Author Topic: help plz  (Read 1152 times)

kotaz

  • Guest
help plz
« on: February 01, 2005, 02:27:42 PM »
OK, here's the problem: when I start up my PC I get spammed by my antivirus saying I have like a million viruses. After that I do a system scan and it comes up with no viruses. Also, when I'm on my PC my antivirus (Norton Internet Security 2004) keeps telling me that an email had failed to send. Please help.
Logfile of HijackThis v1.99.0
Scan saved at 19:20:56, on 01/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\OPScan.exe
C:\Program Files\WinMX\WinMX.exe
C:\Documents and Settings\Shield\Desktop\Adware removal stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: winupdate78307018[1].exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: SecureDoc.lnk = C:\Program Files\MSI\SecureDoc\Logon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104698366484
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/fi...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O21 - SSODL: NTWSMON - {DE97A10F-267E-4C70-B459-10F40833756E} - C:\WINDOWS\System32\perfrmsg.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Unknown - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
« Reply #1 on: February 01, 2005, 03:06:34 PM »
Can you do me a favor
Set Windows to show hidden files and folders
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Put a checkmark in the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
# Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
# Remove the checkmark from the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

Can you go to this link
http://virusscan.jotti.org/
Give it time to load if it's busy

Use the BROWSE button at the top and Navigate to this file
C:\Documents and Settings\Shield\Start Menu\Programs\Startup\winupdate78307018[1].exe

or it may be under C:\Documents and Settings\All users

Right click on the file and choose Select
Back at the site choose SUBMIT
Wait for the Scan Results and copy and paste them back here, thanks

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Kotaz

  • Guest
« Reply #2 on: February 03, 2005, 06:12:43 PM »
Hi, well, here's the problem: I can't find the file that you have asked for.
Also, my internet has been shutting itself down recently. I believe it has something to do with tmpf02.exe. This program tries to access the internet but my internet security tells me to block it, so I do. As soon as I do that, my internet says page cannot be displayed. Do you know why this is happening? :(

Guest

  • Guest
« Reply #3 on: February 03, 2005, 06:15:15 PM »
Also, I get a webpage opening up to http://www.klikfeed.com/search.php?aff=821&q=spyware when I connect, if it's any help.

Offline guestolo

« Reply #4 on: February 03, 2005, 06:49:51 PM »
NEXT:Can you download and save Rkfiles.zip to your desktop
IMPORTANT>>Create a new folder and UNZIP the contents to that new folder

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

IMPORTANT>>>Restart your computer into SAFE MODE

You must be in safe mode with Windows set to show hidden files and folders
In safe mode
Open that new folder you created for Rkfiles.zip
Double click on rkfiles.bat to run it.
Sit back and WAIT until the dos Window closes

Restart back to Normal mode

Download this virus checker from eScan
Mwav.exe
There's nothing to install, save it and then double click to run
It will self extract

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane---  Use "CTRL  C" on your Keyboard to copy all found in the lower pane  and paste it in your next reply back here

****If prompted that a Virus was found and you need to purchase the product  to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

IMPORTANT>>>rkfiles.bat should have created a new .txt file
C:\log.txt
IMPORTANT>>Copy and paste back the contents of log.txt

Also post back a fresh hijackthis log



Kotaz

  • Guest
« Reply #5 on: February 05, 2005, 09:40:06 AM »
OK, here's what you wanted.
Here's the log:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\akrbaaaa.exe: UPX!
C:\WINDOWS\system32\alirinmf.exe: UPX!
C:\WINDOWS\system32\apnaaaaa.exe: UPX!
C:\WINDOWS\system32\dduekaaa.exe: UPX!
C:\WINDOWS\system32\fmod.dll: UPX!
C:\WINDOWS\system32\gosbbhlx.exe: UPX!
C:\WINDOWS\system32\gvfpdbgm.exe: UPX!
C:\WINDOWS\system32\mmxfyaaa.exe: UPX!
C:\WINDOWS\system32\ntnut.exe: UPX!
C:\WINDOWS\system32\sbvwuaaa.exe: UPX!
C:\WINDOWS\system32\vkjgbsil.exe: UPX!
C:\WINDOWS\system32\cz.dll: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2
C:\WINDOWS\MEMORY.DMP: PEC2
C:\WINDOWS\MEMORY.DMP: 1Q;s=PEc2F9
C:\WINDOWS\MEMORY.DMP: tPEC2
C:\WINDOWS\MEMORY.DMP: tempContentSpec2
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\choice.exe: UPX!
C:\WINDOWS\MEMORY.DMP: UPX!
C:\WINDOWS\MEMORY.DMP: UPX!-
C:\WINDOWS\MEMORY.DMP: efsg!>!#ztuf#
C:\WINDOWS\MEMORY.DMP: FSG!-
Finished
bye


Here's eScan:
File C:\WINDOWS\System32\tmpf00.exe infected by "Trojan-Dropper.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\perfrmsg.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\VDMT16.SYS infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\akrbaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\alirinmf.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\apnaaaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cz.dll infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dduekaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dload.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\gfldripv.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\gosbbhlx.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\gvfpdbgm.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hz.dll infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mmxfyaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ntnut.exe infected by "Trojan.Win32.Favadd.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sbvwuaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\tmpf00.exe infected by "Trojan-Dropper.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\unregister.exe infected by "not-a-virus:AdWare.ToolBar.VB.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vkjgbsil.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Shield\LOCALS~1\Temp\tmp2.tmp infected by "Trojan-Downloader.Win32.Murlo.b" Virus. Action Taken: No Action Taken.

and hijackthis
Logfile of HijackThis v1.99.0
Scan saved at 14:36:50, on 05/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Documents and Settings\Shield\Desktop\Adware removal stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104698366484
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/fi...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O21 - SSODL: NTWSMON - {DE97A10F-267E-4C70-B459-10F40833756E} - C:\WINDOWS\System32\perfrmsg.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Unknown - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Also, when I open my PC my antivirus gets rid of the same virus every time: tmpf02.exe
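
The cross-check between the three logs in the post above (HijackThis autostart entries, eScan detections, rkfiles packer tags), as an added Python example that is not part of the original thread and not one of the tools named in it. The input is a short excerpt of the posted logs; the function names, the report categories and the list of file extensions are assumptions made for illustration.

```python
import re

# Excerpts copied from the HijackThis, eScan and rkfiles logs posted in reply #5.
HIJACKTHIS = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
O21 - SSODL: NTWSMON - {DE97A10F-267E-4C70-B459-10F40833756E} - C:\WINDOWS\System32\perfrmsg.dll
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
ESCAN = r"""
File C:\WINDOWS\System32\tmpf00.exe infected by "Trojan-Dropper.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\perfrmsg.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cz.dll infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ntnut.exe infected by "Trojan.Win32.Favadd.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\tmpf00.exe infected by "Trojan-Dropper.Win32.Small.rd" Virus. Action Taken: No Action Taken.
"""
RKFILES = r"""
C:\WINDOWS\system32\ntnut.exe: UPX!
C:\WINDOWS\system32\cz.dll: FSG!
C:\WINDOWS\system32\fmod.dll: UPX!
C:\WINDOWS\MEMORY.DMP: PEC2
"""

# A drive-letter path ending in one of a few extensions (assumed list, extend as needed).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\n]*?\.(?:exe|dll|sys|tmp|dmp)\b', re.I)
HJT_RE = re.compile(r'^(O\d+) - (.+)$', re.M)
ESCAN_RE = re.compile(r'^File (.+?) infected by "([^"]+)"', re.M)
RKFILES_RE = re.compile(r'^([A-Za-z]:\\[^:\n]+): (UPX!|FSG!|PEC2)\s*$', re.M)


def norm(path):
    """Windows paths are case-insensitive, so compare them lower-cased."""
    return path.strip().strip('"').lower()


def parse_hijackthis(text):
    """Return (section, target path) for every O-section line that names a file."""
    entries = []
    for section, rest in HJT_RE.findall(text):
        match = PATH_RE.search(rest)  # skips 'RUNDLL32.EXE', switches, '!!'
        if match:
            entries.append((section, norm(match.group(0))))
    return entries


def parse_escan(text):
    """Map each detected file to the set of detection names (duplicates merged)."""
    found = {}
    for path, name in ESCAN_RE.findall(text):
        found.setdefault(norm(path), set()).add(name)
    return found


def parse_rkfiles(text):
    """Map each file rkfiles listed to the packer signature it matched."""
    return {norm(path): tag for path, tag in RKFILES_RE.findall(text)}


def triage(hjt_text, escan_text, rkfiles_text):
    autoruns = parse_hijackthis(hjt_text)
    detections = parse_escan(escan_text)
    packed = parse_rkfiles(rkfiles_text)
    autorun_paths = {path for _, path in autoruns}
    return {
        # Autostart entries whose target the scanner flagged: the entry has to
        # go as well as the file, or the loader is re-registered at next boot.
        "autorun_detected": [(sec, p, sorted(detections[p]))
                             for sec, p in autoruns if p in detections],
        # Flagged files with no autostart entry in this log: something else
        # (a service, a driver, another dropper) is putting them back.
        "detected_no_autorun": sorted(set(detections) - autorun_paths),
        # Packed and flagged.
        "packed_detected": sorted((p, packed[p], sorted(detections[p]))
                                  for p in packed if p in detections),
        # Packed but not flagged: needs a manual look; as the rkfiles banner
        # says, a packer signature alone does not make a file malicious.
        "packed_undetected": sorted(p for p in packed if p not in detections),
    }


if __name__ == "__main__":
    for category, items in triage(HIJACKTHIS, ESCAN, RKFILES).items():
        print(category)
        for item in items:
            print("   ", item)
```

Paths are compared as written, so an autostart entry recorded under an 8.3 short name (for example `C:\PROGRA~1\...`) will not match a detection logged under the long name.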

Offline guestolo

« Reply #6 on: February 06, 2005, 05:20:43 AM »
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Download Pocket Killbox
UNZIP the files to the folder of your choice.

Download and Install this small program
to help clean your temp folders,cookies,prefetch,etc...
Windows Cleanup
Install it for now but don't run a scan yet
Hold onto this

I've uploaded a zip file called "fixhx.zip"
It's at the bottom of this reply box
Save this to your desktop and UNZIP the contents to your desktop
We'll need this later

Save these next instructions to a Notepad file on your desktop for easy access
Disconnect from the Net>>Close all unnecessary windows, including this one

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!

O21 - SSODL: NTWSMON - {DE97A10F-267E-4C70-B459-10F40833756E} - C:\WINDOWS\System32\perfrmsg.dll


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

With only the Notepad file open for reference

Double-click on Killbox.exe to run it
Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox.
Put a mark next to "Delete on Reboot"
For any .dll file, additionally  put a mark next to "Unregister .dll before deleting"
Click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No"

C:\WINDOWS\System32\tmpf00.exe

C:\WINDOWS\System32\tmpf01.exe

C:\WINDOWS\System32\tmpf02.exe

C:\WINDOWS\system32\mszx23.exe

C:\WINDOWS\system32\akrbaaaa.exe

C:\WINDOWS\system32\alirinmf.exe

C:\WINDOWS\system32\apnaaaaa.exe

C:\WINDOWS\system32\dduekaaa.exe

C:\WINDOWS\system32\gosbbhlx.exe

C:\WINDOWS\System32\tibs3.exe

C:\WINDOWS\system32\gvfpdbgm.exe

C:\WINDOWS\system32\mmxfyaaa.exe

C:\WINDOWS\System32\vkjgbsil.exe

C:\WINDOWS\System32\unregister.exe

C:\WINDOWS\system32\ntnut.exe

C:\WINDOWS\system32\sbvwuaaa.exe

 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winupdate78307018[1].exe

C:\WINDOWS\SYSTEM32\VDMT16.SYS

C:\DOCUME~1\Shield\LOCALS~1\Temp\tmp2.tmp

C:\WINDOWS\System32\dload.exe

C:\WINDOWS\System32\gfldripv.exe

C:\WINDOWS\System32\hz.dll

C:\WINDOWS\System32\perfrmsg.dll

C:\WINDOWS\system32\cz.dll

C:\WINDOWS\system32\fmod.dll


When  you've pasted the last full path of file to delete, Answer YES
And allow the system to Reboot

Please Restart the computer into Safe mode at this time
You can enter safe mode by tapping the F8 key on the keyboard as the computer is booting up


Look for any of these files and delete them if they exist
I may be repeating a few, but look anyway

C:\WINDOWS\system32\mszx23.exe
C:\WINDOWS\system32\Tibs3.exe
C:\WINDOWS\system32\drct16.dll
C:\WINDOWS\system32\cz.dll
C:\WINDOWS\system32\vdmt16.sys
C:\WINDOWS\system32\hz.dll
C:\WINDOWS\system32\winlow.sys
C:\WINDOWS\system32\wz.dll
C:\WINDOWS\system32\p2.ini
C:\WINDOWS\system32\es.
C:\WINDOWS\system32\WaiZ.
C:\WINDOWS\system32\z.
C:\WINDOWS\system32\—I0¢+opes.
C:\WINDOWS\system32\slowIsys.
C:\WINDOWS\system32\zININEwz.
C:\WINDOWS\system32\2Ioso.
C:\WINDOWS\system32\3d.
C:\WINDOWS\system32\|msz.
C:\WINDOWS\system32\cm.dll
C:\WINDOWS\system32\draw32.dll
C:\WINDOWS\system32\hm.sys
C:\WINDOWS\system32\memlow.sys
C:\WINDOWS\system32\vdnt32.sys
C:\WINDOWS\system32\wd.sys

C:\WINDOWS\system32\w32tm.exe <--careful, there is a legitimate file with this name, it will look like this W32TM.exe
Right click on it and select properties
If it's related to
Windows Time Service Diagnostic Tool
Leave it alone

Double click on fixhx.exe you saved earlier to desktop and allow it to merge to the registry

Open Windows CleanUp---START>>All programs>>Cleanup
 and click on the CleanUp button
Let it finish scanning for files>>At the prompt to log off
Restart your computer back to Normal mode

Again double click on fixhx.exe and allow to merge

Go to START>>>Run>>type in REGEDIT
Hit OK
Navigate to this key
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

Left click and Highlight List
Right click on it and EXPORT it
Name it and Save it to a convenient location
Exit the Registry

Navigate to where you saved the Export
Right click on it and choose EDIT
Copy and paste back here the whole contents

Do you see any more files that look similar to this in your System32 folder?
C:\WINDOWS\System32\tmpf00.exe

Delete your copy of Mwav from eScan and redownload it from the link I supplied earlier
Do another scan and post the log from it

Also post back a fresh hijackthis log

[attachment=8:attachment]
« Last Edit: February 06, 2005, 05:30:19 AM by guestolo »



Kotaz

  • Guest
« Reply #7 on: February 06, 2005, 09:00:04 AM »
OK, first, here's the problem: I could not get rid of C:\WINDOWS\system32\es. and C:\WINDOWS\system32\drct16.dll because they were in use. Also, I could not merge that file; it said “the specified file is not a registry script you can only import binary registry files from within the registry editor”, so I could also not export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
But here's the eScan and HJT file. Also, the C:\WINDOWS\System32\tmpf00.exe keeps coming back.

escan
File C:\WINDOWS\System32\tmpf00.exe infected by "Trojan-Dropper.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\WAIZ infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ddmpjpoe.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dload.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\jcuenaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\siptjaaa.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vyhmwdcq.exe infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ùÏ0ó†opes infected by "Backdoor.Win32.Haxdoor.bh" Virus. Action Taken: No Action Taken.

Hjt file:
Logfile of HijackThis v1.99.0
Scan saved at 13:54:35, on 06/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Shield\Desktop\Adware removal stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104698366484
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/fi...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Unknown - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
help plz
« Reply #8 on: February 06, 2005, 03:50:32 PM »
Disable Microsoft's anti-Spyware real-time protections, as it might be getting in the way of any fixes

Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe
Double click and run the installer

Exit out of it after installed

Use this link to ensure you know what entries to remove in the registry
http://securityresponse.symantec.com/avcen....haxdoor.d.html
under the heading
To delete the value from the registry

Double-click on Killbox.exe to run it
Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox.
Put a mark next to "Delete on Reboot"
Click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No"

C:\WINDOWS\System32\tmpf00.exe

C:\WINDOWS\System32\tmpf01.exe

C:\WINDOWS\System32\tmpf02.exe

C:\WINDOWS\SYSTEM32\WAIZ

C:\WINDOWS\System32\ddmpjpoe.exe

C:\WINDOWS\System32\dload.exe

C:\WINDOWS\System32\jcuenaaa.exe

C:\WINDOWS\System32\siptjaaa.exe

C:\WINDOWS\System32\vyhmwdcq.exe

C:\WINDOWS\System32\ùÏ0ó†opes


When you've pasted the last full path of file to delete, answer YES
And allow the system to Reboot

Please Restart the computer into Safe mode at this time
Sign into an account with Administrative privileges

Use Registrar Lite
Anything you have problems with removing or editing
Use the Security tab at the top and Take Ownership

Also navigate again to this one
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

Highlight and Right click on List
Try and export it, if not let me know what you see on the right hand side
« Last Edit: February 06, 2005, 04:35:59 PM by guestolo »
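For reviewing the exported AuthorizedApplications\List key mentioned in the reply above, here is an added example (not part of the original post or of any tool named in it) that parses the export and marks firewall exceptions pointing at the files the reply lists for deletion. It assumes the export is in regedit's `.reg` text format; the sample export and the function names are constructed for illustration.

```python
import re

# Files the reply above asks to delete with Killbox (copied from the post).
FLAGGED = {p.lower() for p in (
    r"C:\WINDOWS\System32\tmpf00.exe",
    r"C:\WINDOWS\System32\tmpf01.exe",
    r"C:\WINDOWS\System32\tmpf02.exe",
    r"C:\WINDOWS\System32\ddmpjpoe.exe",
    r"C:\WINDOWS\System32\dload.exe",
    r"C:\WINDOWS\System32\jcuenaaa.exe",
    r"C:\WINDOWS\System32\siptjaaa.exe",
    r"C:\WINDOWS\System32\vyhmwdcq.exe",
)}

# One "name"="data" line of a .reg export; backslashes and quotes are escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# Firewall exception data: <path>:<scope>:<Enabled|Disabled>:<display name>
RULE_RE = re.compile(r'^(.*?):([^:]*):(enabled|disabled):(.*)$', re.I)

def unescape(s):
    """Undo .reg escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_authorized_apps(reg_text):
    """Return one dict per firewall exception found in an exported List key."""
    rules = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue  # header, key name, blank line, or non-string value
        r = RULE_RE.match(unescape(m.group(2)))
        if not r:
            continue  # string value that is not in the expected rule format
        path, scope, status, name = r.groups()
        rules.append({"path": path, "scope": scope, "name": name,
                      "enabled": status.lower() == "enabled",
                      "flagged": path.lower() in FLAGGED})
    return rules

# Constructed sample export, not taken from the thread.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\WINDOWS\\System32\\dload.exe"="C:\\WINDOWS\\System32\\dload.exe:*:Enabled:dload"
'''

if __name__ == "__main__":
    for rule in parse_authorized_apps(SAMPLE):
        print("REVIEW" if rule["flagged"] else "ok", rule["path"], rule["scope"])
```

A `.reg` file written by regedit is normally UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in.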
