Author Topic: Crippled Computer. Save it or Wipe it?  (Read 3055 times)
elsancheezmo
Jr. Member
« on: August 28, 2005, 03:41:27 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: XP Pro
Problem Application Name & Version: Security Issues
Problem Hardware Make & Model: AMD 3400+
Error Messages:  


Hi - Brand new machine. Installed OS myself and by the time I connected it to register my copy of XP Pro and get the updates, something evil of course got inside and won't let go. I have SP2 installed and now have PC-cillin IS 2005 running to protect from FURTHER problems, but I can't get rid of the original infiltration. According to Spybot, every time I boot, I get things like:

WWWCoolsearch
Abetterinternet
Abetterinternet.Aurora
etc....

but I also get

WindowsSecurity.AntivirusOverride, FirewallOverride, etc...

If I boot in safe mode, I only get a few spyware but in full mode, I get a ton of ****, including those ominous ones related to security.

In safe mode I've removed any programs that installed themselves as well as deleted files lurking on the C: drive, but somewhere in the start up, evil lurks.

In full mode the network is crippled. It works fine in safe mode. Software, including Spybot and PC-cillin, works fine in full mode. Of course I can't update my PC-cillin without a network connection and PC-cillin doesn't work in safe mode......

My inclination is to start over, but I don't know how to wipe my drive, ensuring I get rid of everything and not damage the BIOS.  I do have the BIOS on CD and all drivers, etc.....

HELP!
Logged

 
sUBs
Global Moderator
« Reply #1 on: August 28, 2005, 04:20:18 PM »

Your problem is fixable. I require a HijackThis log from you.

Download HiJackThis.exe - this program will help us determine if there are any spyware/malware on your computer.  
Create a folder at C:\Program Files\HijackThis and move HiJackThis.exe there.  
Double click on the program to run it.

1. If it gives you an intro screen, just choose [Do a system scan and save a logfile].
2. If you don't get the intro screen, just hit [Scan] and then click on [Save log].
3. Post the HiJackThis.log file here.
Logged

 
elsancheezmo
Jr. Member
« Reply #2 on: August 28, 2005, 04:36:28 PM »

COOL, THANKS!

Logfile of HijackThis v1.99.1
Scan saved at 12:34:44 PM, on 8/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ulqrvmu.exe
C:\WINDOWS\explorer.exe
C:\Program Files\InterPoker\Poker.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
C:\WINDOWS\System32\Rpcmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.esearch2005.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [HF Security] hfsecure.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [779j36R] redcatq.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Windows Security Service] windows.pif
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [ichrbh] C:\WINDOWS\system32\ulqrvmu.exe r
O4 - HKLM\..\RunServices: [HF Security] hfsecure.exe
O4 - HKLM\..\RunServices: [Windows Security Service] windows.pif
O4 - HKCU\..\Run: [Windows Security Service] windows.pif
O4 - HKCU\..\RunServices: [Windows Security Service] windows.pif
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124794849937
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D701708-8C53-450B-ADF7-34C19C502413}: NameServer = 64.83.0.10,64.83.1.10
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Logged

 
elsancheezmo
Jr. Member
« Reply #3 on: August 29, 2005, 02:08:35 AM »

PC-cillin didn't detect anything in full mode.  Here's what BitDefender picked up in safe mode:  WOW!

BitDefender Online Scanner - Real Time Virus Report
Generated at: Sun, Aug 28, 2005 - 22:00:00

Scan Info
Scanned Files: 62033
Infected Files: 245

Virus Detected (name: count)
Trojan.Downloader.Dyfuca.DE: 5
Backdoor.Irc.Sdbot.72: 3
GenPack:Adware.Opti.A: 2
Trojan.Downloader.Dyfuca.EG: 2
Adware.POP.dl: 2
GenPack:Trojan.Downloader.Dyfuca.EI: 6
Trojan.Dropper.Small.QN: 2
Adware.180Solutions.5.11: 4
GenPack:Backdoor.SDBot.07170797: 2
Trojan.Bettinet.AJ: 2
GenPack:Backdoor.SDBot.F12601F2: 1
Trojan.Clicker.Aura.A: 3
Application.Adware.Sidefind.A: 5
Trojan.Rootkit.Agent.AE: 27
Application.Adware.Sidefind.B: 5
Trojan.Downloader.Agent.HW: 2
Trojan.Downloader.Adload.A: 2
Adware.EliteBar.B: 23
Trojan.Downloader.IstBar.IJ: 5
Trojan.Aproposad.C: 1
Trojan.Startpage.SM: 13
Backdoor.Rbot.ZJ: 1
Exploit.Based.Worm.Gen: 3
Trojan.Downloader.Istbar.GI: 4
Trojan.Downloader.IstBar.JM: 6
Trojan.Downloader.Agent.EX: 2
Trojan.Isbar.294: 6
Trojan.Dyfuca.52104.B: 2
Backdoor.SdBot.ADY: 2
Trojan.Startup.Nameshifter.ZWQ: 1
Trojan.Purityad.BP: 1
Trojan.Winad.R: 14
Trojan.Downloader.Apropo.G: 1
Trojan.Rootkit.L: 26
JS.Trojan.Downloader.IstBar.A: 1
Trojan.WinAd.48128: 8
Trojan.Downloader.Small.AQT: 21
Trojan.Aproposad.I: 2
Trojan.WinAd.71680: 8
Trojan.WinREG.LowZones.F: 6
Trojan.Downloader.Dyfuca.DD: 3
Trojan.Winad.20996.A: 8
Trojan.Lowzone.AA: 2

Logged

 
elsancheezmo
Jr. Member
« Reply #4 on: August 29, 2005, 02:43:15 AM »

New BitDefender scan....can't shake these two Trojans:  New HiJack report follows.  Please help!


BitDefender Online Scanner - Real Time Virus Report
Generated at: Sun, Aug 28, 2005 - 22:35:39

Scan Info
Scanned Files: 62155
Infected Files: 7

Virus Detected (name: count)
Trojan.Purityad.BP: 1
Trojan.WinREG.LowZones.F: 6

Logfile of HijackThis v1.99.1
Scan saved at 10:36:31 PM, on 8/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ulqrvmu.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.esearch2005.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [HF Security] hfsecure.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [779j36R] redcatq.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Windows Security Service] windows.pif
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [ichrbh] C:\WINDOWS\system32\ulqrvmu.exe r
O4 - HKLM\..\RunServices: [HF Security] hfsecure.exe
O4 - HKLM\..\RunServices: [Windows Security Service] windows.pif
O4 - HKCU\..\Run: [Windows Security Service] windows.pif
O4 - HKCU\..\RunServices: [Windows Security Service] windows.pif
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124794849937
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D701708-8C53-450B-ADF7-34C19C502413}: NameServer = 64.83.0.10,64.83.1.10
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Performance Logs (Perfhmon) - Unknown owner - C:\WINDOWS\system32\Perfhmon.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Logged

 
elsancheezmo
Jr. Member
« Reply #5 on: August 29, 2005, 05:46:18 AM »

OK.  I disabled my system restore and ran BitDefender, TrendMicro and Panda.  All come up clean for virus.  BitDefender detects spyware but doesn't clean it.  SpyBot only picks up 'Abetterinternet'. Here's my latest HiJack log:  Please help! - Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 1:42:00 AM, on 8/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ulqrvmu.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.esearch2005.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [HF Security] hfsecure.exe
O4 - HKLM\..\Run: [779j36R] redcatq.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Windows Security Service] windows.pif
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [ichrbh] C:\WINDOWS\system32\ulqrvmu.exe r
O4 - HKLM\..\RunServices: [HF Security] hfsecure.exe
O4 - HKLM\..\RunServices: [Windows Security Service] windows.pif
O4 - HKCU\..\Run: [Windows Security Service] windows.pif
O4 - HKCU\..\RunServices: [Windows Security Service] windows.pif
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124794849937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D701708-8C53-450B-ADF7-34C19C502413}: NameServer = 64.83.0.10,64.83.1.10
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Performance Logs (Perfhmon) - Unknown owner - C:\WINDOWS\system32\Perfhmon.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Logged

 
elsancheezmo
Jr. Member
« Reply #6 on: August 29, 2005, 01:16:26 PM »

OK. I ran Ad-Aware SE until it was clean and then ran Ewido. Ewido got over 100 hits, and I started to remove the more obvious files, but I can't be sure on some of them. I could really use more help. I can post a new HiJack log and Ewido scan if someone is willing to help me? Thanks!
Logged

 
sUBs
Global Moderator
« Reply #7 on: August 29, 2005, 02:48:29 PM »

Sorry about this. Didn't mean to leave you out in the lurch.

I'm subscribed to this thread but I haven't been receiving notifications of your postings. Only found out about your posts when I accidentally clicked on this thread.

Don't do anything yet. I'll be right back with a fix for you.

sUBs
Logged

 
sUBs
Global Moderator
« Reply #8 on: August 29, 2005, 03:29:55 PM »

You may have run some of these tools before. But I need you to run them again. They must be run in the order designated by me. Do not deviate from this or the fix will not work.


Please download these additional files/programs.  Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp! - Install.

KillBox v2.0.0.175

rdrivRem.zip - Unzip to a new folder

LQFix  & unzip the contents to a new folder.

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.



Download Lavasoft's Ad-Aware & its recently updated plug-in - VX2 Cleaner

Install both using the default options & then update Ad-Aware with the latest definitions.
Click on Add-ons in the left-hand column & select - VX2 Cleaner V2.0
Click Run Tool >>  "OK"
If something is found, click "Clean" as in the directions given.  
Click "Close", and exit Ad-Aware.


UNPLUG YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


Please save the following instructions in Notepad. I have customised my instructions on the assumption that you have Notepad 'on'. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your question(s) before proceeding with the fixes. There should not be any open browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • end Explorer shell while killing file
  • unregister dll before deleting * if it's not grayed out
Select all the filenames below & then click on Notepad's 'Edit' menu & select Copy
    FILE DELETION LIST    
*  Go to the File menu, and choose Paste from Clipboard
*  Click on the dropdown menu next to Full Path of File to Delete field.
*  Verify that the filenames you pasted are found there
*  Click the RED X button.
*  Click Yes at the Delete on Reboot prompt.
*  Click Yes at the 'Pending Operations prompt'.

# If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually .

# If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next, please reboot your computer in SafeMode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
    Surf Accuracy      

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Double click on LQFix.zip &  Run LQFix.bat

Double-click rdrivRem.bat to run the program - follow the instructions on the screen.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Click Start->Run - type SERVICES.MSC & then click on the OK button
 Locate the service - AOL Instant Messanger (AIM)    
 Double-click on it to open the Properties dialog.
 Stop the service by using the Stop button.
 Change the Startup type to Disabled & then click on the OK button

 Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
 In the popup box that appears, type in AIM   & then click on the OK button

Repeat the above steps for the following service(s) :-
    netinfo    

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


CLOSE ALL OTHER PROGRAMS & ALL OPEN WINDOWS

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.esearch2005.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [HF Security] hfsecure.exe
O4 - HKLM\..\Run: [779j36R] redcatq.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Windows Security Service] windows.pif
O4 - HKLM\..\Run: [ichrbh] C:\WINDOWS\system32\ulqrvmu.exe r
O4 - HKLM\..\RunServices: [HF Security] hfsecure.exe
O4 - HKLM\..\RunServices: [Windows Security Service] windows.pif
O4 - HKCU\..\Run: [Windows Security Service] windows.pif
O4 - HKCU\..\RunServices: [Windows Security Service] windows.pif
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe (file missing)  



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\SurfAccuracy\        
Locate and delete the following files:
  • C:\WINDOWS\aim.exe
    C:\WINDOWS\netinfo.exe            
Search for & delete ... using Start> Search... the following files:
  • hfsecure.exe
    redcatq.exe
    windows.pif  

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Launch Ad-Aware & click on the Start button
Select "Perform smart system scan" and click Next.  
Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects").  Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK".  


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with  Panda ActiveScan
  1. Click [Scan your PC] & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click [Scan Now]
  3. Enter your e-mail address & click [Scan Now] ...begins downloading 8 MB Panda's ActiveX controls  
  4. Begin the scan by selecting My Computer
    • If it finds any malware, it will offer you a report.
    • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download Trend Micro
Logged
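Added example, not from this thread, from HijackThis or from any vendor named here: a small Python triage script that applies the heuristics behind the moderator's fix list above to a HijackThis v1.99 log (bare autorun filenames, a .pif as a startup program, a chained Shell= line, Trusted Zone additions, ActiveX downloads from unlisted sites, services with an unknown owner or missing binary). The sample log lines are constructed from the format shown in this thread, and the vendor-domain allowlist is an assumption; the script only reads and reports, it changes nothing on the machine.

```python
"""Triage helper for HijackThis v1.99 logs (added example, read-only)."""
import re

# Assumption: ActiveX (O16) downloads from these vendor domains are expected.
KNOWN_DPF_DOMAINS = ("microsoft.com", "trendmicro.com", "bitdefender.com",
                     "pandasoftware.com")

# First program path in an autorun value, quoted or not, with optional arguments.
EXE_RE = re.compile(r'^"?(.+?\.(exe|pif|com|bat|scr))"?(\s|$)', re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Constructed sample in the HijackThis log format seen in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.esearch2005.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [HF Security] hfsecure.exe
O4 - HKLM\..\Run: [Windows Security Service] windows.pif
O4 - HKLM\..\RunServices: [HF Security] hfsecure.exe
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
"""


def _domain(text):
    """Host part of the first http(s) URL in text, lower-cased, or '' if none."""
    m = URL_RE.search(text)
    return m.group(1).lower() if m else ""


def check_line(line):
    """Return a reason string if a HijackThis log line looks suspicious, else None."""
    line = line.strip()
    kind, sep, rest = line.partition(" - ")
    if not sep:
        return None  # header or running-process line, not a numbered entry
    if kind in ("R0", "R1"):
        value = rest.partition(" = ")[2].strip()
        if value.lower() == "about:blank":
            return "IE search setting blanked out"
        if not _domain(value).endswith("microsoft.com"):
            return "IE search setting points at a third-party site"
    elif kind == "R3" and "missing" in rest:
        return "default URLSearchHook removed"
    elif kind == "F2" and "Shell=" in rest:
        shell = rest.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "extra program chained onto the Explorer shell"
    elif kind == "O4":
        m = re.search(r"\\(Run\w*): \[[^\]]*\] (.*)$", rest)
        if m:
            target = m.group(2).strip()
            exe = EXE_RE.match(target)
            path = exe.group(1) if exe else target
            if path.lower().endswith(".pif"):
                return "autorun entry is a .pif, not a program file"
            if "\\" not in path:
                return "autorun entry names a bare file found via the search path"
    elif kind == "O15":
        return "site added to the Trusted Zone (fewer browser restrictions)"
    elif kind == "O16":
        dom = _domain(rest)
        if not any(dom == d or dom.endswith("." + d) for d in KNOWN_DPF_DOMAINS):
            return "ActiveX control downloaded from an unlisted site"
    elif kind == "O23" and ("Unknown owner" in rest or "(file missing)" in rest):
        return "service with unknown owner or missing binary"
    return None


def triage(log_text):
    """Run check_line over a whole log; return [(kind, reason, line), ...]."""
    findings = []
    for raw in log_text.splitlines():
        reason = check_line(raw)
        if reason:
            findings.append((raw.strip().split(" - ", 1)[0], reason, raw.strip()))
    return findings


def bare_autorun_files(findings):
    """Filenames from flagged O4 entries: what to look for with Start > Search."""
    names = set()
    for kind, reason, line in findings:
        if kind == "O4" and ("bare file" in reason or ".pif" in reason):
            target = re.search(r"\] (.*)$", line).group(1).strip()
            exe = EXE_RE.match(target)
            names.add((exe.group(1) if exe else target).lower())
    return names


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, reason, line in found:
        print(f"[{kind}] {reason}\n    {line}")
    print("search for:", ", ".join(sorted(bare_autorun_files(found))))
```

Run it against a saved HijackThis.log by reading the file into triage(); the flagged list is a starting point for review, not a verdict.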

 
elsancheezmo
Jr. Member
« Reply #9 on: August 30, 2005, 04:04:29 PM »

Thanks! I didn't do it exactly as you said, as other professionals have other opinions and I'm sure there's more than one way to skin a cat, right? After modifications I ran Trend Micro, BitDefender and Panda and all came up clean for viruses. Panda picks up some adware and 2 dialers, but doesn't clean them. Ad-Aware is also clean and Ewido picks up nothing at all. Here's my latest HiJack log. I noticed that you recommend removing different files, such as the esearch2005. The computer runs fine now, but I'd be interested in your opinion of any further treatment/modifications to perform.

I'm running PC-cillin IS 2005 at full speed and will keep Ad-Aware and SpyBot fresh and my temp files to a minimum.  Anything else?  Do you have a browser recommendation?


Logfile of HijackThis v1.99.1
Scan saved at 10:11:31 AM, on 8/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.esearch2005.com/sp2.php
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1124794849937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/active...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D701708-8C53-450B-ADF7-34C19C502413}: NameServer = 64.83.0.10,64.83.1.10
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Logged

 
sUBs
Global Moderator
« Reply #10 on: September 02, 2005, 09:32:08 PM »

Go to this site - http://www.mvps.org/winhelp2002/hosts.htm

Read through what it has to say...

Then click on the link that says "To view the HOSTS file in plain text form"

When that link opens, do a search for "www.esearch2005.com"
Logged

 