Author Topic: virus or something...  (Read 1071 times)

Dylan (Newbie, Posts: 39, Karma: +0/-0)
« on: November 24, 2006, 07:44:22 PM »
Well, there's something up with this computer. When I run Ad-Aware it finds infected things, but when it goes to delete them, the program freezes. Here's the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 7:34:59 PM, on 11/24/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBWEATHERONTRAY.EXE
C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBOEADDON.EXE
C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBINST.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VOLTC\XWJXHF.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RLVKNLG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qing.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...bbTOOqG8QoFfKk=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILE...6QJkoTNDI8f0WI=
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBWEATHERONTRAY.EXE
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\BIN\461~1.0\SBInst.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.exe
O4 - HKLM\..\Run: [Ilntxk] C:\PROGRAM FILES\VOLTC\XWJXHF.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\WINDOWS\TEMP\{14DE1F42-1333-4A1E-8213-9C7619709B73}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzfw003YYUS
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\rlls.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab

guestolo (Site Donator, Administrator, Hero Member, Posts: 16034, Karma: +1/-0)
« Reply #1 on: November 25, 2006, 12:37:53 AM »
http://hijackthis.de/
If you haven't found out yet, you're going to find out soon that the above address is not that accurate.

Can you do the following?
Please supply an uninstall list from HijackThis:
Open HijackThis >> Open MISC TOOLS SECTION >> Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop, then copy >> paste the whole contents back here.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Dylan (Newbie, Posts: 39, Karma: +0/-0)
« Reply #2 on: November 25, 2006, 09:38:26 PM »
ACDSee
Active Alert
Ad-Aware SE Personal
Adobe Reader 6.0.1
After Dark Flying Toasters Free Screen Saver
AOL Instant Messenger
Axis & Allies Iron Blitz
Axis and Allies
BearShare
BitTorrent 5.0.1
BrainWave Generator
BreadieQuest:Halloween v3.0
Conquer 2.0
Curious George Downtown Adventure
Disney's Toontown Online
Downhill Derby
Dreamship Tales
EA SPORTS online 2004
Freaky Freezeday (remove only)
Garfield The Movie Screen Saver
HijackThis 1.99.1
HP Photo Imaging Software
HP Share-to-Web
InCD (ahead software)
Internet Explorer Q891781
Internet Explorer Q903235
J2SE Runtime Environment 5.0 Update 3
Japanese Language Support
LimeWire 4.9.7
Luxury Liner Tycoon
Macromedia Flash Player 8
Macromedia Shockwave Player
media-motor.net
Microsoft .NET Framework 1.1
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Data Access Components KB870669
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Money 2001
Microsoft Outlook Express 6
Microsoft VGX Q833989
Microsoft Works 6.0
Microsoft Works and Money 2001 Setup Launcher
MSN Gaming Zone
MTSaver_v09 ScreenSaver
Nero - Burning Rom
Nestle Snacks Screen Saver
NVIDIA Windows 95/98/ME Display Drivers
Oops Toons - Aquarium screensaver
Outlook Express Q823353
Puzzle Pirates
QuickTime for Windows (16-bit)
RelevantKnowledge
RollerCoaster Tycoon® 3
Scholastic's Math Shop Deluxe
School Tycoon
Screensavers Installer Version 2
SeaWorld Adventure Park Tycoon
Sid Meier's SimGolf
Software Update Manager
Spam Blocker Utility
Spam Blocker Utility Web Tools
Spybot - Search & Destroy 1.4
Sweets Ahoy (remove only)
The Game Of Life
The Sims Makin' Magic
Theme Park World
Tiger Woods PGA TOUR 2004
To The Eds-treme
TONICT
Viewpoint Media Player
WeatherBug
Windows Millennium Edition KB891711 Update
Windows Millennium Edition Q823559 Update
WinRAR archiver
Yahoo! Toolbar

guestolo (Site Donator, Administrator, Hero Member, Posts: 16034, Karma: +1/-0)
« Reply #3 on: November 25, 2006, 10:02:03 PM »
Can you do the following, please?

Download and save to your desktop:
LSPFix.exe
Just leave it there for now; we have it if we need it.

Access your Add/Remove Programs and uninstall all of the following:
Active Alert
media-motor.net
Viewpoint Media Player

Finally, remove
RelevantKnowledge

Reboot your computer afterwards.

Back in Windows:
Post a fresh HijackThis log, please.

NOTE: IF you do happen to lose your internet connection after doing any of the above:
Simply close all open windows
Double click on LSPFix.exe
Select the "Finish" button on the bottom right hand side

Reboot the computer again.



Dylan (Newbie, Posts: 39, Karma: +0/-0)
« Reply #4 on: November 26, 2006, 08:18:32 PM »
Logfile of HijackThis v1.99.1
Scan saved at 8:19:19 PM, on 11/26/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBWEATHERONTRAY.EXE
C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBOEADDON.EXE
C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBINST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.EXE
C:\PROGRAM FILES\VOLTC\XWJXHF.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qing.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...bbTOOqG8QoFfKk=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILE...6QJkoTNDI8f0WI=
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBWEATHERONTRAY.EXE
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\BIN\461~1.0\SBInst.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.exe
O4 - HKLM\..\Run: [Ilntxk] C:\PROGRAM FILES\VOLTC\XWJXHF.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\WINDOWS\TEMP\{14DE1F42-1333-4A1E-8213-9C7619709B73}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzfw003YYUS
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab

guestolo (Site Donator, Administrator, Hero Member, Posts: 16034, Karma: +1/-0)
« Reply #5 on: November 27, 2006, 01:21:48 AM »
Do a "System scan only" with HijackThis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qing.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...bbTOOqG8QoFfKk=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILE...6QJkoTNDI8f0WI=
R3 - URLSearchHook: (no name) - - (no file)

O4 - HKLM\..\Run: [WeatherOnTray] C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBWEATHERONTRAY.EXE
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\BIN\461~1.0\SBInst.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\PROGRAM FILES\POPUPWITHCAST\SEPTPOP06APSEPT.exe
O4 - HKLM\..\Run: [Ilntxk] C:\PROGRAM FILES\VOLTC\XWJXHF.EXE

O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\WINDOWS\TEMP\{14DE1F42-1333-4A1E-8213-9C7619709B73}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzfw003YYUS
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com


After you have ticked the above entries, close all other open windows, including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

Access your Add/Remove Programs and uninstall all of the following:
Spam Blocker Utility
Spam Blocker Utility Web Tools

Reboot the computer.

Back in Windows:
Find and delete the following folders:
C:\PROGRAM FILES\SPAMBLOCKERUTILITY <- folder
C:\Program Files\Save <- folder

Open Spybot 1.4
Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
A green check will indicate a successful download; if it wasn't successful, search for updates again until all are successful.
After the update is complete:

Click the "Search & Destroy" button on the left
"Check for Problems" --- When the scan is complete,
FIX all selected problems in RED

RESTART the computer to finish any cleaning process.

Back in Windows:
Open Ad-Aware, make sure to click the "Check for updates now" link and Connect to download the latest updates.
After the update is successful, click Finish.
Click START >> NEXT

When it's finished scanning:
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox.
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button.

RESTART your computer to finish the cleaning process.

Back in Windows:

Post back a fresh HijackThis log.

Also:
Go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html

Use the Browse button and navigate to this file on your hard drive:

C:\PROGRAM FILES\VOLTC\XWJXHF.EXE <- this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here, please?



Dylan (Newbie, Posts: 39, Karma: +0/-0)
« Reply #6 on: November 27, 2006, 10:48:20 AM »
Logfile of HijackThis v1.99.1
Scan saved at 10:42:29 AM, on 11/27/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab




And the other scan you asked for...

STATUS: FINISHED
Complete scanning result of "Xwjxhf.exe", received in VirusTotal at 11.27.2006, 16:42:22 (CET).

Antivirus            Version          Update       Result
AntiVir              7.2.0.46         11.27.2006   TR/DelProx.A
Authentium           4.93.8           11.24.2006   W32/Downloader.AAW
Avast                4.7.892.0        11.27.2006   Win32:Trojano-1035
AVG                  386              11.27.2006   Small.P
BitDefender          7.2              11.27.2006   Trojan.Small.CY
CAT-QuickHeal        8.00             11.27.2006   Trojan.Small.cy
ClamAV               devel-20060426   11.27.2006   Trojan.Small-158
DrWeb                4.33             11.27.2006   Trojan.DownLoader.1389
eSafe                7.0.14.0         11.27.2006   Suspicious Trojan/Worm
eTrust-InoculateIT   23.73.68         11.27.2006   Win32/Dyfuca.B!Trojan
eTrust-Vet           30.3.3217        11.27.2006   Win32/Dyfuca.B
Ewido                4.0              11.27.2006   Trojan.Small.cy
Fortinet             2.82.0.0         11.27.2006   W32/Small.SN!tr.dldr
F-Prot               3.16f            11.24.2006   security risk named W32/Downloader.AAW
F-Prot4              4.2.1.29         11.24.2006   W32/Downloader.AAW
Ikarus               0.2.65.0         11.27.2006   Trojan.Win32.Small.CY
Kaspersky            4.0.2.24         11.27.2006   Trojan.Win32.Small.cy
McAfee               4904             11.24.2006   potentially unwanted program Adware-DFC
Microsoft            1.1804           11.27.2006   Trojan:Win32/Small.CY
NOD32v2              1885             11.27.2006   Win32/Small.CY
Norman               5.80.02          11.27.2006   no virus found
Panda                9.0.0.4          11.26.2006   Adware/Dyfuca
Prevx1               V2               11.27.2006   no virus found
Sophos               4.11.0           11.16.2006   DFC
TheHacker            6.0.3.124        11.27.2006   Trojan/Small.cy
UNA                  1.83             11.24.2006   Trojan.Win32.Rog.7BDD
VBA32                3.11.1           11.27.2006   Trojan.Win32.Small.cy
VirusBuster          4.3.15:9         11.27.2006   Trojan.Small.ADM

Additional Information
File size: 37512 bytes
MD5: 077a766c4042e002b6bcf60058d015da
SHA1: d38b70950ffe2a8cfd0e0606b88cae8e2849caf8
packers: PETITE


Sorry, that's the only way I knew how to post it.
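
Pasted VirusTotal output of that era loses its table layout, so the engine rows arrive as space-separated lines. The Python below is an added example, not code from the thread or from VirusTotal: it parses each engine row as "<engine> <version> <mm.dd.yyyy> <result...>", treats "no virus found" (or an empty result) as clean, picks up the MD5, SHA1, size and packer lines, and counts how many engines name a given family. The embedded text is the report Dylan posted for Xwjxhf.exe, copied from the post above; because the row regex only relies on whitespace between columns, the same parser reads the report whether it is run together or laid out in aligned columns.

```python
"""Parse a flattened VirusTotal result listing (added example; see lead-in)."""
import re

# The report pasted in the thread for Xwjxhf.exe (copied from the post above).
VT_REPORT = """\
Complete scanning result of "Xwjxhf.exe", received in VirusTotal at 11.27.2006, 16:42:22 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.46 11.27.2006 TR/DelProx.A
Authentium 4.93.8 11.24.2006 W32/Downloader.AAW
Avast 4.7.892.0 11.27.2006 Win32:Trojano-1035
AVG 386 11.27.2006 Small.P
BitDefender 7.2 11.27.2006 Trojan.Small.CY
CAT-QuickHeal 8.00 11.27.2006 Trojan.Small.cy
ClamAV devel-20060426 11.27.2006 Trojan.Small-158
DrWeb 4.33 11.27.2006 Trojan.DownLoader.1389
eSafe 7.0.14.0 11.27.2006 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.68 11.27.2006 Win32/Dyfuca.B!Trojan
eTrust-Vet 30.3.3217 11.27.2006 Win32/Dyfuca.B
Ewido 4.0 11.27.2006 Trojan.Small.cy
Fortinet 2.82.0.0 11.27.2006 W32/Small.SN!tr.dldr
F-Prot 3.16f 11.24.2006 security risk named W32/Downloader.AAW
F-Prot4 4.2.1.29 11.24.2006 W32/Downloader.AAW
Ikarus 0.2.65.0 11.27.2006 Trojan.Win32.Small.CY
Kaspersky 4.0.2.24 11.27.2006 Trojan.Win32.Small.cy
McAfee 4904 11.24.2006 potentially unwanted program Adware-DFC
Microsoft 1.1804 11.27.2006 Trojan:Win32/Small.CY
NOD32v2 1885 11.27.2006 Win32/Small.CY
Norman 5.80.02 11.27.2006  no virus found
Panda 9.0.0.4 11.26.2006 Adware/Dyfuca
Prevx1 V2 11.27.2006  no virus found
Sophos 4.11.0 11.16.2006 DFC
TheHacker 6.0.3.124 11.27.2006 Trojan/Small.cy
UNA 1.83 11.24.2006 Trojan.Win32.Rog.7BDD
VBA32 3.11.1 11.27.2006 Trojan.Win32.Small.cy
VirusBuster 4.3.15:9 11.27.2006 Trojan.Small.ADM

Additional Information
File size: 37512 bytes
MD5: 077a766c4042e002b6bcf60058d015da
SHA1: d38b70950ffe2a8cfd0e0606b88cae8e2849caf8
packers: PETITE
"""

# An engine row: name, version, update date in mm.dd.yyyy, then the verdict text.
_ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{2}\.\d{2}\.\d{4})\s*(?P<result>.*)$"
)
_META_RE = re.compile(r"^(?P<key>File size|MD5|SHA1|packers):\s*(?P<value>.+)$", re.IGNORECASE)
CLEAN_RESULTS = {"", "no virus found"}  # verdict strings that mean "not detected"


def parse_vt_report(text: str) -> dict:
    """Engine rows plus file metadata; the header and banner lines do not match
    the row pattern (their third token is not a date) and are skipped."""
    rows, meta = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _ROW_RE.match(line)
        if m:
            result = m.group("result").strip()
            rows.append({"engine": m.group("engine"), "version": m.group("version"),
                         "updated": m.group("updated"), "result": result,
                         "detected": result.lower() not in CLEAN_RESULTS})
            continue
        m = _META_RE.match(line)
        if m:
            meta[m.group("key").lower()] = m.group("value").strip()
    return {
        "rows": rows,
        "engines": len(rows),
        "detections": sum(1 for r in rows if r["detected"]),
        "clean_engines": [r["engine"] for r in rows if not r["detected"]],
        "md5": meta.get("md5"),
        "sha1": meta.get("sha1"),
        "file_size": int(meta["file size"].split()[0]) if "file size" in meta else None,
        "packers": [p.strip() for p in meta.get("packers", "").split(",") if p.strip()],
    }


def count_mentioning(report: dict, keyword: str) -> int:
    """Number of detecting engines whose verdict contains keyword (case-insensitive)."""
    kw = keyword.lower()
    return sum(1 for r in report["rows"] if r["detected"] and kw in r["result"].lower())
```

On this report `parse_vt_report` gives 26 detections out of 28 engines (Norman and Prevx1 clean), and `count_mentioning` shows 13 engines naming the file as a Small variant, 4 as a downloader and 3 as Dyfuca; the packer line (PETITE) is the same kind of hint that explains why a scanner may choke on the file.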

eXclusive (Full Member, Posts: 201, Karma: +0/-0)
« Reply #7 on: November 27, 2006, 11:33:59 AM »
Before deleting it with Ad-Aware, look in which file that virus is and delete it manually.

Dylan (Newbie, Posts: 39, Karma: +0/-0)
« Reply #8 on: November 28, 2006, 05:26:20 PM »
So, is that all I need to do, guestolo?

guestolo (Site Donator, Administrator, Hero Member, Posts: 16034, Karma: +1/-0)
« Reply #9 on: November 29, 2006, 10:14:26 PM »
Sorry for the delay; power outages and work have left me limited time on the forums.
Go ahead and delete this file, please:
C:\PROGRAM FILES\VOLTC\XWJXHF.EXE

Any other files in the VOLTC folder you don't recognize?

What are you using for antivirus software?
Do you need a free solution?
I have a link to a free one; please let me know.
It is really not safe being online without an active AV running protection in the background.

How is everything running?



Dylan (Newbie, Posts: 39, Karma: +0/-0)
« Reply #10 on: November 30, 2006, 07:44:59 PM »
Everything is running better; I have no AV programs. When I play games it lags, not sure why. Maybe because of the old computer.

guestolo (Site Donator, Administrator, Hero Member, Posts: 16034, Karma: +1/-0)
« Reply #11 on: November 30, 2006, 07:51:47 PM »
Quote: Any other files in the VOLTC folder you don't recognize?

Can you also do the following, please?
Use Internet Explorer and run the online Panda ActiveScan:
    * Once you are on the Panda site, click the Scan your PC button at the bottom of the page.
    * A new window will open... click the big Check Now button.
    * Enter your Country.
    * Enter your State/Province.
    * Enter your e-mail address.
    * Select either "Home User" or "Company".
    * Click the big Scan Now button.
    * Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
    * Click on Local Disks to start the scan.

When the scan is complete, click See Report, then click Save Report and save it to your Desktop.

Post a fresh HijackThis log afterwards and the full report from Panda, please.
« Last Edit: November 30, 2006, 07:53:03 PM by guestolo »
