Tech Support Guy
21 - 31 of 31 Posts
Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
==================

C\documents and settings\owner...etc tells me nothing

==================

Run ActiveScan online virus scan

http://www.pandasoftware.com/products/activescan.htm

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Post a new HiJackThis log along with the results from ActiveScan
 
Discussion starter · #23 ·
Okay, I'm running the scan. I've attempted to several times, but I don't like to leave the internet connected when I leave now and it takes forever! This time I'll wait it out. Sometimes my computer will restart on its own...that interrupts the scan as well. I'm crossing my fingers this time...
 
Discussion starter · #24 ·
It's extremely LONG! I hope you don't mind that I've attached the files instead

I tried to find those files I mentioned. I was denied access to C:\Documents and Settings\Owner, and there are some viruses in there. The ActiveScan said there were like 800 Viruses! It Disinfected many of them, but there are still some I think...
 


It appears that your Norton is not active - remove it in Add/Remove Programs and then

Get the free AVG AntiVirus 7.5 install it, check for updates and run a full scan

AVG 7.5 - http://free.grisoft.com/freeweb.php/doc/2/

A lot of the infection was in Limewire – delete this folder - C:\Program Files\LimeWire

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: (no name) - {C8CD0946-EEED-427D-9343-3FBD192A048A} - C:\WINDOWS\system32\driverj.dll

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\driverj.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
 
Discussion starter · #26 ·
I will certainly do all this this evening, but in addition, would you please advise how I can regain access to my C:\Documents and Settings\Owner folder?

Also, you told me to copy and paste files into kill box and spoke as if there would be multiple lines. I only saw C:\WINDOWS\system32\driverj.dll. Is that correct?
 
Discussion starter · #28 ·
When I downloaded AVG, I got the following "warning messages":

Local machine: installed successfully
Installation:
Warning: Action failed for registry key HKCU\Software\Grisoft (Administrator): creating registry key....
Access is denied. (5)
Warning: Action failed for registry key HKCU\Software\Grisoft\Avg7 (Administrator): creating registry key....
Internal error. Registry handle has not been opened.
Warning: Action failed for registry key HKCU\Software\Grisoft\Clients (Administrator): creating registry key....
Internal error. Registry handle has not been opened.
Warning: Action failed for registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run:AVG7_Run (Administrator): creating registry value....
Access is denied. (5)

I will proceed with your instructions and return with an update.
 
Discussion starter · #29 ·
The file you told me to kill with Killbox did not exist. I Ran the AVG, it found 3 viruses and deleted them.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:28:45 PM, on 2007-06-08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dumprep.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\dwwin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ucr.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181099312078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
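The helper is reading the HijackThis log by hand, picking out O2 BHO entries with no backing file, bare-filename O4 autoruns, Winlogon Notify DLLs and services with no owner string. The following Python script is an added example, not part of this thread or of HijackThis itself: it parses lines in the HijackThis 1.99.1 log format shown above and applies those same triage heuristics. The sample log is constructed from entries in this thread (the two fix lists and the posted log), and the severity rules ("fix", "review", "info") are this example's own assumptions, not HijackThis output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in HijackThis 1.99.1 log format. The entries are copied from
# the log and fix lists in this thread; they are only test input for the parser.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: (no name) - {C8CD0946-EEED-427D-9343-3FBD192A048A} - C:\WINDOWS\system32\driverj.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# One regex per HJT section we care about (section code, then the entry body).
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    severity: str  # "fix", "review" or "info" (this example's own scale)
    entry: str
    reason: str


def _executable(cmd: str) -> str:
    """Return the program part of an autorun command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Apply the thread's manual triage rules to every parsable HJT entry."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, the "Running processes:" block, blanks
        section, body = m.group("section"), m.group("body")

        if section == "O2":
            b = O2_RE.match(body)
            if b and b.group("path") == "(no file)":
                findings.append(Finding("fix", line, "BHO CLSID registered but its DLL is gone (orphan)"))
            elif b and b.group("name") == "(no name)" and "\\system32\\" in b.group("path").lower():
                findings.append(Finding("review", line, "unnamed BHO loading from system32; identify the DLL before fixing"))

        elif section == "O4":
            b = O4_RE.match(body)
            if b:
                exe = _executable(b.group("cmd"))
                # A bare filename is resolved through the PATH search order, so
                # the log alone does not tell you which binary actually runs.
                if "\\" not in exe and ":" not in exe:
                    findings.append(Finding("review", line, f"autorun '{exe}' has no directory; it is found via PATH search order"))

        elif section == "O20":
            if O20_RE.match(body):
                findings.append(Finding("review", line, "Winlogon Notify DLL runs inside winlogon.exe; confirm the vendor"))

        elif section == "O23":
            b = O23_RE.match(body)
            if b and b.group("owner") == "Unknown owner":
                findings.append(Finding("info", line, "service binary carries no company name"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'fix': 1, 'review': 3, 'info': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.entry}\n         {f.reason}")
    print(summarize(results))
```

The rules are deliberately conservative: only an O2 entry whose CLSID points at "(no file)" is marked as a straight fix, because removing an orphan registration cannot break anything; a "(no name)" BHO that does resolve to a DLL in system32 is marked for review, since the same pattern is used by both malware and badly packaged legitimate software, and the DLL should be identified (hash, vendor, scan result) before it is removed.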
 
Discussion starter · #30 ·
Now AVG is telling me I've got a Trojan horse downloader: Trojan horse Downloader.Generic4.FSG located in C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\ Content.IE5\FBPNFDGC\qq[1].exe

I clicked heal and it tells me that action isn't available, access to file has been denied. I really need to know how to get access to C:\Documents and Settings\Owner. I can't get in there to delete these things and it seems like these are the ones hanging around and they probably are downloading more viruses.

What information do you need to help solve this problem? Norton (before you had me delete it) kept telling me of various viruses it could not delete because it couldn't get access to that Owner folder. I feel like this may be the root of the problem. Can we turn our focus to freeing that folder up so I can access it?

Thank you for your help and patience...
 