Help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Frost

Thread Starter
Joined
Apr 21, 2004
Messages
8
I need help really bad. I was on my computer yesterday talking with my friend when it froze. So I restarted and tried to connect through AIM and nothing, then I tried to connect on one of my games and it didn't bring anything up. But I can still surf the web.
 
Joined
Feb 23, 2003
Messages
16,274
First please get Spybot S&D to clear out most of the spyware.

Short tutorial and download link here:
http://tomcoyote.org/SPYBOT/

Fix everything SpybotSD labels in red.

Then after reboot:
Download 'Hijack This!'. http://www.tomcoyote.org/hjt/
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
 

Frost

Thread Starter
Joined
Apr 21, 2004
Messages
8
Logfile of HijackThis v1.97.7
Scan saved at 11:06:20 PM, on 4/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\System32\iyus\qlnfgnjk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [iyus] C:\WINDOWS\System32\iyus\qlnfgnjk.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [FreeRAM XP] "C:\FreeRAM XP Pro 1.40.exe" -win
O8 - Extra context menu item: Download with TrueSpeed Download Manager - C:\Program Files\TrueSpeed\DBooster.htm
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

any help would be appreciated. :)
 
Joined
Apr 13, 2003
Messages
246
Greetings Frost:

While you are waiting for Mobo to read your HJT read-out, you can also download and run Adaware, a spyware program that complements SpyBot.

http://www.lavasoftusa.com/ Look for the free download (Adaware Build 181).

Run your antivirus.

Let Mobo know if any of your original symptoms have changed since running Spybot and Adaware.

My HJT analysis:

Frost -- do not take any action on my analysis. I am not an expert on Hijack This. I am trying to learn more about it, so I am submitting my analysis. If I am wrong, one of the other gurus will let me know (for sure).


I would check here and see if anything unusual is running (although that may be essentially what HJT does.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


C:\WINDOWS\System32\iyus\qlnfgnjk.exe

This is suspicious to me. "iyus" is a Yugoslavian word, or Siouan. The file name does not come up on any search. It resides in the Windows file, but it is also running here:
O4 - HKLM\..\Run: [iyus] C:\WINDOWS\System32\iyus\qlnfgnjk.exe

It may be a sign of a virus that is renaming itself. Does not show at Norton Knowledge Base either.

The "O4" codes are autorunning from the registry. I think an expert will advise you to delete this file, and may tell you to check the registry to be sure the entry is gone.

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
More info about a file bearing the same name may be found here:
http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html

This may be adware, so I am curious to learn why SpyBot didn't catch it. See if Adaware6 does.


Once again, my advice is to not take my advice unless it is confirmed as accurate by someone who knows what he or she is doing.

Good Luck,

Mr. Peabody
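
Added example, not part of any post in this thread: a small Python parser that expands the `O4` autorun lines of a HijackThis log to the full registry key named above and checks each target against the log's "Running processes" section. The sample input is an excerpt of the log posted earlier; the function names are illustrative, and paths are compared as plain strings, so an 8.3 short name will not match its long form.

```python
import re
from ntpath import basename  # Windows path rules on any OS
# Excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\System32\iyus\qlnfgnjk.exe

O4 - HKLM\..\Run: [iyus] C:\WINDOWS\System32\iyus\qlnfgnjk.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [FreeRAM XP] "C:\FreeRAM XP Pro 1.40.exe" -win
"""
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
BASE = r"SOFTWARE\Microsoft\Windows\CurrentVersion"  # what "\..\" abbreviates
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)\b', re.IGNORECASE)

def running_processes(log):
    """Lower-cased paths between 'Running processes:' and the next blank line."""
    lines = [l.strip() for l in log.splitlines()]
    procs = []
    for line in lines[lines.index("Running processes:") + 1:]:
        if not line:
            break
        procs.append(line.lower())
    return procs

def autoruns(log):
    """Parse O4 Run entries; mark whether each target is in the process list."""
    procs = running_processes(log)
    names = {basename(p) for p in procs}
    found = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m["cmd"])
        path = (exe["q"] or exe["u"]) if exe else m["cmd"]
        # A bare file name has no directory, so it can only be matched by name.
        pool = procs if "\\" in path else names
        found.append({"key": f'{HIVES[m["hive"]]}\\{BASE}\\{m["key"]}',
                      "name": m["name"], "path": path,
                      "running": path.lower() in pool})
    return found
```

On this excerpt the `SysUpd` entry is registered to start but its executable is not in the process list, while the `iyus` entry is both registered and running.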
 

Frost

Thread Starter
Joined
Apr 21, 2004
Messages
8
Hi, thanks for your guys' help. I deleted that file and now I can connect to everything again. You guys are such a big help. Thx both of you, I will find a way to repay you. Thx again!
 
Joined
Feb 23, 2003
Messages
16,274
Now just one more step, Frosty... reboot into safe mode, open Windows Explorer and navigate to C:\WINDOWS\System32\iyus\qlnfgnjk.exe, right-click and delete if it's still present.
 
Joined
Apr 13, 2003
Messages
246
Frost:

Mobo includes that other important tip about rebooting in safe mode and checking to see if the file is still hanging around.

Some of the viruses have .exe files imbedded that retrigger the virus when the visible files are discovered and deleted. svrsvr.exe is an example of a bad virus that keeps regenerating until you delete it in DOS.

Welcome to the forum Frost, and just keep reading the posts. There are lots of tips here and plenty of good people that are willing to help out.

Stay frosty, :rolleyes:

Mr. Peabody
 
Joined
Feb 23, 2003
Messages
16,274
There are some that don't regenerate, but if someone did a system restore or scanreg /restore then they would re-infect themselves.
 