different procedure to fix your desktop
But carry on with all steps first
Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off the user account and back on afterwards
Please access this link, for now I need you to Install Service Pack 1a to help protect your system, you are vulnerable to reinfection
Don't install Service pack 2 yet, you can do this later
There is a link to the page to Windows updates or a link to download and save the installer to desktop
http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
Afterwards
I have links to free Online Virus scanners below
Please do at least one or more online virus scan at either
Panda's
TrendMicro
or
BitDefender
Set to Autoclean when the option is available
Save the Report when the scan is done
You will have to use Internet Explorer to run these scans
Restart your computer afterwards
Back in Windows
Run another scan with Hijackthis and post a fresh log
Also post the report from the Online virus scan(s) you chose to do
Could you also
Download FindQoologic from here:
http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981
UNZIP the contents within to desktop
Open the extracted folder and double click on Find-Qoologic2.bat
Wait for the log and post it back here
NOTE: Do what you can from the above instructions
Let me know what you couldn't do (if anything) after you proceed and finish the next step(s)