
Solved: Had Virus, I think I got rid of it?

Discussion in 'Virus & Other Malware Removal' started by Tedejc, Jan 3, 2006.

Thread Status:
Not open for further replies.
  1. Tedejc

    Tedejc Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    379
    As soon as I got it, everything slowed down, and I got a red circle in my menu tray with a white X saying I have a virus and need to patch it, as well as pop-ups for a virus fix of some sort. I did not write down the exact wording of these.

    I disconnected my network connection and ran my AVG, which came up with C:\Documents~1\e\Locals~1\Temp\AAWTMPC\18906187\DFA15\ BlackBox.Class, VB.Class, Dummy.Class, and Beyond.Class,
</gre_replace_placeholder>
    C:\Documents~1\e\Locals~1\Temp\AAWTMPC\18906187\3A91C9\ (same blackbox, VB, Dummy, and Beyond) and
    C:\Documents~1\e\Locals~1\Temp\AAWTMPC\18906187\381EEA\ (same black box, VB, Dummy, and Beyond)

    I manually deleted these and my AVG can't find anything else, but my Ad-Aware SE keeps going crazy, from 80 to 160 different things each time I ran it, some with a TAC of 10. I think one of them was 'coolwebsearch'. The red X was still there.

    So I uninstalled my AVG and downloaded EZ Trust, which found the Blackbox.Class, VB.Class, Dummy.Class, and Beyond.Class in C:\Documnets and settings\e\Application Data\Sun\Java\Deployment\cache\javapi\V1.0\jar\archive1213.jar-(263ac852-5590e386.zip), in (6fc272c-5d0ae29b.zip), and in (729a90a6-5dc13a11.zip).

    Did the same and deleted these. EZ Trust wouldn't find anything else, but the AVG was still going crazy and the red X would not give up.

    So I downloaded Spy Doctor, which found a bunch of things: Spywarello, Trojan.fake alret, CWS, CnsMin, Common Components for Windows Updates, Infotel serl, ISTbar, Media Gateway, CWS.Home Search Assistant, Tracking Cookie(s), Advertising, AdProtector, and Media Motor.

    Ran HijackThis for the first time, though I really didn't understand it very well (still don't), and checked a few things I didn't recognize, which seemed to get rid of the red X, and Ad-Aware doesn't seem to come up with anything critical. A friend of mine told me about this site and said I should see if anyone could give me some advice about this. Did this fix it, and how can I be sure?
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi Tedejc, Welcome to TSG!!

    You should post your hijackthis log for review before removing anything!
     
  3. Tedejc

    Tedejc Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    379
    StartupList report, 1/3/2006, 6:12:10 PM
    StartupList version: 1.52.2
    Started from : C:\Program Files\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\WINDOWS\Explorer.EXE
    C:\winstall.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    (Default) =

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Windows installer = C:\winstall.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\system32\ssmarque.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [RRAAINAX_02.RRAAINAX]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RraainAX.ocx
    CODEBASE = http://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll

    --------------------------------------------------
    End of report, 3,733 bytes
    Report generated in 0.032 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. Tedejc

    Tedejc Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    379
    The red spot in the menu tray came back, and now it's gone again. What the heck is this thing? I don't believe it's gone for good.

    Ted
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    No it's not gone but I need to see the HJT log, not the startups.

    Double click on the HJTsetup.exe icon on your desktop.

    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.

    Click Save to save the log file and then the log will open in notepad.

    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.

    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  6. Tedejc

    Tedejc Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    379
    Is this it?


    Logfile of HijackThis v1.99.1
    Scan saved at 2:59:16 PM, on 1/4/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\winstall.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.164.109.25.72
    O15 - Trusted Zone: *.207.130.86.35
    O15 - Trusted Zone: *.acura.com
    O15 - Trusted Zone: *.ahm-ownerlink.com
    O15 - Trusted Zone: *.ahmdealer.com
    O15 - Trusted Zone: *.edcor.com
    O15 - Trusted Zone: *.honda.com
    O15 - Trusted Zone: *.hondacars.com
    O15 - Trusted Zone: *.xmradio.com
    O15 - Trusted Zone: *.acura.com (HKLM)
    O15 - Trusted Zone: *.ahmdealer.com (HKLM)
    O15 - Trusted Zone: *.honda.com (HKLM)
    O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E7171D12-DACA-4B51-ADF4-2086064F2C99}: NameServer = 216.41.101.15,204.17.65.2
    O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

    Close all applications and browser windows before you click "fix checked".


    Restart in Safe Mode

    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"


    Delete this file: C:\winstall.exe

    Reboot and post another log.

    Now look over those O15's and make sure you really trust them. If not remove them from your trusted zones.
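    The advice in this post boils down to three checks a reviewer makes on a HijackThis log: autorun (O4) entries and running processes whose executable lives somewhere a legitimate program would not (the drive root, a Temp folder), O15 trusted-zone entries that are bare IP addresses and need to be confirmed by the owner, and O17 NameServer entries that should match the ISP or router. The following Python script is an added example, not part of this thread or of HijackThis itself; it applies those heuristics to a constructed log fragment in the same shape as the logs posted above. The `Finding` class, the regexes and the sample text are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Finding:
    section: str   # "process", "O4", "O15" or "O17"
    item: str      # the path, host or server list the finding is about
    reason: str    # why a reviewer should look at it

# Constructed sample in the shape of a HijackThis v1.99.1 log (not a real log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\winstall.exe

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.honda.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7171D12-DACA-4B51-ADF4-2086064F2C99}: NameServer = 216.41.101.15,204.17.65.2
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Registry Run values look like: O4 - HKCU\..\Run: [name] command
RUN_RE = re.compile(r'^O4 - [^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Startup-folder shortcuts look like: O4 - Global Startup: name.lnk = path
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')
ZONE_RE = re.compile(r'^O15 - Trusted Zone: (?P<host>\S+)')
DNS_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d.,]+)')

def target_path(cmd: str) -> str:
    """Pull the executable path out of a Run value, honouring quotes around paths with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[1:close] if close > 0 else cmd[1:]
    m = re.match(r'(.+?\.(?:exe|scr|com|bat))', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def location_concern(path: str) -> Optional[str]:
    """Return a reason string if the executable's location is unusual, else None."""
    p = path.lower()
    parent = p.rsplit("\\", 1)[0] + "\\"
    if re.fullmatch(r'[a-z]:\\', parent):
        return "executable sits directly in the drive root"
    if "\\temp\\" in p or "\\application data\\" in p:
        return "executable runs from a temp or profile data directory"
    if not (p.startswith("c:\\windows\\") or p.startswith("c:\\program files\\")):
        return "executable is outside Windows and Program Files"
    return None

def review_log(text: str) -> List[Finding]:
    """Walk the log once and collect entries a human should verify before fixing anything."""
    findings: List[Finding] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            why = location_concern(line)
            if why:
                findings.append(Finding("process", line, why))
            continue
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            path = target_path(m.group("cmd"))
            why = location_concern(path)
            if why:
                findings.append(Finding("O4", path, f"autorun '{m.group('name')}': {why}"))
            continue
        m = ZONE_RE.match(line)
        if m:
            host = m.group("host")
            if re.fullmatch(r'(\*\.)?\d{1,3}(\.\d{1,3}){3}', host):
                findings.append(Finding("O15", host, "trusted zone entry is a bare IP address; confirm you added it yourself"))
            continue
        m = DNS_RE.match(line)
        if m:
            findings.append(Finding("O17", m.group("servers"), "confirm these DNS servers belong to your ISP or router"))
    return findings

def format_report(findings: List[Finding]) -> str:
    return "\n".join(f"[{f.section}] {f.item}: {f.reason}" for f in findings)

if __name__ == "__main__":
    print(format_report(review_log(SAMPLE_LOG)))
```

    Note what the script does not do: it never marks an entry as malicious, only as worth confirming, which is exactly the posture the moderator asks for ("DO NOT have Hijack This fix anything yet"). An entry such as the CaAvTray value or the Office startup shortcut passes because it lives under Program Files, while the same `winstall.exe` shows up twice, once as a running process and once as the HKCU Run value that relaunches it, which is why deleting the file alone was not enough in the thread.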
     
  8. Tedejc

    Tedejc Thread Starter

    Joined:
    Jan 3, 2006
    Messages:
    379
    I know they're all good, even the TZ *.164.109.25.72. I'm checking into TZ *.207.130.86.35; I'm not sure about that one.
    I found C:\winstall but I could not verify the .exe on it. I couldn't delete it yesterday anyway in safe mode; I just got an error message saying 'I got an Error Deleting File or Folder -Cannot delete Winstasll: Access is denied Make sure the disk is not full or write-protected and that the file is not currently in use.'

    I tried again in safe mode this morning and deleted it without any problems. Hopefully this will do it.

    First re-start: HJT log file

    Logfile of HijackThis v1.99.1
    Scan saved at 10:19:58 AM, on 1/5/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\Program Files\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.164.109.25.72
    O15 - Trusted Zone: *.207.130.86.35
    O15 - Trusted Zone: *.acura.com
    O15 - Trusted Zone: *.ahm-ownerlink.com
    O15 - Trusted Zone: *.ahmdealer.com
    O15 - Trusted Zone: *.edcor.com
    O15 - Trusted Zone: *.honda.com
    O15 - Trusted Zone: *.hondacars.com
    O15 - Trusted Zone: *.xmradio.com
    O15 - Trusted Zone: *.acura.com (HKLM)
    O15 - Trusted Zone: *.ahmdealer.com (HKLM)
    O15 - Trusted Zone: *.honda.com (HKLM)
    O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E7171D12-DACA-4B51-ADF4-2086064F2C99}: NameServer = 216.41.101.15,204.17.65.2
    O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


    The HJT still had the O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

    I put a check in it again and hit "Fix checked" on HJT.

    After second re-start:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:54:06 AM, on 1/5/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.164.109.25.72
    O15 - Trusted Zone: *.207.130.86.35
    O15 - Trusted Zone: *.acura.com
    O15 - Trusted Zone: *.ahm-ownerlink.com
    O15 - Trusted Zone: *.ahmdealer.com
    O15 - Trusted Zone: *.edcor.com
    O15 - Trusted Zone: *.honda.com
    O15 - Trusted Zone: *.hondacars.com
    O15 - Trusted Zone: *.xmradio.com
    O15 - Trusted Zone: *.acura.com (HKLM)
    O15 - Trusted Zone: *.ahmdealer.com (HKLM)
    O15 - Trusted Zone: *.honda.com (HKLM)
    O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E7171D12-DACA-4B51-ADF4-2086064F2C99}: NameServer = 216.41.101.15,204.17.65.2
    O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


    I checked Windows Explorer for the winstall and it was not there. I'm going to restart again just to make sure it's gone.

    Ted
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     

Short URL to this thread: https://techguy.org/430770
