MyTechSupport.ca :: Your Computer Technical Resource Headquarters!

Author Topic: Friend of mine has a virus.  (Read 1439 times)
toppro77
Sr. Member
« on: July 02, 2008, 06:56:05 PM »

Hello again,
I have a friend that has a virus on his computer. I thought we had it fixed a month ago when I did some scans and repairs, and he claims everything keeps coming back. I did not notice any pop-ups when I was there today, or the "bugs eating his screen" as he calls it, but here is a ComboFix log

ComboFix 07-08-17.2 - "Administrator" 2008-07-02 14:19:43.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.366 [GMT -4:00]


(((((((((((((((((((((((((   Files Created from 2008-06-02 to 2008-07-02  )))))))))))))))))))))))))))))))


2008-06-20 08:59   91,392   --a------   C:\WINDOWS\system32\kweappft.dll
2008-06-17 16:21   <DIR>   d--h-----   C:\WINDOWS\system32\GroupPolicy
2008-06-17 16:21   <DIR>   d--------   C:\WINDOWS\system32\appmgmt
2008-06-17 16:21   <DIR>   d--------   C:\Program Files\PCPrivacyCleaner
2008-06-17 16:21   <DIR>   d--------   C:\Program Files\Common Files\System Doctor
2008-06-17 16:21   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\AXPFixer
2008-06-17 16:21   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\System Doctor
2008-06-11 09:44   <DIR>   d--------   C:\backups
2008-06-07 11:05   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2008-06-05 12:45   218,112   --a------   C:\HijackThis.exe
2008-06-04 17:13   388,608   --a------   C:\WINDOWS\system32\CF5359.exe
2008-06-04 17:13   <DIR>   d--------   C:\ComboFix1
2008-06-04 16:23   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-06-04 16:21   524,288   --ah-----   C:\DOCUME~1\ADMINI~1\ntuser.dat
2008-06-04 16:21   <DIR>   d--hs----   C:\WINDOWS\CSC
2008-06-04 16:07   51,200   --a------   C:\WINDOWS\nircmd.exe
2008-06-03 17:12   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\System Doctor
2008-06-03 16:58   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\System Doctor Free
2008-06-03 16:48   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\System Doctor Free
2008-06-03 16:02   95,232   --a------   C:\WINDOWS\system32\ydhhwgod.dll
2008-06-03 09:44   <DIR>   d--------   C:\DOCUME~1\Owner\.housecall6.6
2008-06-02 15:15   95,232   ---------   C:\WINDOWS\system32\wfdoxhpe.dll
2008-06-02 15:14   393,987   --ahs----   C:\WINDOWS\system32\DNnVuBeg.ini2
2008-06-02 15:14   324,352   --a------   C:\WINDOWS\system32\geBuVnND.dll
2008-06-02 15:14   1,843,200   --a------   C:\DOCUME~1\Owner\ntuser.dat
2008-06-02 14:46   94,208   --a------   C:\WINDOWS\ekaf.exe
2008-06-02 14:46   33,920   --a------   C:\WINDOWS\system32\fccaAPGx.dll
2008-06-02 14:46   160,256   --a------   C:\WINDOWS\system32\blackster.scr


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-07-02 14:16   119396   --ahs----   C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-02 14:16   10096672   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-17 17:47   ---------   d--------   C:\Program Files\HP
2008-05-22 09:47   ---------   d--------   C:\Program Files\Intuit
2008-05-16 17:10   ---------   d--------   C:\Program Files\MSXML 4.0
2008-05-16 14:40   ---------   d--------   C:\Program Files\DAP
2008-05-16 09:39   2560   --a------   C:\WINDOWS\_MSRSTRT.EXE
2008-05-16 09:09   ---------   d--------   C:\Program Files\Messenger
2008-05-15 17:09   ---------   d--------   C:\Program Files\Common Files\Sonic Shared
2008-05-15 17:09   ---------   d--------   C:\Program Files\Common Files\HP
2008-05-15 17:03   ---------   d--------   C:\Program Files\Common Files\Hewlett-Packard
2008-05-15 15:54   ---------   d--------   C:\Program Files\ZoneAlarmSB
2008-04-02 20:07   75248   --a------   C:\WINDOWS\zllsputility.exe
2008-04-02 20:07   1086952   --a------   C:\WINDOWS\system32\zpeng24.dll
2005-12-15 12:03   12288   --a------   C:\WINDOWS\Fonts.\RandFont.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10B5E5C2-8901-4E3C-BF61-AC6E11039292}]
2008-06-02 14:46   33920   --a------   C:\WINDOWS\system32\fccaAPGx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AC3025B-E75F-48F6-B27E-26EF96D2924D}]
2008-06-02 15:14   324352   --a------   C:\WINDOWS\system32\geBuVnND.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-05-15 15:54   262144   --a------   C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 20:07]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"QBCD Autorun"="D:\autorun.exe" []
"0012b58e"="C:\WINDOWS\system32\kweappft.dll" [2008-06-20 08:59]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 13:00:54]
QuickBooks Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [2008-05-22 09:47:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{10B5E5C2-8901-4E3C-BF61-AC6E11039292}"= C:\WINDOWS\system32\fccaAPGx.dll [2008-06-02 14:46 33920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaAPGx]
fccaAPGx.dll 2008-06-02 14:46 33920 C:\WINDOWS\system32\fccaAPGx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBuVnND

R3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 14:22:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2008-07-02 14:24:31
C:\ComboFix-quarantined-files.txt ... 2008-07-02 14:24
C:\ComboFix2.txt ... 2008-06-04 16:13

   --- E O F ---
toppro77
Sr. Member
« Reply #1 on: July 02, 2008, 06:59:15 PM »

Here is an HJT log

Logfile of HijackThis v1.99.1
Scan saved at 2:28:24 PM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\Virus\HiJack This\HijackThis.exe

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first
O4 - HKLM\..\Run: [0012b58e] rundll32.exe "C:\WINDOWS\system32\kweappft.dll",b
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks in advance

Pancake
Global Moderator
Hero Member
« Reply #2 on: July 04, 2008, 11:33:45 PM »


You are using an outdated version of HijackThis. Please uninstall from Add/Remove programs, and delete your current version.



Please download HijackThis to your desktop.

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Alternate link
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe

This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe



=============================

All these are all new. They are not from the old malware.


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote

File::
C:\WINDOWS\system32\fccaAPGx.dll
C:\WINDOWS\system32\geBuVnND.dll
C:\WINDOWS\system32\kweappft.dll
C:\WINDOWS\system32\ydhhwgod.dll
C:\WINDOWS\system32\wfdoxhpe.dll
C:\WINDOWS\system32\DNnVuBeg.ini2
C:\WINDOWS\system32\blackster.scr
Folder::

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaAPGx]
 

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply, please.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*



An Australian Member of

EDDY
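An added example, not part of this thread and not ComboFix's own code: a small Python script that decodes and re-encodes the hex(7) REG_MULTI_SZ value the CFScript above uses to put the LSA "Authentication Packages" value back to msv1_0, and audits a ComboFix "Reg Loading Points" excerpt for the three persistence points that script repairs (Authentication Packages, Winlogon Notify, ShellExecuteHooks). The sample log text is constructed from the entries posted earlier in the thread, and DEFAULT_AUTH_PACKAGES assumes a stock Windows XP install where only msv1_0 belongs in that value.

```python
import re

# Constructed excerpt of a ComboFix "Reg Loading Points" section, modelled on
# the log posted in this thread (key names and paths copied from it).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{10B5E5C2-8901-4E3C-BF61-AC6E11039292}"= C:\WINDOWS\system32\fccaAPGx.dll [2008-06-02 14:46 33920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccaAPGx]
fccaAPGx.dll 2008-06-02 14:46 33920 C:\WINDOWS\system32\fccaAPGx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBuVnND
"""

# Assumption: on a stock Windows XP system only the MSV1_0 package is listed.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def decode_reg_multi_sz(value: str) -> list[str]:
    """Turn a CFScript-style 'hex(7):..' value into its list of strings.

    The script in this thread uses one byte per character (REGEDIT4 style, not
    the UTF-16LE bytes a 'Windows Registry Editor Version 5.00' file would
    carry): every string is NUL-terminated and the list ends with an extra NUL.
    """
    if not value.lower().startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ (hex(7)) value")
    raw = bytes(int(b, 16) for b in value[len("hex(7):"):].split(",") if b.strip())
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def encode_reg_multi_sz(strings: list[str]) -> str:
    """Inverse of decode_reg_multi_sz; yields the form used in the CFScript."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def audit_loading_points(log: str) -> dict[str, list[str]]:
    """Flag the three persistence locations the thread's CFScript had to fix."""
    findings = {"auth_packages": [], "winlogon_notify": [], "shell_execute_hooks": []}
    current_key = ""
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            # Any Winlogon\Notify subkey loads a DLL into winlogon.exe at logon.
            m = re.search(r"\\winlogon\\notify\\(.+)$", current_key, re.I)
            if m:
                findings["winlogon_notify"].append(m.group(1))
            continue
        if not line:
            continue
        key_lc = current_key.lower()
        if key_lc.endswith(r"\control\lsa") and line.startswith('"Authentication Packages"'):
            # REG_MULTI_SZ; ComboFix prints the strings space-separated.
            pkgs = line.split("=", 1)[1].split()
            findings["auth_packages"] += [p for p in pkgs if p.lower() not in DEFAULT_AUTH_PACKAGES]
        elif key_lc.endswith(r"\shellexecutehooks"):
            # Each value is a CLSID naming a DLL that hooks every ShellExecute call.
            m = re.match(r'"\{[0-9a-f-]+\}"=\s*(\S+)', line, re.I)
            if m:
                findings["shell_execute_hooks"].append(m.group(1))
    return findings


if __name__ == "__main__":
    print(audit_loading_points(SAMPLE_LOG))
    # Reproduces the value written by the CFScript in this thread.
    print(encode_reg_multi_sz(["msv1_0"]))
```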
toppro77
Sr. Member
« Reply #3 on: July 07, 2008, 10:40:21 PM »

OK, here is the new ComboFix log

ComboFix 07-08-17.2 - "Administrator" 2008-07-07 16:19:03.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.373 [GMT -4:00]
Command switches used ::  C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE::
C:\WINDOWS\system32\fccaAPGx.dll
C:\WINDOWS\system32\geBuVnND.dll
C:\WINDOWS\system32\kweappft.dll
C:\WINDOWS\system32\ydhhwgod.dll
C:\WINDOWS\system32\wfdoxhpe.dll
C:\WINDOWS\system32\DNnVuBeg.ini2
C:\WINDOWS\system32\blackster.scr


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\DNnVuBeg.ini2
C:\WINDOWS\system32\fccaAPGx.dll
C:\WINDOWS\system32\geBuVnND.dll
C:\WINDOWS\system32\wfdoxhpe.dll
C:\WINDOWS\system32\ydhhwgod.dll


(((((((((((((((((((((((((   Files Created from 2008-06-07 to 2008-07-07  )))))))))))))))))))))))))))))))


2008-07-04 12:29   89,088   --a------   C:\WINDOWS\system32\xtacrfmg.dll
2008-06-17 16:21   <DIR>   d--h-----   C:\WINDOWS\system32\GroupPolicy
2008-06-17 16:21   <DIR>   d--------   C:\WINDOWS\system32\appmgmt
2008-06-17 16:21   <DIR>   d--------   C:\Program Files\PCPrivacyCleaner
2008-06-17 16:21   <DIR>   d--------   C:\Program Files\Common Files\System Doctor
2008-06-17 16:21   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\AXPFixer
2008-06-17 16:21   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\System Doctor
2008-06-11 09:44   <DIR>   d--------   C:\backups
2008-06-07 11:05   221,184   --a------   C:\WINDOWS\system32\wmpns.dll


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-07-07 16:24   11020320   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-07 16:16   130196   --ahs----   C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-17 17:47   ---------   d--------   C:\Program Files\HP
2008-06-05 12:45   218112   --a------   C:\HijackThis.exe
2008-06-02 12:46   94208   --a------   C:\WINDOWS\ekaf.exe
2008-05-22 09:47   ---------   d--------   C:\Program Files\Intuit
2008-05-16 17:10   ---------   d--------   C:\Program Files\MSXML 4.0
2008-05-16 14:40   ---------   d--------   C:\Program Files\DAP
2008-05-16 09:39   2560   --a------   C:\WINDOWS\_MSRSTRT.EXE
2008-05-16 09:09   ---------   d--------   C:\Program Files\Messenger
2008-05-15 17:09   ---------   d--------   C:\Program Files\Common Files\Sonic Shared
2008-05-15 17:09   ---------   d--------   C:\Program Files\Common Files\HP
2008-05-15 17:03   ---------   d--------   C:\Program Files\Common Files\Hewlett-Packard
2008-05-15 15:54   ---------   d--------   C:\Program Files\ZoneAlarmSB
2005-12-15 12:03   12288   --a------   C:\WINDOWS\Fonts.\RandFont.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-05-15 15:54   262144   --a------   C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 13:00:54]
QuickBooks Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe [2008-05-22 09:47:25]

R3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 16:24:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2008-07-07 16:25:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2008-07-07 16:25
C:\ComboFix2.txt ... 2008-07-02 14:24
C:\ComboFix3.txt ... 2008-06-04 16:13

   --- E O F ---

When this was done it gave me an internet address to post a zip file. I didn't do it because you had to sign up for the site. Is it necessary to do this?
« Last Edit: July 07, 2008, 10:45:01 PM by toppro77 »

toppro77
Sr. Member
« Reply #4 on: July 07, 2008, 10:42:21 PM »

Here is a new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:30, on 2008-07-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 2836 bytes


Thanks for your help Pancake.
Pancake
Global Moderator
Hero Member
« Reply #5 on: July 07, 2008, 11:14:12 PM »

This should finish the cleanup...



Quote
When this was done it gave me an internet address to post a zip file. I didnt do it because you had to sign up for the site. Is it necessary to do this?

No.................

=======================================

Download OTMoveIt2: http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

Go to the location where you saved OTMoveIt2 and double click it. (If you're using Vista, right click on it and choose Run as Administrator).
Copy all the information found below. Highlight all of it, right click it and choose Copy.

C:\WINDOWS\system32\xtacrfmg.dll



Next, return to OTMoveIt2 and right click in the "Paste List of Files/Patterns to Search For and Move" window.
Important: Paste only into the bottom input panel (under the yellow bar). The top panel will not help you. Then just right click and choose Paste.
Now, click the red MoveIt button and wait several minutes. When it's finished, look in the large right hand panel that says Results. You should see that at least the principal infector files were deleted and whichever applicable registry changes were made. (They may not all apply in your case). Close OTMoveIt2 when it has finished.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot your computer to finish the move process. If you're asked to reboot, simply choose Yes.
Now, double click and open OTMoveIt2 again. Click the green Clean Up! button at the top. (Note: It will need to access the Internet to download a small script file, so please allow your firewall to do so).
When it finishes, it will have deleted all of its quarantines, as well as the OTMoveIt2 program and all the folders it created. Then just reboot your computer to finish up.

An Australian Member of

EDDY
toppro77
Sr. Member
« Reply #6 on: July 09, 2008, 09:21:13 PM »

I sent my friend the instructions you posted and he is trying to do this himself. I will find out tomorrow if he is able to do it. Last I heard he had the viruses back yesterday, and he restored back to the day I was over and had things fixed. He says all is running great now that he restored back to the day I was there.
Pancake
Global Moderator
Hero Member
« Reply #7 on: July 09, 2008, 11:55:02 PM »

I think it would be best if he posted here rather than going through you.

An Australian Member of

EDDY