Author Topic: Can someone help me remove this !#%!#@% virus (Read 778 times)

JJ 0014 · « **on:** January 02, 2006, 01:17:53 PM »

I clicked on a google search topic three days ago and was immediately informed that my computer was infected with several trojans. I have run CWShredder, Adware, Spybot, and InnoculateIT and I keep getting popups and my internet browser has been hijacked. I am posting my latest HijackThis log.

Please help!

Logfile of HijackThis v1.99.1
Scan saved at 11:17:15 AM, on 1/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Funk Software\Proxy Host\phtray.exe
C:\Program Files\Computer Associates\InoculateIT\realmon.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\eFax Messenger 3.4\J2GDllCmd.exe
C:\Program Files\Microsoft Office\Access2K\Office\1033\msoffice.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
C:\Program Files\Computer Associates\InoculateIT\InoRT.exe
C:\Program Files\Computer Associates\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\ncsvc.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\atlpp.exe

guestolo · « **Reply #1 on:** January 02, 2006, 02:12:52 PM »

I need to see the whole hijackthis log please
Open the Hijackthis log
Click on EDIT>>Select All to highlight everything
Then Click on EDIT>>Copy

Come back here and paste the whole log in your reply

JJ 0014 · « **Reply #2 on:** January 02, 2006, 07:36:19 PM »

Thanks for taking the time to assist me. Below is the complete Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:17:15 AM, on 1/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Funk Software\Proxy Host\phtray.exe
C:\Program Files\Computer Associates\InoculateIT\realmon.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\eFax Messenger 3.4\J2GDllCmd.exe
C:\Program Files\Microsoft Office\Access2K\Office\1033\msoffice.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
C:\Program Files\Computer Associates\InoculateIT\InoRT.exe
C:\Program Files\Computer Associates\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\ncsvc.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\atlpp.exe
C:\WINDOWS\system32\sdkid32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Documents and Settings\onyxtech\My Documents\John\system help tools\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nanyb.dll/sp.html#28129%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nanyb.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nanyb.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nanyb.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nanyb.dll/sp.html#28129%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nanyb.dll/sp.html#28129%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {32FD5A16-7B87-D254-57E3-C8A486AA74D6} - C:\WINDOWS\addbr32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\phtray.exe"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\Computer Associates\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\ACU\Utility\ACU.exe -nogui
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [nthm32.exe] C:\WINDOWS\system32\nthm32.exe
O4 - HKLM\..\Run: [mfcba.exe] C:\WINDOWS\system32\mfcba.exe
O4 - HKLM\..\Run: [ieqw32.exe] C:\WINDOWS\system32\ieqw32.exe
O4 - HKLM\..\Run: [sdkid32.exe] C:\WINDOWS\system32\sdkid32.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: eFax Live Menu 3.4.lnk = C:\Program Files\eFax Messenger 3.4\J2GDllCmd.exe
O4 - Startup: eFax Tray Menu 3.4.lnk = C:\Program Files\eFax Messenger 3.4\J2GTray.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Novell Login.lnk = C:\WINDOWS\system32\loginw32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://remoteaccess.onyxes.com/dana-cached...oterisSetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
O23 - Service: InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoRT.exe
O23 - Service: InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Virtual Com Port Service (neoNcSvc) - Unknown owner - C:\WINDOWS\System32\ncsvc.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

guestolo · « **Reply #3 on:** January 02, 2006, 08:08:15 PM »

Can you do the following please

==Download and Install
Windows Cleanup! 4.0
Don't run it yet

==Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

==Open Ad-Aware Se 1.06 and check for updates
Download if any, but don't run a scan yet

==Create a New folder on your desktop, call it Aboutbuster
(Right click an empty spot on the desktop and select NEW>>FOLDER)
Download to desktop About:Buster.zip
by RubbeR Ducky
Unzip it to that new folder so you now have AboutBuster.exe(and included Readme.rtf) extracted to the Aboutbuster folder
Don't run it yet

Save the rest of these instructions to a Notepad file saved to your desktop or Print them out for use in safe mode

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
If the system restarts back to Normal mode you will have to do it again

==Open the AboutBuster folder and double click on About:Buster.exe
Click the Begin Removal button
Yes to the prompt
Let it finish it's scan, then Exit
Please run About:buster again with the same instructions

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido
While Ewido is running, refrain from using the computer, please let it do it's job with no interference

Remain in safe mode
Do a "System scan only" with Hijackthis and put a check next to these entries
Any of the below found

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nanyb.dll/sp.html#28129%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nanyb.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nanyb.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nanyb.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nanyb.dll/sp.html#28129%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nanyb.dll/sp.html#28129%resultposition.net
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {32FD5A16-7B87-D254-57E3-C8A486AA74D6} - C:\WINDOWS\addbr32.dll

O4 - HKLM\..\Run: [nthm32.exe] C:\WINDOWS\system32\nthm32.exe
O4 - HKLM\..\Run: [mfcba.exe] C:\WINDOWS\system32\mfcba.exe
O4 - HKLM\..\Run: [ieqw32.exe] C:\WINDOWS\system32\ieqw32.exe
O4 - HKLM\..\Run: [sdkid32.exe] C:\WINDOWS\system32\sdkid32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Ad-Aware SE 1.06
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back into Normal mode

Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page

I need to see the following please

1. Run a Scan and savelogfile with hijackthis and post a fresh log
2. Post the whole report from Ewido's
3. Post the contents of the "Ab LogFile.txt" located in the same folder as About:Buster.exe
4. Also, open Hijackthis>>Open Misc tools section>>Open Hosts file manager
If prompted to create a hosts file, do so
Click the "Open In Notepad" button
A text file should open, copy and paste this back here too please

JJ 0014 · « **Reply #4 on:** January 03, 2006, 07:57:20 AM »

I followed your instructions and everything looks good. THANKS!!!!

As you requested, below are the logs you wanted to see.
-------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:38:45 AM, on 1/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
C:\Program Files\Computer Associates\InoculateIT\InoRT.exe
C:\Program Files\Computer Associates\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\ncsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Funk Software\Proxy Host\phtray.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Computer Associates\InoculateIT\realmon.exe
C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\eFax Messenger 3.4\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.4\J2GTray.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Access2K\Office\1033\msoffice.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\onyxtech\My Documents\John\system help tools\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\phtray.exe"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\Computer Associates\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\ACU\Utility\ACU.exe -nogui
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: eFax Live Menu 3.4.lnk = C:\Program Files\eFax Messenger 3.4\J2GDllCmd.exe
O4 - Startup: eFax Tray Menu 3.4.lnk = C:\Program Files\eFax Messenger 3.4\J2GTray.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Novell Login.lnk = C:\WINDOWS\system32\loginw32.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://remoteaccess.onyxes.com/dana-cached...oterisSetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoRpc.exe
O23 - Service: InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoRT.exe
O23 - Service: InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\Computer Associates\InoculateIT\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Virtual Com Port Service (neoNcSvc) - Unknown owner - C:\WINDOWS\System32\ncsvc.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

---------------------------------------------------------------------------------------------------------------------------

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:         10:59:53 PM, 1/2/2006
+ Report-Checksum:      ADFBE735

+ Scan result:

   C:\Documents and Settings\onyxtech\My Documents\John\system help tools\backups\backup-20041221-114219-614.dll -> Adware.MidADle : Cleaned with backup
   C:\Documents and Settings\onyxtech\My Documents\John\system help tools\backups\backup-20041221-114219-907.dll -> Spyware.PurityScan : Cleaned with backup
   C:\Documents and Settings\onyxtech\My Documents\John\system help tools\backups\backup-20050106-075529-816.dll -> Spyware.PurityScan : Cleaned with backup

::Report End

--------------------------------------------------------------------------------------------------------------------------

AboutBuster 6.0
Scan started on [1/2/2006] at [10:04:33 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINDOWS\KB826939.log:tinhxh
Removed Stream! C:\WINDOWS\KB837001.log:dkrsuc
Removed Stream! C:\WINDOWS\ModemLog_Standard 33600 bps Modem.txt:hkxixu
Removed Stream! C:\WINDOWS\msmqinst.log:zlpnzw
Removed Stream! C:\WINDOWS\ODBC.INI:dnllqu
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:oooemo
Removed Stream! C:\WINDOWS\Q814033.log:vpspp
Removed Stream! C:\WINDOWS\Q815485.log:urxgux
Removed Stream! C:\WINDOWS\Q819696.log:msilwi
Removed Stream! C:\WINDOWS\Santa Fe Stucco.bmp:aqbzt
Removed Stream! C:\WINDOWS\setupact.log:jtrfcg
Removed Stream! C:\WINDOWS\setuperr.log:btjleq
Removed Stream! C:\WINDOWS\stub16.ini:tmqidr
Removed Stream! C:\WINDOWS\stub22.ini:eottae
Removed Stream! C:\WINDOWS\stub29.ini:xxjqwt
Removed Stream! C:\WINDOWS\stub31.ini:pycdzw
-------------------------------------------------------------
Removed File! : C:\WINDOWS\addbr32.dll
Removed File! : C:\WINDOWS\atlpp.exe
Removed File! : C:\WINDOWS\javagx32.exe
Removed File! : C:\WINDOWS\javatd32.exe
Removed File! : C:\WINDOWS\nanyb.dll
Removed File! : C:\WINDOWS\ntay.exe
Removed File! : C:\WINDOWS\rvwrz.log
Removed File! : C:\WINDOWS\sysnj32.exe
Removed File! : C:\WINDOWS\winad.exe
Removed File! : C:\WINDOWS\System32\cozjv.log
Removed File! : C:\WINDOWS\System32\huemx.dat
Removed File! : C:\WINDOWS\System32\sdkch.exe
Removed File! : C:\WINDOWS\System32\sdkid32.exe
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:07:24 PM

AboutBuster 6.0
Scan started on [1/2/2006] at [10:08:23 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:08:27 PM

---------------------------------------------------------------------------------------------------------------------------

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

guestolo · « **Reply #5 on:** January 03, 2006, 11:27:28 PM »

Can you make sure your Virus scanner(eTrust) is right up to date
and run a complete scan please
Let it fix what it finds
If anything is found in the System Volume Information folder
Don't worry about it as we'll fix it on the next step

Final cleanup
If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature
Make sure you reenable system restore feature

Afterwards, For added protections
You should install this free tool
SpywareBlaster 3.5.1 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

Check for updates every couple of weeks
after every update just simply click the "enable protection on all unprotected items"

TheTechGuide Forum

News:

Author Topic: Can someone help me remove this !#%!#@% virus (Read 778 times)

JJ 0014

Can someone help me remove this !#%!#@% virus

guestolo

Can someone help me remove this !#%!#@% virus

JJ 0014

Can someone help me remove this !#%!#@% virus

guestolo

Can someone help me remove this !#%!#@% virus

JJ 0014

Can someone help me remove this !#%!#@% virus

guestolo

Can someone help me remove this !#%!#@% virus