
Help

Discussion in 'Web & Email' started by Frost, Apr 21, 2004.

Thread Status:
Not open for further replies.
  1. Frost

    Frost Thread Starter

    Joined:
    Apr 21, 2004
    Messages:
    8
    I need help really bad. I was on my computer yesterday talking with my friend when it froze. So I restarted and tried to connect through AIM and nothing, then I tried to connect on one of my games and it didn't bring anything up. But I can still surf the web.
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    First please get Spybot S&D to clear out most of the spyware.

    Short tutorial and download link here:
    http://tomcoyote.org/SPYBOT/

    Fix everything SpybotSD labels in red.

    Then after reboot:
    Download 'Hijack This!'. http://www.tomcoyote.org/hjt/
    Unzip, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.
     
  3. Frost

    Frost Thread Starter

    Joined:
    Apr 21, 2004
    Messages:
    8
    Logfile of HijackThis v1.97.7
    Scan saved at 11:06:20 PM, on 4/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\FreeRAM XP Pro 1.40.exe
    C:\WINDOWS\System32\iyus\qlnfgnjk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O4 - HKLM\..\Run: [iyus] C:\WINDOWS\System32\iyus\qlnfgnjk.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\FreeRAM XP Pro 1.40.exe" -win
    O8 - Extra context menu item: Download with TrueSpeed Download Manager - C:\Program Files\TrueSpeed\DBooster.htm
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Any help would be appreciated. :)
     
  4. Mr. Peabody

    Mr. Peabody

    Joined:
    Apr 13, 2003
    Messages:
    246
    Greetings Frost:

    While you are waiting for Mobo to read your HJT read-out, you can also download and run Adaware, a spyware program that complements SpyBot.

    http://www.lavasoftusa.com/ Look for the free download (Adaware Build 181).

    Run your antivirus.

    Let Mobo know if any of your original symptoms have changed since running Spybot and Adaware.

    My HJT analysis:

    Frost -- do not take any action on my analysis. I am not an expert on Hijack This. I am trying to learn more about it, so I am submitting my analysis. If I am wrong, one of the other gurus will let me know (for sure).


    I would check here and see if anything unusual is running (although that may be essentially what HJT does.)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    C:\WINDOWS\System32\iyus\qlnfgnjk.exe

    This is suspicious to me. "iyus" is a Yugoslavian word, or Siouan. The file name does not come up on any search. It resides in the Windows file, but it is also running here:
    O4 - HKLM\..\Run: [iyus] C:\WINDOWS\System32\iyus\qlnfgnjk.exe

    It may be a sign of a virus that is renaming itself. Does not show at Norton Knowledge Base either.

    The "O4" codes are autorunning from the registry. I think an expert will advise you to delete this file, and may tell you to check the registry to be sure the entry is gone.

    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    More info about a file bearing the same name may be found here:
    http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html

    This may be adware, so I am curious to learn why SpyBot didn't catch it. See if Adaware6 does.


    Once again, my advice is to not take my advice unless it is confirmed as accurate by someone who knows what he or she is doing.

    Good Luck,

    Mr. Peabody
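
The cross-check discussed in the post above (Run-key "O4" autostart entries compared with the running-process list), as an added example that is not part of the original thread. The "outside Program Files" review flag and the assumption that Windows is installed on C: are this example's own heuristics, and the sample log is constructed from a subset of the lines Frost posted.

```python
import re
from typing import NamedTuple

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\System32\iyus\qlnfgnjk.exe

O4 - HKLM\..\Run: [iyus] C:\WINDOWS\System32\iyus\qlnfgnjk.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [FreeRAM XP] "C:\FreeRAM XP Pro 1.40.exe" -win
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\\w+: \[([^\]]+)\] (.+)$')
# Executable = quoted path, or everything up to the first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)', re.IGNORECASE)

class Autorun(NamedTuple):
    hive: str
    name: str
    exe: str
    running: bool   # also listed under "Running processes:"
    review: bool    # assumption: outside Program Files = look closer, not a verdict

def parse_hjt(log: str) -> list[Autorun]:
    log = log.replace("\r\n", "\n")
    # The process list runs from its heading to the first blank line.
    block = re.split(r"\n\s*\n", log.partition("Running processes:")[2], maxsplit=1)[0]
    procs = {p.strip().lower() for p in block.splitlines() if p.strip()}
    basenames = {p.rsplit("\\", 1)[-1] for p in procs}
    out = []
    for ln in log.splitlines():
        m = O4_RE.match(ln.strip())
        if not m:
            continue
        em = EXE_RE.match(m.group(3))
        exe = (em.group(1) or em.group(2)) if em else m.group(3)
        low = exe.lower()
        # A bare file name (no directory) is compared with process base names.
        running = low in procs if "\\" in low else low in basenames
        trusted = low.startswith(("c:\\program files\\", "c:\\progra~1\\"))
        out.append(Autorun(m.group(1), m.group(2), exe, running, not trusted))
    return out
```

On the sample, every entry except AVG_CC is marked for review, including the two entries the post singles out; a mark only means the file still has to be identified.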
     
  5. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    I as well am suspicious about that file, Mr. Peabody.

    What can be done is click http://www.kaspersky.com/remoteviruschk.html, then browse and navigate to C:\WINDOWS\System32\iyus\qlnfgnjk.exe then click "submit". Wait for the results then post them back here.
     
  6. Frost

    Frost Thread Starter

    Joined:
    Apr 21, 2004
    Messages:
    8
    Hi, thanks for you guys' help. I deleted that file and now I can connect to everything again. You guys are such a big help. Thx both of you, I will find a way to repay you. Thx again!
     
  7. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Now just one more step, Frosty: reboot into safe mode, open Windows Explorer and navigate to C:\WINDOWS\System32\iyus\qlnfgnjk.exe, right-click and delete it if it's still present.
     
  8. Mr. Peabody

    Mr. Peabody

    Joined:
    Apr 13, 2003
    Messages:
    246
    Frost:

    Mobo includes that other important tip about rebooting in safe mode and checking to see if the file is still hanging around.

    Some of the viruses have .exe files embedded that retrigger the virus when the visible files are discovered and deleted. svrsvr.exe is an example of a bad virus that keeps regenerating until you delete it in DOS.

    Welcome to the forum Frost, and just keep reading the posts. There are lots of tips here and plenty of good people that are willing to help out.

    Stay frosty, :rolleyes:

    Mr. Peabody
     
  9. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    There are some that don't regenerate, but if someone did a system restore or scanreg /restore then they would re-infect themselves.
     
Short URL to this thread: https://techguy.org/222724
