Topic: Alcan virus

Offline Stiggerman

  • Newbie
  • Posts: 7
  • Karma: +0/-0
Alcan virus
« on: April 24, 2006, 09:45:12 PM »
I believe that my computer was infected with the Alcan worm recently. I ran various virus detection software and the situation improved. I can now open the task manager and use ctrl+alt+del. However, I am still getting a lot of pop-ups. I ran the HijackThis scan. I am an admitted computer novice, but I think that I may have a few suspect files. Could someone provide some advice on which files should be fixed or removed? Any help would be greatly appreciated.

Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 10:41:47 PM, on 4/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\pop06ap2.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\?ttrib.exe
C:\DOCUME~1\Brian\MYDOCU~1\ECURIT~1\chkntfs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\unzipped\bfu\HJK.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKLM\..\Run: [t38Q34O] pngadmin.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winhlp.exe] C:\WINDOWS\winhlp.exe
O4 - HKLM\..\Run: [hostren.exe] C:\WINDOWS\hostren.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [wincin] C:\DOCUME~1\Brian\LOCALS~1\Temp\w181609.Stub.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MoneyAgent] ""C:\Program Files\Microsoft Money\System\Money Express.exe""
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NSAgent] C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\51KJW464\SaveKobeGameSetup03[1].exe
O4 - HKCU\..\Run: [iuengine] C:\WINDOWS\System32\iuengine.exe
O4 - HKCU\..\Run: [c0r4RQime] asfdcmsg.exe
O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKCU\..\Run: [Ycikw] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Brian\MYDOCU~1\ECURIT~1\chkntfs.exe" -vt yazr
O4 - HKCU\..\Run: [persys] C:\WINDOWS\System32\persys.exe
O4 - Startup: Backyard Skateboarding Registration.lnk = C:\Documents and Settings\Brian\Local Settings\Temp\{6AEA261E-07E2-4F3A-AF83-869F9FB60E9C}\{37003C6E-DC86-4233-B5CE-665D82DFA7EB}\ATR1.EXE
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.ameritrade.com
O15 - Trusted Zone: *.ameritrade.com
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O15 - Trusted IP range: 198.200.173.74
O15 - Trusted IP range: 198.200.173.139
O15 - Trusted IP range: 204.58.27.33
O15 - Trusted IP range: 204.58.27.41
O15 - Trusted IP range: 204.58.27.49
O15 - Trusted IP range: 204.58.27.57
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121305959250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121307215421
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://secure.photofinale.com/ImageUploade...geUploader3.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O20 - AppInit_DLLs: iniwin32.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\fpl6033se.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iaspolcy - Unknown owner - C:\WINDOWS\System32\iaspolcy.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ssdwbdr.exe (file missing)
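Reading a HijackThis log the way the helpers in this thread do comes down to a few repeatable checks: O4 autorun targets that live in Temp or Temporary Internet Files or under My Documents, bare file names with no path, file names HijackThis prints with a "?", O10 Winsock LSP hijacks, O15 trust-zone additions, O16 ActiveX controls pulled from a bare IP address, O20 AppInit_DLLs and Winlogon Notify hooks, and O23 services with no owner or a missing file. The Python below is an added example, not part of this thread or of HijackThis; the rule names and heuristics are my own, and the sample lines are copied from the log above with one benign Norton entry kept as a control.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted above; the first one is a benign control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [t38Q34O] pngadmin.exe
O4 - HKLM\..\Run: [wincin] C:\DOCUME~1\Brian\LOCALS~1\Temp\w181609.Stub.exe
O4 - HKCU\..\Run: [NSAgent] C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\51KJW464\SaveKobeGameSetup03[1].exe
O4 - HKCU\..\Run: [Ycikw] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Brian\MYDOCU~1\ECURIT~1\chkntfs.exe" -vt yazr
O10 - Hijacked Internet access by New.Net
O15 - Trusted IP range: 198.200.173.74
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O20 - AppInit_DLLs: iniwin32.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\fpl6033se.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ssdwbdr.exe (file missing)
"""

@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    rule: str     # rule identifier (the names are this example's own, not HijackThis terms)
    detail: str   # the value that tripped the rule
    line: str     # the original log line

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable-looking path on a command line, with any leading quotes dropped.
EXE_RE = re.compile(r'^"*(?P<path>.*?\.(?:exe|dll|ocx|com|scr))(?!\w)', re.IGNORECASE)
BARE_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]", re.IGNORECASE)
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "temporary internet files", "\\tempor~1\\")
DOCS_MARKERS = ("\\my documents\\", "\\mydocu~1\\")

def launched_target(cmd: str) -> str:
    """Return the file an O4 command line actually executes."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32"):
        # rundll32 <dll>,<entrypoint> [args]: the DLL is the code that runs.
        rest = cmd.split(None, 1)[1] if " " in cmd else ""
        return rest.split(",", 1)[0].strip('"')
    m = EXE_RE.match(cmd)
    if m:
        return m.group("path")
    return cmd.split()[0].strip('"') if cmd else ""

def check_o4(line: str) -> list:
    """Autorun checks: where the target lives and what it is called."""
    m = O4_RE.match(line)
    if not m:
        return []
    target = launched_target(m.group("cmd"))
    low, name = target.lower(), target.rsplit("\\", 1)[-1]
    out = []
    if "\\" not in target:
        # Bare file name: resolved through the search path, so its origin is unknown.
        out.append(Finding("O4", "unqualified-path", target, line))
    if any(t in low for t in TEMP_MARKERS):
        out.append(Finding("O4", "runs-from-temp", target, line))
    if any(t in low for t in DOCS_MARKERS):
        out.append(Finding("O4", "runs-from-user-docs", target, line))
    if "?" in name or any(ord(c) > 126 for c in name):
        # HijackThis prints '?' for a character it cannot render; here it hides the first letter
        # of what otherwise reads like the system tool attrib.exe.
        out.append(Finding("O4", "unprintable-filename", name, line))
    return out

def check_generic(line: str) -> list:
    """Section-level checks that need no parsed command line."""
    section, _, rest = line.partition(" - ")
    out = []
    if "(file missing)" in line or "(no file)" in line:
        out.append(Finding(section, "orphaned-entry", rest, line))
    if section == "O10":
        out.append(Finding(section, "winsock-lsp-hijack", rest, line))
    elif section == "O15":
        out.append(Finding(section, "trust-zone-addition", rest.partition(": ")[2], line))
    elif section == "O16":
        ip = BARE_IP_URL_RE.search(rest)
        if ip:
            out.append(Finding(section, "activex-from-bare-ip", ip.group(0), line))
    elif section == "O20":
        out.append(Finding(section, "dll-injection-point", rest, line))
    elif section == "O23" and "Unknown owner" in rest:
        out.append(Finding(section, "unowned-service", rest, line))
    return out

def triage(log_text: str) -> list:
    """Run every check over every non-empty log line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(check_o4(line) + check_generic(line))
    return findings

def summarize(findings: list) -> dict:
    """Count findings per rule, for a quick view of what kind of cleanup is needed."""
    return dict(Counter(f.rule for f in findings))
```

Every hit is a review item for a human, not a verdict: a legitimate driver launched by rundll32 with a bare module name trips `unqualified-path` just as a dropper does.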

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Alcan virus
« Reply #1 on: April 24, 2006, 09:49:26 PM »
Can you do the following please
Open HijackThis>>Open the "Misc tools section"
Open the "Uninstall Manager"
Click the SAVE LIST button
Save the list to your desktop then come back here and copy and paste back the whole contents please

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Stiggerman

  • Newbie
  • Posts: 7
  • Karma: +0/-0
Alcan virus
« Reply #2 on: April 25, 2006, 08:30:52 PM »
Here are the contents of the "Uninstall Manager" list.

Thank you.


3D Groove Playback Engine
3D Home Architect® Deluxe 3.0
Ad-Aware SE Personal
Adobe Acrobat 5.0
aspi
AVG Free Edition
Backup  Dell-Installed Programs
Backyard Baseball 2003
Backyard Baseball 2005
Backyard Basketball
Backyard Football 2002
Backyard Skateboarding
CCHelp
CCScore
Charter Pipeline® Self-Installation
CleanUp!
Conexant HCF V90 56K Data Fax PCI Modem
CR2
Cruise Ship Tycoon
Dell Picture Studio - Image Expert 2000
Dell Solution Center
DellTouch
DirectX 9 Hotfix - KB839643
Disney Countdown
Disneys Magic Artist Studio Demo
Disney's Toontown Online
Display Utility
EACOM Game Installer
Easy CD Creator 5 Basic
elitemediagroup
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSTUTOR
ESSvpaht
ESSvpot
Finding Nemo Screen Saver
Harry Potter
Harry Potter II
HijackThis 1.99.1
HLPCCTR
HLPIndex
HLPPDOCK
hp deskjet 940c series (Remove only)
InterActual Player
Internet Explorer Q903235
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Kodak EasyShare software
KSU
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft AntiSpyware
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office PowerPoint Viewer 2003
Microsoft Picture It! Express 7.0
Microsoft Picture It! Photo 2002
Microsoft Streets and Trips 2002
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
Mozilla Firefox (1.5)
My Web Search (Outlook, Outlook Express, and IncrediMail)
Norton AntiVirus 2002
Notifier
NVIDIA Windows 2000/XP Display Drivers
OTtBP
PCDLNCH
PhoneTools
PowerDVD
QuickTime
RealPlayer
RollerCoaster Tycoon 2 Triple Thrill Pack
RollerCoaster Tycoon® 3
Search Assistant - My Web Search
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SFR
SFR2
Shockwave
Skype 1.4
TaxCut 2001
The Print Shop Deluxe III
TP Preview Exclusive Etherium Rescue
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
VCAMCEN
WebIQ Client Software
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See wm828026 for more information]
Windows Overlay Components
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896688
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB897715
Windows XP Hotfix - KB905915
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB912812
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q331953
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
Windows XP Hotfix (SP2) Q819696
Windows XP Service Pack 1a
WinZip
Yahoo! Toolbar
Yazzle Sudoku by OIN
Zoo Tycoon: Complete Collection

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Alcan virus
« Reply #3 on: April 25, 2006, 08:55:15 PM »
Can you do the following please

Access your add/remove programs and remove the following

elitemediagroup
Search Assistant - My Web Search
Windows Overlay Components


Reboot your computer afterwards

Back in Windows

Download and Install Spybot 1.4 from HERE or HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

RESTART the computer to finish any cleaning process

Come back here and post a fresh hijackthis log please



Offline Stiggerman

  • Newbie
  • Posts: 7
  • Karma: +0/-0
Alcan virus
« Reply #4 on: April 26, 2006, 10:11:54 PM »
I was able to remove elitemediagroup.
When I tried to remove Search Assistant - My Web Search, a new window opened that was entirely white.  The title bar of the window read res://c:\Progra~\Mywebs~1\SrchAstt\1.bin\mwssrcas.dll/101.  I could not remove the program.
When I tried to remove Windows Overlay Components, an error box popped up. The title read Uninstaller Error and the message read An error occurred while trying to remove Windows Overlay Components. It may have already been uninstalled. Would you like to remove Windows Overlay Components from the Add or Remove programs list? I couldn't close the box, so I answered no.
I rebooted.
I installed Spybot 1.4, updated it, ran the scan, and fixed the problems.
I restarted the computer.  Spybot did another scan, and I fixed the problems.

Here is the new Hijack this log.

Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 11:06:10 PM, on 4/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\pop06ap2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\?ttrib.exe
C:\DOCUME~1\Brian\MYDOCU~1\ECURIT~1\chkntfs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Documents and Settings\Brian\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKLM\..\Run: [t38Q34O] pngadmin.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winhlp.exe] C:\WINDOWS\winhlp.exe
O4 - HKLM\..\Run: [hostren.exe] C:\WINDOWS\hostren.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MoneyAgent] ""C:\Program Files\Microsoft Money\System\Money Express.exe""
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NSAgent] C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\51KJW464\SaveKobeGameSetup03[1].exe
O4 - HKCU\..\Run: [iuengine] C:\WINDOWS\System32\iuengine.exe
O4 - HKCU\..\Run: [c0r4RQime] asfdcmsg.exe
O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKCU\..\Run: [Ycikw] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Brian\MYDOCU~1\ECURIT~1\chkntfs.exe" -vt yazr
O4 - HKCU\..\Run: [persys] C:\WINDOWS\System32\persys.exe
O4 - Startup: Backyard Skateboarding Registration.lnk = C:\Documents and Settings\Brian\Local Settings\Temp\{6AEA261E-07E2-4F3A-AF83-869F9FB60E9C}\{37003C6E-DC86-4233-B5CE-665D82DFA7EB}\ATR1.EXE
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.ameritrade.com
O15 - Trusted Zone: *.ameritrade.com
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O15 - Trusted IP range: 198.200.173.74
O15 - Trusted IP range: 198.200.173.139
O15 - Trusted IP range: 204.58.27.33
O15 - Trusted IP range: 204.58.27.41
O15 - Trusted IP range: 204.58.27.49
O15 - Trusted IP range: 204.58.27.57
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121305959250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121307215421
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://secure.photofinale.com/ImageUploade...geUploader3.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O20 - AppInit_DLLs: iniwin32.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\fpl6033se.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iaspolcy - Unknown owner - C:\WINDOWS\System32\iaspolcy.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Alcan virus
« Reply #5 on: April 26, 2006, 10:25:19 PM »
Can you do the following please
We're going to do this in steps to get your computer completely clean

First, can you do the following
You may not need this, but you have it just in case!
Download and save to your desktop
Winsockfix XP
Don't run this yet, it's there if needed

Please Disable Microsoft AntiSpyware's realtime protections so it won't interfere in any fixes we try.
Keep this disabled until we know you are clean
Open Microsoft AntiSpyware.
Click on Options>>Settings
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

NEXT:
Download the latest version of Look2Me-Remover.exe by Atribune
and save it to your desktop

* Close all windows before continuing.
* Double-click Look2Me-Remover.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Remover will close and re-open in 1 minute. Click OK
* When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
* Your computer will then shutdown.
* After it has completed the shutdown>>Turn your computer back on.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Back in Windows
Access the following link
http://www.newdotnet.com/removal.html

Read Procedure 4
Save the uninstaller to your desktop as you have internet connection
Close all windows and run the uninstaller
Reboot the computer afterwards

Come back here and post the following
1. Post a fresh Hijackthis log
2. Post the report from Look2Me-Destroyer

NOTE: ONLY if you do have problems with Internet connection afterwards
Then you will want to run the Fix from Winsockfix XP



Offline Stiggerman

  • Newbie
  • Posts: 7
  • Karma: +0/-0
Alcan virus
« Reply #6 on: April 27, 2006, 09:38:42 PM »
I completed all of the directions.  I did not have any problems or error messages.  My internet connection seems fine.

Here is the HijackThis log and the Look2Me-Destroyer report.

Thank you.


Logfile of HijackThis v1.99.1
Scan saved at 10:29:17 PM, on 4/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\pop06ap2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\windows\system32\pldsregq.exe
C:\WINDOWS\System32\?ttrib.exe
C:\DOCUME~1\Brian\MYDOCU~1\ECURIT~1\chkntfs.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\twinmqaf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsz7.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmsuly.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKLM\..\Run: [t38Q34O] pngadmin.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winhlp.exe] C:\WINDOWS\winhlp.exe
O4 - HKLM\..\Run: [hostren.exe] C:\WINDOWS\hostren.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\twinmqaf.exe FI002
O4 - HKLM\..\Run: [{77-78-8E-EF-ZN}] C:\windows\system32\pldsregq.exe FI002
O4 - HKCU\..\Run: [MoneyAgent] ""C:\Program Files\Microsoft Money\System\Money Express.exe""
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NSAgent] C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\51KJW464\SaveKobeGameSetup03[1].exe
O4 - HKCU\..\Run: [iuengine] C:\WINDOWS\System32\iuengine.exe
O4 - HKCU\..\Run: [c0r4RQime] asfdcmsg.exe
O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKCU\..\Run: [Ycikw] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Brian\MYDOCU~1\ECURIT~1\chkntfs.exe" -vt yazr
O4 - HKCU\..\Run: [persys] C:\WINDOWS\System32\persys.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - Startup: Backyard Skateboarding Registration.lnk = C:\Documents and Settings\Brian\Local Settings\Temp\{6AEA261E-07E2-4F3A-AF83-869F9FB60E9C}\{37003C6E-DC86-4233-B5CE-665D82DFA7EB}\ATR1.EXE
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\twinmqaf.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\ZIFI002.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.ameritrade.com
O15 - Trusted Zone: *.ameritrade.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted IP range: 198.200.173.74
O15 - Trusted IP range: 198.200.173.139
O15 - Trusted IP range: 204.58.27.33
O15 - Trusted IP range: 204.58.27.41
O15 - Trusted IP range: 204.58.27.49
O15 - Trusted IP range: 204.58.27.57
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121305959250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121307215421
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://secure.photofinale.com/ImageUploade...geUploader3.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O20 - AppInit_DLLs: iniwin32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iaspolcy - Unknown owner - C:\WINDOWS\System32\iaspolcy.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/27/2006 10:12:13 PM

Infected! C:\WINDOWS\system32\fpl6033se.dll
Infected! C:\WINDOWS\SYSTEM32\ktr6l79s1.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\SYSTEM32\ktr6l79s1.dll
C:\WINDOWS\SYSTEM32\ktr6l79s1.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7DDEA16C-5CE3-4B43-9946-EC1EA5F37DA0}"
HKCR\Clsid\{7DDEA16C-5CE3-4B43-9946-EC1EA5F37DA0}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Offline guestolo

Alcan virus
« Reply #7 on: April 27, 2006, 10:07:44 PM »
Next steps:
Open "My Computer"
Double click to open Local Disk C: drive
Right click an empty spot and left click NEW>>Folder
A new folder will be placed in the C: folder , name it BFU
So you now have C:\BFU

Please download Brute Force Uninstaller
Reminder, choose SAVE rather than OPEN
Then Extract (UNZIP) the contents to the (C:\BFU) folder you just made
So you now have C:\Bfu\bfu.exe

RIGHT CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcanshorty.bfu.
Save it in the folder you made earlier (c:\BFU)
So you now have C:\Bfu\alcanshorty.bfu

==Download and install Windows CleanUp! 4.5.1

==Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" Uncheck
 "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work, you can take a look at the following link to help with
the updating
http://www.ewido.net/en/support/?AID=26

Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!


RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu
In safe mode

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done>>Click Close
DECLINE to Log off or Restart the computer

=Open the C:\BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to alcanshorty.bfu in the C:\BFU folder
Right click alcanshorty.bfu and choose Select
In Brute Force Uninstaller select Execute
Wait for the "complete script execution" box to pop up and press OK.
Press exit to terminate the BFU program.

==Open Ewido Anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to the desktop or someplace you will remember
Exit Ewido
NOTE: When Ewido is running, don't open any other windows, let it run uninterrupted

Do a "System scan only" with Hijackthis and put a check next to these entries:
Not all may be found, but check what you see below

R3 - Default URLSearchHook is missing
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsz7.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmsuly.dll

O4 - HKLM\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKLM\..\Run: [t38Q34O] pngadmin.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winhlp.exe] C:\WINDOWS\winhlp.exe
O4 - HKLM\..\Run: [hostren.exe] C:\WINDOWS\hostren.exe

O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\twinmqaf.exe FI002
O4 - HKLM\..\Run: [{77-78-8E-EF-ZN}] C:\windows\system32\pldsregq.exe FI002

O4 - HKCU\..\Run: [NSAgent] C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\51KJW464\SaveKobeGameSetup03[1].exe
O4 - HKCU\..\Run: [iuengine] C:\WINDOWS\System32\iuengine.exe
O4 - HKCU\..\Run: [c0r4RQime] asfdcmsg.exe
O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKCU\..\Run: [Ycikw] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Brian\MYDOCU~1\ECURIT~1\chkntfs.exe" -vt yazr
O4 - HKCU\..\Run: [persys] C:\WINDOWS\System32\persys.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - Startup: Backyard Skateboarding Registration.lnk = C:\Documents and Settings\Brian\Local Settings\Temp\{6AEA261E-07E2-4F3A-AF83-869F9FB60E9C}\{37003C6E-DC86-4233-B5CE-665D82DFA7EB}\ATR1.EXE
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\twinmqaf.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\ZIFI002.exe

O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://secure.photofinale.com/ImageUploade...geUploader3.cab
O20 - AppInit_DLLs: iniwin32.dll


After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal mode

Post back the following please
1. Post back a fresh hijackthis log
2. Post the whole report from Ewido's you saved earlier


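The triage in Reply #7 rests on structural tells that can be checked mechanically. The Python script below is an added example for this thread, not code from HijackThis or from any tool the posts use. It parses lines in the HijackThis v1.99 format and flags orphaned components ("(file missing)" / "(no file)"), O4 autostarts that run a bare filename, a temp-folder or browser-cache path, a system-tool name outside the Windows directory, or an unprintable character (the `?` in `?ttrib.exe`), O15 Trusted Zone entries outside a small allowlist, O16 downloads from a raw IP address, any AppInit_DLLs value, and O23 services with no publisher. The allowlist, the name sets and the `suspect`/`review` split are the editor's own assumptions; the sample log is constructed from lines excerpted from the log in Reply #6. It deliberately does not judge files that are bad only by name (pop06ap2.exe, twinmqaf.exe), which still need a scanner or a vendor lookup.

```python
"""Triage a HijackThis v1.99 log for the entry classes a removal helper checks
first.  Added example for this thread, not part of HijackThis or of any tool
named in the posts.  The heuristics, allowlist and name sets are the editor's
own assumptions, picked to match the entries Reply #7 asked to have fixed."""
import re

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r'"*(?P<exe>[^"]*?\.exe)', re.IGNORECASE)   # first .exe, quotes skipped
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PATHLESS_OK = {"rundll32.exe"}            # assumption: loaders that legitimately run without a path
SYSTEM_TOOL_NAMES = {"attrib.exe", "chkntfs.exe", "svchost.exe", "lsass.exe",
                     "winlogon.exe", "csrss.exe", "explorer.exe"}   # assumption: names malware copies
TRUSTED_ZONE_ALLOW = ("windowsupdate.com", "microsoft.com")         # assumption: expected sites
TEMP_MARKERS = ("temporary internet files", "\\local settings\\temp", "\\temp\\")


def _host(url):
    """Lowercased host of a URL or bare host, without a leading '*.' wildcard."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower().lstrip("*.")


def _triage_o4(body):
    """O4 autostart: judge the executable, not the registry value name."""
    cmd = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
    m = EXE_RE.search(cmd)
    if not m:                                   # e.g. a .lnk that resolves to '?'
        return None
    exe = m.group("exe")
    name, low = exe.rsplit("\\", 1)[-1], exe.lower()
    if "\\" not in exe and name.lower() not in PATHLESS_OK:
        return "suspect", f"{name}: bare filename, found by PATH search instead of a fixed location"
    if "?" in name or any(ord(c) > 127 for c in name):
        return "suspect", f"{name}: non-ASCII or unprintable character in the name (system-tool lookalike)"
    if any(marker in low for marker in TEMP_MARKERS):
        return "suspect", f"{name}: autostarts from a temp folder or the browser cache"
    if name.lower() in SYSTEM_TOOL_NAMES and "\\windows\\" not in low and "\\winnt\\" not in low:
        return "suspect", f"{name}: system-tool name running outside the Windows directory"
    return None


def triage_line(line):
    """Return (level, reason) for one log line, or None when nothing stands out.
    'suspect' means remove; 'review' means legitimate software also produces this shape."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    low = body.lower()
    if kind in ("O2", "O3", "O9", "O23") and ("(file missing)" in low or "(no file)" in low):
        return "suspect", "registered component whose file is gone: orphaned entry"
    if kind == "O2" and "\\system32\\" in low:
        return "review", "BHO loaded straight from System32; vendor BHOs normally live under Program Files"
    if kind == "O4":
        return _triage_o4(body)
    if kind == "O15":
        if low.startswith("trusted ip range"):
            return "suspect", "raw IP in IE's Trusted Zone: adware installers add these, users almost never do"
        host = _host(body.split(":", 1)[1].split()[0])
        if not any(host == s or host.endswith("." + s) for s in TRUSTED_ZONE_ALLOW):
            return "review", "site in IE's Trusted Zone, where ActiveX runs with almost no prompting"
    if kind == "O16" and IPV4_RE.match(_host(body.rsplit(" - ", 1)[-1])):
        return "suspect", "ActiveX control downloaded from a bare IP address"
    if kind == "O20" and body.split(":", 1)[-1].strip():
        return "suspect", "AppInit_DLLs is set: the DLL is injected into every process that loads user32"
    if kind == "O23" and "unknown owner" in low:
        return "review", "service binary carries no publisher information"
    return None


def triage(log_text):
    """Return [(level, reason, line)] for every line that trips a heuristic."""
    hits = []
    for line in log_text.splitlines():
        verdict = triage_line(line)
        if verdict:
            hits.append((verdict[0], verdict[1], line.strip()))
    return hits


# Constructed sample: lines excerpted from the log in Reply #6, plus known-good
# entries from the same log so the script has negatives to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsz7.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [t38Q34O] pngadmin.exe
O4 - HKCU\..\Run: [NSAgent] C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\51KJW464\SaveKobeGameSetup03[1].exe
O4 - HKCU\..\Run: [Ycikw] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Brian\MYDOCU~1\ECURIT~1\chkntfs.exe" -vt yazr
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O15 - Trusted Zone: http://Download.Windowsupdate.com
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted IP range: 204.58.27.33
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs: iniwin32.dll
O23 - Service: iaspolcy - Unknown owner - C:\WINDOWS\System32\iaspolcy.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
"""

if __name__ == "__main__":
    for level, reason, line in triage(SAMPLE_LOG):
        print(f"[{level}] {reason}\n    {line}")
```

Run with no arguments to triage the embedded sample; for a real log, read the saved hijackthis.log into a string and pass it to `triage()`. Entries marked `review` (the Netropa and ScsiAccess services in this thread, for instance) are exactly the ones a helper leaves alone after confirming the vendor, so the split matters more than the raw count.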

Offline Stiggerman

Alcan virus
« Reply #8 on: April 29, 2006, 08:44:02 PM »
I followed all of the directions.  The Brute Force Uninstaller stopped at 88% complete, and then the program closed.  Here are the 2 new logs.

Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 9:38:29 PM, on 4/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Brian\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MoneyAgent] ""C:\Program Files\Microsoft Money\System\Money Express.exe""
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NSAgent] C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\51KJW464\SaveKobeGameSetup03[1].exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.ameritrade.com
O15 - Trusted Zone: *.ameritrade.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted IP range: 198.200.173.74
O15 - Trusted IP range: 198.200.173.139
O15 - Trusted IP range: 204.58.27.33
O15 - Trusted IP range: 204.58.27.41
O15 - Trusted IP range: 204.58.27.49
O15 - Trusted IP range: 204.58.27.57
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121305959250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121307215421
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O20 - AppInit_DLLs: iniwin32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iaspolcy - Unknown owner - C:\WINDOWS\System32\iaspolcy.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         11:55:53 AM, 4/29/2006
 + Report-Checksum:      D5A11EC5

 + Scan result:

   HKLM\SOFTWARE\Classes\BHO.Adware -> Adware.Ezula : Cleaned with backup
   HKLM\SOFTWARE\Classes\BHO.Adware\CLSID -> Adware.Ezula : Cleaned with backup
   HKLM\SOFTWARE\Classes\BHO.Adware\CurVer -> Adware.Ezula : Cleaned with backup
   HKLM\SOFTWARE\Classes\BHO.Adware.1 -> Adware.Ezula : Cleaned with backup
   HKLM\SOFTWARE\Classes\BHO.Hider -> Adware.Ezula : Cleaned with backup
   HKLM\SOFTWARE\Classes\BHO.Hider\CLSID -> Adware.Ezula : Cleaned with backup
   HKLM\SOFTWARE\Classes\BHO.Hider\CurVer -> Adware.Ezula : Cleaned with backup
   HKLM\SOFTWARE\Classes\BHO.Hider.1 -> Adware.Ezula : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} -> Adware.Generic : Cleaned with backup
   HKLM\SOFTWARE\Classes\IeBHOs.Control -> Adware.E2G : Cleaned with backup
   HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Adware.E2G : Cleaned with backup
   HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Adware.E2G : Cleaned with backup
   HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Adware.E2G : Cleaned with backup
   HKLM\SOFTWARE\ClickSpring -> Adware.PurityScan : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Netstat -> Adware.Ezula : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} -> Adware.Generic : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Adware.Delfin : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor -> Adware.MediaMotor : Cleaned with backup
   C:\Documents and Settings\Brian\Desktop\NNuninstall.exe -> Adware.NewDotNet : Cleaned with backup
   C:\Documents and Settings\Brian\My Documents\Jenn's Downloads\price_08.zip/price.html -> Dropper.RunMe : Cleaned with backup
   C:\Documents and Settings\Brian\My Documents\Jenn's Downloads\price_08.zip/price/price.exe -> Worm.Bagle.al : Cleaned with backup
   C:\Documents and Settings\Brian\My Documents\Jenn's Downloads\screensaversinstaller.exe/CSSecure.dll -> Adware.Comet : Cleaned with backup
   C:\Documents and Settings\Brian\My Documents\Jenn's Downloads\screensaversinstaller.exe/dmproxy.dll -> Adware.Comet : Cleaned with backup
   C:\Documents and Settings\Brian\My Documents\Jenn's Downloads\screensaversinstaller.exe/dmserver.exe -> Adware.Comet : Cleaned with backup
   C:\Documents and Settings\Brian\My Documents\Jenn's Downloads\screensaversinstaller.exe/DMUpdate.exe -> Adware.Comet : Cleaned with backup
   C:\Documents and Settings\Brian\My Documents\Jenn's Downloads\screensaversinstaller.exe/CSSecure.dll -> Adware.Comet : Cleaned with backup
   C:\Documents and Settings\Brian\My Documents\Jenn's Downloads\screensaversinstaller.exe/dmproxy.dll -> Adware.Comet : Cleaned with backup
   C:\Documents and Settings\Brian\My Documents\Jenn's Downloads\screensaversinstaller.exe/dmserver.exe -> Adware.Comet : Cleaned with backup
   C:\Documents and Settings\Brian\My Documents\Jenn's Downloads\screensaversinstaller.exe/DMUpdate.exe -> Adware.Comet : Cleaned with backup
   C:\Documents and Settings\Brian\My Documents\price_08.zip/price.html -> Dropper.RunMe : Cleaned with backup
   C:\Documents and Settings\Brian\My Documents\price_08.zip/price/price.exe -> Worm.Bagle.al : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\0437A465-1DC0-4815-9E5F-568F57\EECE421A-7CC9-46F5-B951-CBB25A -> Adware.Mirar : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\0437A465-1DC0-4815-9E5F-568F57\F29AE417-7919-4A35-A910-A24466 -> Adware.Mirar : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\A74D6733-2782-44FD-B1BF-C4590C\0B3B15D9-3873-4470-B4A5-35638E -> Adware.NewDotNet : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\A74D6733-2782-44FD-B1BF-C4590C\89019EAD-CD0D-4D40-BFF0-493798 -> Adware.NewDotNet : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\A74D6733-2782-44FD-B1BF-C4590C\8EA25652-024B-451E-96F8-FDE847 -> Adware.NewDotNet : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\A74D6733-2782-44FD-B1BF-C4590C\E1FDAB12-CD5C-49E7-BA0A-92A448 -> Adware.NewDotNet : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\A74D6733-2782-44FD-B1BF-C4590C\F4F968D8-CEF3-4062-8C49-58F066 -> Adware.NewDotNet : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\E05288CE-E7B9-462D-B877-7F4B72\9C0F0F4F-5736-4691-A3B8-9D1046 -> Adware.E2Give : Cleaned with backup
   C:\unzipped\price_08\price.html -> Dropper.RunMe : Cleaned with backup
   C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\elite.ocx -> Adware.MediaMotor : Cleaned with backup
   C:\WINDOWS\SYSTEM32\irismon.dll -> Adware.SafeSurfing : Cleaned with backup
   C:\WINDOWS\SYSTEM32\irsmsuly.dll -> Adware.SafeSurfing : Cleaned with backup
   C:\WINDOWS\SYSTEM32\irssyncd.exe -> Adware.SafeSurfing : Cleaned with backup
   C:\WINDOWS\SYSTEM32\nsz7.dll -> Adware.EZula : Cleaned with backup
   C:\WINDOWS\SYSTEM32\repairs302972940.dll -> Adware.SurfSide : Cleaned with backup
   C:\WINDOWS\SYSTEM32\WinATS.dll -> Adware.Mirar : Cleaned with backup
   C:\WINDOWS\SYSTEM32\аttrib.exe -> Adware.PurityScan : Cleaned with backup
   C:\WINDOWS\unstall.exe -> Adware.Zango : Cleaned with backup
   C:\WINDOWS\ZIFI002.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

Offline guestolo

Alcan virus
« Reply #9 on: April 30, 2006, 12:47:06 AM »
You have both Norton's AV and AVG installed
Having more than one AV running in the background can cause conflicts and decrease performance
I suggest that you uninstall one of them
Since you appear to be running an older version of Norton's
I would hold onto AVG and then access your add/remove programs and remove Norton 2002
If you have problems with the removal
Use this link to completely remove it
Norton Support

After it is removed and you have rebooted the computer

Back in Windows
==Download DelDomains.inf from HERE
Save it to your desktop
Don't run it yet
If using a browser such as Firefox, Right click on that link and choose "Save link as.."

==Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file in your root folder>>Local disk C:
So you now have C:\fix.reg <--this is important
Ensure to copy from REGEDIT4 and down in the code box

Code:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NSAgent"=-

[-HKEY_CURRENT_USER\SOFTWARE\PTech]

[-HKEY_CLASSES_ROOT\AppID\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]

[-HKEY_CLASSES_ROOT\AppID\IeBHOs.DLL]

[-HKEY_CLASSES_ROOT\IeBHOs.Control.1]

[-HKEY_CLASSES_ROOT\IeBHOs.Control]

[-HKEY_CLASSES_ROOT\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]

[-HKEY_CLASSES_ROOT\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]

[-HKEY_CLASSES_ROOT\CLSID\{4A5B0528-1EE4-4871-8546-AB34DF31E861}]

[-HKEY_CLASSES_ROOT\CLSID\{4A5B0D43-13BE-4B7C-820E-660CED71CDBF}]

[-HKEY_CLASSES_ROOT\CLSID\{4A5B482D-E087-43C9-8FD6-0F36510CF2B9}]

[-HKEY_CLASSES_ROOT\CLSID\{4A5ADB4F-48EE-4840-8DAB-166A239F7E86}]

[-HKEY_LOCAL_MACHINE\Software\E2G]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g plugin]

[-HKEY_LOCAL_MACHINE\Software\Classes\AppID\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]

[-HKEY_LOCAL_MACHINE\Software\Classes\AppID\IeBHOs.DLL]

[-HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]


Please download The Avenger.zip by Swandog46 to your Desktop.

    * Click on Avenger.zip to open the file
    * Extract avenger.exe to your desktop

Please Print the rest of these instructions so you can follow along easily without opening any browsers after the computer has rebooted

Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C) on your keyboard


Quote
files to delete:
C:\WINDOWS\system32\iniwin32.dll
C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\51KJW464\SaveKobeGameSetup03[1].exe

folders to delete:
C:\Program Files\E2G

Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

programs to launch on reboot:
C:\fix.reg
C:\Documents and Settings\Brian\Desktop\hijackthis.exe
Now, start The Avenger program by clicking on its icon on your desktop

    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the Green Light to begin execution of the script
    * Answer "Yes" twice when prompted.

Avenger should now Reboot your computer
Back in Windows

Your Icons and taskbar won't appear at first, don't be alarmed
and startup may be a bit slower
I've scripted Avenger to run C:\fix.reg and Hijackthis on startup
Not necessarily in that order
At the add/merge prompt to the registry with C:\fix.reg>>>OK it

With Hijackthis
Do a "System scan only" with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O23 - Service: iaspolcy - Unknown owner - C:\WINDOWS\System32\iaspolcy.exe (file missing)


After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Your Icons and taskbar will now appear
Don't open any windows yet
Instead
==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Reboot your computer again

Back in Windows
1. Post a fresh Hijackthis log
2. Post the whole log created by Avenger>>C:\avenger.txt

Could you also do the following
Go to either of these links
http://virusscan.jotti.org/
or
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to this file on your hard disk
C:\WINDOWS\System32\iaspolcy.exe<--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/

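A small checker, added here as an example and not part of the original post or of any tool named in it, that parses a REGEDIT4 fix file like the one above into the actions it will perform (delete key, delete value, set value), collects the GUIDs it touches so they can be cross-checked against a HijackThis log, and refuses a deletion of a whole hive or top-level key. The embedded excerpt is a constructed subset of the fix.reg from the post.

```python
import re

# Constructed subset of the fix.reg from the post above (not the whole file).
FIX_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NSAgent"=-

[-HKEY_CURRENT_USER\SOFTWARE\PTech]
[-HKEY_CLASSES_ROOT\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]
"""

HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def check_key(path, deleting):
    """Reject unknown hives and, for '[-KEY]' lines, anything shallower than
    HIVE\\Level1\\Level2 so a typo cannot wipe out e.g. HKLM\\SOFTWARE."""
    parts = path.split("\\")
    if parts[0] not in HIVES:
        raise ValueError("unknown hive in %r" % path)
    if deleting and len(parts) < 3:
        raise ValueError("refusing to delete top-level key %r" % path)


def plan_reg_file(text):
    """Return (actions, guids): actions is a list of (op, key, value_name) with
    op in {'delete_key', 'delete_value', 'set_value'}; guids is the set of GUIDs touched."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    actions, guids, key = [], set(), None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            guids.update(GUID_RE.findall(body))
            if body.startswith("-"):               # [-KEY] deletes the whole key
                check_key(body[1:], deleting=True)
                actions.append(("delete_key", body[1:], None))
                key = None                         # no values may follow a deletion
            else:                                  # [KEY] selects the key for values below
                check_key(body, deleting=False)
                key = body
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data = m.groups()                # "name"=- deletes that value
            actions.append(("delete_value" if data == "-" else "set_value", key, name))
    return actions, guids
```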

Offline Stiggerman

Alcan virus
« Reply #10 on: April 30, 2006, 06:02:35 AM »
I completed the directions.  I posted the fresh Hijackthis log.  I couldn't find the avenger log.  

I couldn't find a file iaspolcy.exe, but I could find iaspolcy.dll and I scanned this file.

Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 6:49:15 AM, on 4/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Brian\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MoneyAgent] ""C:\Program Files\Microsoft Money\System\Money Express.exe""
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121305959250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121307215421
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE




Antivirus Version Update Result
AntiVir 6.34.0.24 04.20.2006  no virus found
Avast 4.6.695.0 04.28.2006  no virus found
AVG 386 04.28.2006  no virus found
Avira 6.34.1.58 04.29.2006  no virus found
BitDefender 7.2 04.30.2006  no virus found
CAT-QuickHeal 8.00 04.29.2006  no virus found
ClamAV devel-20060202 04.30.2006  no virus found
DrWeb 4.33 04.30.2006  no virus found
eTrust-InoculateIT 23.71.142 04.29.2006  no virus found
eTrust-Vet 12.4.2184 04.28.2006  no virus found
Ewido 3.5 04.30.2006  no virus found
Fortinet 2.71.0.0 04.30.2006  no virus found
F-Prot 3.16c 04.30.2006  no virus found
Ikarus 0.2.59.0 04.29.2006 P2P-Worm.Win32.Polipos.a
Kaspersky 4.0.2.24 04.30.2006  no virus found
McAfee 4751 04.28.2006  no virus found
Microsoft 1.1372 04.30.2006  no virus found
NOD32v2 1.1513 04.29.2006  no virus found
Norman 5.90.17 04.28.2006  no virus found
Panda 9.0.0.4 04.29.2006  no virus found
Sophos 4.05.0 04.29.2006  no virus found
Symantec 8.0 04.30.2006  no virus found
TheHacker 5.9.7.136 04.29.2006  no virus found
UNA 1.83 04.28.2006  no virus found
VBA32 3.11.0 04.29.2006 no virus found

Offline guestolo

Alcan virus
« Reply #11 on: April 30, 2006, 09:42:59 AM »
iaspolcy.dll could very well be a legitimate file, even if one of the scanners came back as possibly bad
Can you navigate to iaspolcy.dll
Right click on it and left click Properties
Click on the version tab and let me know description and copyright please
If copyright is Microsoft, it is probably legit

Avenger log
If you Double click on MyComputer to open it and then double click on Local disk C:
In the C: folder look closely for a text file called avenger.txt

Let me know how everything's running please
Just some final cleanup and we should be done here



Offline Stiggerman

Alcan virus
« Reply #12 on: April 30, 2006, 05:32:42 PM »
For iaspolcy.dll, the description is IAS Pipeline and the copyright is Microsoft Corporation.

The computer is running much better.  I haven't seen any pop-ups lately, and the performance has been really good.

Here is the avenger log.  I had rebooted the computer twice.  I think that the avenger file might have run twice.  This could be the second log.

Thank you.



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tdiivxft

*******************

Script file located at: \??\C:\Documents and Settings\biarolya.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\iniwin32.dll deleted successfully.


Could not open file C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\51KJW464\SaveKobeGameSetup03[1].exe for deletion
Deletion of file C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\51KJW464\SaveKobeGameSetup03[1].exe failed!

Could not process line:
C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\51KJW464\SaveKobeGameSetup03[1].exe
Status: 0xc000003a



Folder C:\Program Files\E2G not found!
Deletion of folder C:\Program Files\E2G failed!

Could not process line:
C:\Program Files\E2G
Status: 0xc0000034

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Program C:\fix.reg successfully set up to run once on reboot.
Program C:\Documents and Settings\Brian\Desktop\hijackthis.exe successfully set up to run once on reboot.

Completed script processing.

*******************

Finished!  Terminate.

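A parser for an avenger.txt like the one just posted, added here as an example and not part of the original thread or of The Avenger itself: it turns each scripted action into a record, attaches the NTSTATUS code of a failed action, and lists only the failures that are not a plain "target already absent", which is the triage a helper does before asking for another run. The embedded log is a constructed, shortened excerpt of the posted one; the two NTSTATUS names are standard Windows constants.

```python
import re

# Constructed, shortened excerpt modelled on the avenger.txt posted above.
AVENGER_LOG = r"""File C:\WINDOWS\system32\iniwin32.dll deleted successfully.
Could not open file C:\Temp\SaveKobeGameSetup03[1].exe for deletion
Deletion of file C:\Temp\SaveKobeGameSetup03[1].exe failed!
Could not process line:
C:\Temp\SaveKobeGameSetup03[1].exe
Status: 0xc000003a
Folder C:\Program Files\E2G not found!
Deletion of folder C:\Program Files\E2G failed!
Could not process line:
C:\Program Files\E2G
Status: 0xc0000034
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Program C:\fix.reg successfully set up to run once on reboot.
"""

# NTSTATUS values seen in the posted log; both mean the target was already gone.
NTSTATUS = {0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
            0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

# Message shapes taken from the posted log: (kind, succeeded, regex).
PATTERNS = [
    ("file", True, re.compile(r"^File (.+) deleted successfully\.$")),
    ("file", False, re.compile(r"^Deletion of file (.+) failed!$")),
    ("folder", False, re.compile(r"^Deletion of folder (.+) failed!$")),
    ("regvalue", True, re.compile(r"^Registry value (.+) replaced with dummy successfully\.$")),
    ("program", True, re.compile(r"^Program (.+) successfully set up to run once on reboot\.$")),
]
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]+)$")


def parse_avenger_log(text):
    """One dict per scripted action (kind, target, ok, status); a 'Status:' line
    is attached to the most recent failed action."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        m = STATUS_RE.match(line)
        if m and results and not results[-1]["ok"]:
            code = int(m.group(1), 16)
            results[-1]["status"] = NTSTATUS.get(code, m.group(1))  # name if known, else raw hex
            continue
        for kind, ok, rx in PATTERNS:
            m = rx.match(line)
            if m:
                results.append({"kind": kind, "target": m.group(1), "ok": ok, "status": None})
                break
    return results


def still_open(results):
    """Failed targets whose status is not a plain 'already absent' and so need another look."""
    return [r["target"] for r in results if not r["ok"] and r["status"] not in NTSTATUS.values()]
```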
Offline guestolo

Alcan virus
« Reply #13 on: May 07, 2006, 02:21:43 PM »
Stiggerman, I'm very sorry for the delay
I totally forgot all about this post :huh:
Can you post back with a fresh hijackthis log and let me know how things are running please
Just have some final recommendations



Offline guestolo

Alcan virus
« Reply #14 on: June 12, 2006, 11:49:13 PM »
Since these issues appear resolved, I'll lock this topic
Take care :)
