
Solved: PC Being Overtaken by Viruses/Malware

Discussion in 'Virus & Other Malware Removal' started by Keebo, Apr 21, 2006.

  1. Keebo

    Keebo Thread Starter

    Joined:
    Apr 21, 2006
    Messages:
    11
    Just a few days ago our beautiful, perfectly running PC was overtaken by a horde of malware from my husband's three-second visit to a website. Now we're constantly being hit by pop-ups and the computer is getting more and more sluggish. We have used HijackThis, Ad-Aware, Microsoft AntiSpyware, Symantec, Spybot, etc. Everything seems to notice that there are problems, but when we try to quarantine or remove them, they just come back. Also, Ad-Aware picks up on QOOLogic. Please Help! :(

    HijackThis log follows:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:49:36 PM, on 4/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner.OFFICE\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\gp02l3do1.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Hi, Welcome to TSG!!

    Click here: http://www.cexx.org/lspfix.htm to get LSP-Fix.
    You may not need it, but go ahead and download it.

    Go to Add/Remove Programs and uninstall New.Net (NewDotNet).
    If it will not uninstall, or is not listed there go here: http://www.newdotnet.com/removal.html
    and follow procedure 4 to remove it.

    If you lose your internet connection after running the New.Net Uninstaller, run the LSP Fix and click Finish. Don't do anything else!

    That should restore the internet connection.


    Reboot and post another HJT log.
     
  3. Keebo

    Keebo Thread Starter

    Joined:
    Apr 21, 2006
    Messages:
    11
    Thanks so much! That took care of part of the problem. However, I'm still being hit by a bunch of ads from my internet explorer and we're still sluggish. Something is hiding out.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:58:08 PM, on 4/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner.OFFICE\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\piqryc.exe reg_run
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\lvjs0917e.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Run HJT again and put a check in the following:

    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\piqryc.exe reg_run

    Close all applications and browser windows before you click "fix checked".



    Please download Look2Me-Destroyer.exe to your desktop.
    http://www.atribune.org/ccount/click.php?id=7
    Close all windows before continuing.
    Double-click Look2Me-Destroyer.exe to run it.
    Put a check next to Run this program as a task.
    You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    Once it's done scanning, click the Remove L2M button.
    You will receive a Done Scanning message, click OK.
    When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    Your computer will then shutdown.
    Turn your computer back on.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


    Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
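    A small triage helper for HijackThis logs, added here as an example (it is not code from the thread, from HijackThis or from TSG): it parses the entry lines, diffs two logs the way a helper compares a before/after post, and flags the persistence patterns acted on above (O4 Run entries and O20 Winlogon Notify DLLs with generated names in system32, O10 LSP hijacks). The allow-list and the random-name heuristic are assumptions; the sample logs are excerpts of the first two logs posted in this thread.

```python
"""Triage helper for HijackThis 1.99.x logs: parse entries, diff two logs, and
flag persistence entries.  Added example, not HijackThis or forum code."""
import re
from dataclasses import dataclass

# Leading section code of an HJT entry line: R0, O4, O20, O23 ...
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")
# First Windows path ending in .exe/.dll on a line; group 1 = directory, group 2 = file name.
PATH_RE = re.compile(r"([A-Za-z]:\\(?:[^\\\"'\r\n]+\\)*)([^\\\s\"',/]+\.(?:exe|dll))", re.I)
# Legitimate system32 binaries present in the thread's logs (assumed allow-list).
KNOWN_SYSTEM32 = {"nvcpl.dll", "nvsvc32.exe", "lexbces.exe"}
# Sections that load code at boot/logon and therefore carry persistence.
PERSISTENCE_CODES = {"O4", "O20", "O21", "O22", "O23"}


@dataclass(frozen=True)
class Entry:
    code: str   # e.g. "O4"
    body: str   # everything after "O4 - "


def parse_hjt(text):
    """Return the entry lines of a log (header and process list are skipped)."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def _sort_key(e):
    return (e.code[0], int(e.code[1:]), e.body)


def diff_logs(before, after):
    """Entries that appeared (added) and vanished (removed) between two logs."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(a - b, key=_sort_key), sorted(b - a, key=_sort_key)


def looks_random(filename):
    """Heuristic (assumed) for generated names like piqryc, lvjs0917e, gp02l3do1."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < 6:
        return False
    has_digit = any(c.isdigit() for c in stem)
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    return has_digit or vowel_ratio < 0.2


def persistence_findings(text):
    """Return [(code, target, reason)] for entries a helper would ask about."""
    findings = []
    for e in parse_hjt(text):
        if e.code == "O10":
            findings.append((e.code, e.body,
                             "Winsock LSP chain hijacked; remove via uninstaller/LSP-Fix, not HJT"))
            continue
        if e.code not in PERSISTENCE_CODES:
            continue
        m = PATH_RE.search(e.body)
        if not m:
            continue
        directory, filename = m.group(1), m.group(2)
        in_sys32 = directory.lower().rstrip("\\").endswith("\\system32")
        if in_sys32 and filename.lower() not in KNOWN_SYSTEM32 and looks_random(filename):
            findings.append((e.code, filename,
                             f"{e.code} autostart loads a random-named file from system32"))
    return findings


# Excerpts of the first two HijackThis logs posted in this thread (process lists omitted).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\gp02l3do1.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\piqryc.exe reg_run
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\lvjs0917e.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("new entries:", *(f"{e.code} - {e.body}" for e in added), sep="\n  ")
    print("gone entries:", *(f"{e.code} - {e.body}" for e in removed), sep="\n  ")
    for code, target, reason in persistence_findings(LOG_AFTER):
        print(f"FLAG {code}: {target}: {reason}")
```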
     
  5. Keebo

    Keebo Thread Starter

    Joined:
    Apr 21, 2006
    Messages:
    11
    Looking a lot better... I'm just glad I didn't get bombarded with ads the second the computer booted back up. Lol! ^_^ I may be clean..

    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 4/21/2006 4:24:02 PM

    Infected! C:\WINDOWS\system32\lvjs0917e.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000004.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000007.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000016.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000027.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000034.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000035.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000098.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000099.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000110.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000111.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000128.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000129.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000147.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000148.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000169.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000170.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000186.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000187.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000202.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000203.dll
    Infected! C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000383.dll
    Infected! C:\WINDOWS\system32\dtghelp.dll
    Infected! C:\WINDOWS\system32\h6l20g3oe6.dll
    Infected! C:\WINDOWS\system32\lvjs0917e.dll
    Infected! C:\WINDOWS\system32\guard.tmp

    Attempting to delete infected files...

    Attempting to delete: C:\WINDOWS\system32\lvjs0917e.dll
    C:\WINDOWS\system32\lvjs0917e.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000004.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000004.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000007.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000007.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000016.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000016.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000027.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000027.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000034.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000034.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000035.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP1\A0000035.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000098.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000098.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000099.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000099.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000110.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000110.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000111.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000111.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000128.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000128.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000129.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000129.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000147.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000147.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000148.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000148.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000169.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000169.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000170.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000170.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000186.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000186.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000187.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000187.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000202.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000202.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000203.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000203.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000383.dll
    C:\System Volume Information\_restore{A311A5F4-47AA-41DA-9966-5EA5613C86FB}\RP2\A0000383.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\dtghelp.dll
    C:\WINDOWS\system32\dtghelp.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\h6l20g3oe6.dll
    C:\WINDOWS\system32\h6l20g3oe6.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\lvjs0917e.dll
    C:\WINDOWS\system32\lvjs0917e.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\guard.tmp
    C:\WINDOWS\system32\guard.tmp Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9D51C1D4-53C1-4241-82D9-6345E1F7FA8A}"
    HKCR\Clsid\{9D51C1D4-53C1-4241-82D9-6345E1F7FA8A}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C612D7B6-9CBA-4722-944E-286B10A7EEC0}"
    HKCR\Clsid\{C612D7B6-9CBA-4722-944E-286B10A7EEC0}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2C1A19AC-2D3E-4E39-A522-4667EDD7580D}"
    HKCR\Clsid\{2C1A19AC-2D3E-4E39-A522-4667EDD7580D}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{816FF1E9-4FB2-4215-AE82-BB0E40A42CCD}"
    HKCR\Clsid\{816FF1E9-4FB2-4215-AE82-BB0E40A42CCD}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded

    -------------------------------------------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 4:30:35 PM, on 4/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner.OFFICE\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\piqryc.exe reg_run
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  6. Keebo

    Keebo Thread Starter

    Joined:
    Apr 21, 2006
    Messages:
    11
    (y) Well, I've been surfing around and nothing has popped up... Nothing has attempted to hijack me. Computer is running fast again. Thank you so much for all your help! The people here are really wonderful. Glad I joined. (y)

    I went ahead and disabled/enabled Restore, etc. I'm all set! Ready to mark this one as solved.
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Wait... we're not done yet!
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Click Here and download Killbox and save it to your desktop.


    Click here for info on how to boot to safe mode if you don't already know how.


    Copy these instructions to notepad and save them to your desktop. You will need them to refer to.


    * Restart your computer into safe mode now. Perform the following steps in safe mode:


    Run HJT again and put a check in the following:

    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\piqryc.exe reg_run

    Close all applications and browser windows before you click "fix checked".


    Double-click on Killbox.exe to run it.
    Put a tick by Delete on Reboot.
    In the "Full Path of File to Delete" box, copy and paste the following line.

    C:\WINDOWS\system32\piqryc.exe

    Click on the button that has the red circle with the X in the middle after you enter the file name.
    It will ask for confirmation to delete the file.
    Click Yes.
    It will ask if you want to reboot now,
    Click Yes.

    Note: It is possible that Killbox will tell you that the file does not exist.

    Exit the Killbox.


    * Restart back into Windows normally now and post your log again.
     
  9. Keebo

    Keebo Thread Starter

    Joined:
    Apr 21, 2006
    Messages:
    11
    Hmm.. followed instructions but that piqryc is still there.. :(


    Logfile of HijackThis v1.99.1
    Scan saved at 6:29:32 PM, on 4/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner.OFFICE\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\piqryc.exe reg_run
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Turn off System Restore, follow these steps:
    1. Click Start, right-click My Computer, and then click Properties.
    2. Click the System Restore tab.
    3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
    4. Click Yes when you receive the prompt to turn off System Restore.

    That way the virus scan will not take so long scanning.


    Run Kaspersky online virus scan here: http://www.kaspersky.com/virusscanner

    When given the option, choose the "Extended database" for the scan.
    When it's finished, save the results from the scan and post them here.
     
  11. Keebo

    Keebo Thread Starter

    Joined:
    Apr 21, 2006
    Messages:
    11
    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Saturday, April 22, 2006 8:53:48 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.78.0
    Kaspersky Anti-Virus database last update: 23/04/2006
    Kaspersky Anti-Virus database records: 189518
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 123512
    Number of viruses found: 28
    Number of infected objects: 73
    Number of suspicious objects: 0
    Duration of the scan process: 01:11:32

    Infected Object Name / Virus Name / Last Action
    C:\!KillBox\piqryc.exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940000.VBN/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940000.VBN/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940000.VBN/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940000.VBN/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940000.VBN ZIP: infected - 4 skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940000.VBN CryptZ: infected - 4 skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940001.VBN/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940001.VBN/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940001.VBN/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940001.VBN/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940001.VBN ZIP: infected - 4 skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940001.VBN CryptZ: infected - 4 skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940002.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940002.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940002.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940002.VBN ZIP: infected - 3 skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940002.VBN CryptZ: infected - 3 skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940003.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940003.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940003.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940003.VBN ZIP: infected - 3 skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940003.VBN CryptZ: infected - 3 skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940004.VBN Infected: Trojan-Dropper.Win32.Agent.aie skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940005.VBN Infected: Trojan-Dropper.Win32.Agent.aie skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940006.VBN/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940006.VBN NSIS: infected - 1 skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940006.VBN CryptZ: infected - 1 skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940007.VBN/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940007.VBN NSIS: infected - 1 skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940007.VBN CryptZ: infected - 1 skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940008.VBN Infected: Trojan-Downloader.Win32.Small.cpu skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940009.VBN Infected: Trojan-Downloader.Win32.Small.cpu skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E94000C.VBN Infected: Trojan-Clicker.Win32.VB.ij skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E94000D.VBN Infected: Trojan-Clicker.Win32.VB.ij skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E94000E.VBN Infected: Trojan-Clicker.Win32.VB.ij skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E94000F.VBN Infected: Trojan-Clicker.Win32.VB.ij skipped
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ohwg.exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
    C:\Program Files\Ares Galaxy FasterDownload\NNGLZA638.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\Program Files\Microsoft AntiSpyware\Quarantine\0B9BE5C1-464E-4ABD-B689-6660D7\CD69DEDA-D3D5-4614-9C6D-6EA520 Infected: not-a-virus:AdWare.Win32.180Solutions.g skipped
    C:\Program Files\Microsoft AntiSpyware\Quarantine\15454FA0-5CB3-4A3C-8F5D-4B04AE\B11EA32B-48A4-4CEB-B8BA-7D72A3 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\Program Files\Microsoft AntiSpyware\Quarantine\240DC999-E63F-440C-8F66-1850A7\3F430F83-F4D8-4FB8-A7F9-E846C6 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\Program Files\Microsoft AntiSpyware\Quarantine\240DC999-E63F-440C-8F66-1850A7\4665A412-359E-43C1-A276-454486 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\Program Files\Microsoft AntiSpyware\Quarantine\240DC999-E63F-440C-8F66-1850A7\537F80CE-E671-4E1D-B41F-31215A Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\Program Files\Microsoft AntiSpyware\Quarantine\240DC999-E63F-440C-8F66-1850A7\91929C60-ECDD-47A3-8BCC-6ABB52 Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
    C:\Program Files\Microsoft AntiSpyware\Quarantine\240DC999-E63F-440C-8F66-1850A7\A451E915-E3AF-429B-8F53-F687BC Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\Program Files\Microsoft AntiSpyware\Quarantine\24EAAE95-1DB2-4944-8095-0E0431\172A6575-B0C6-4A8D-BBF5-72ADBB Infected: Trojan.Win32.Pakes skipped
    C:\Program Files\Microsoft AntiSpyware\Quarantine\737E8473-19A1-43A3-A9C1-5B621F\47A19F25-48FE-4931-8020-5AE32D Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
    C:\Program Files\Microsoft AntiSpyware\Quarantine\D6C19FD7-28C6-4ABA-A302-175D55\1391F7B7-BF41-4F6C-B127-AC9B15 Infected: not-a-virus:AdWare.Win32.WinAD.bc skipped
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008018.exe Infected: not-a-virus:AdWare.Win32.Sahat.m skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008023.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008036.exe Infected: Trojan.Win32.Pakes skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008038.dll Infected: Trojan.Win32.Pakes skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008041.exe Infected: not-a-virus:AdWare.Win32.WebSearch.aj skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008084.exe Infected: not-a-virus:AdWare.Win32.WebSearch.aj skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008086.exe Infected: not-a-virus:AdWare.Win32.WebSearch.aj skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008088.dll Infected: not-a-virus:AdWare.Win32.WebSearch.aj skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008089.exe Infected: not-a-virus:AdWare.Win32.WebSearch.al skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP12\A0008180.exe Infected: not-a-virus:AdWare.Win32.Sahat.w skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP12\A0008194.exe Infected: not-a-virus:AdWare.Win32.WinAD.am skipped
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\A0009544.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    C:\System Volume Information\_restore{9AEA9590-B892-4D31-A442-EA8521F56737}\RP1\A0000289.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped
    C:\WINDOWS\errorhandler.exe Infected: Trojan-Downloader.Win32.VB.nw skipped
    C:\WINDOWS\money.exe Infected: Trojan-Downloader.Win32.VB.vz skipped
    C:\WINDOWS\newname12.exe Infected: Trojan-Downloader.Win32.VB.aaf skipped
    C:\WINDOWS\system32\dmonwv.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped
    C:\WINDOWS\system32\iospqnp.dll Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
    C:\WINDOWS\system32\jsvdkdv.exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
    C:\WINDOWS\system32\keqrg.dll Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
    C:\WINDOWS\system32\piqryc.exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
    C:\WINDOWS\system32\w0479a62.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
    C:\WINDOWS\system32\wagbq.dat Infected: Trojan-Downloader.Win32.Qoologic.ax skipped

    Scan process completed.
     
  12. Keebo

    Keebo Thread Starter

    Joined:
    Apr 21, 2006
    Messages:
    11
    I'm still getting popups now and it looks like from that scan a lot of stuff is still there.
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Please download Ewido Anti-Malware
    • Install Ewido Anti-Malware
    • Launch Ewido, there should be an icon on your desktop, double-click it.
    • The program will now open to the main screen.
    • When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
  (the status bar at the bottom will display "Update successful")
    • Exit Ewido, do not run the scan yet!
    If you are having problems with the updater, you can use this link to manually update ewido.
    ewido manual updates

    Click My Computer, then C:\
    In the menu bar, File->New->Folder.
    That will create a folder named New Folder, which you can rename to "BFU"

    Please download Brute Force Uninstaller.
    Unzip it to its own folder (c:\BFU)

    Next, RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

    Do not run the Uninstaller and the Remover yet.

    Please reboot into Safe Mode:
    Turn on the computer.
    Immediately begin tapping the F8 key (or F5 on some computers)
    Use the arrow keys to highlight Safe Mode and press the Enter key.

    *Click on Ewido>Scanner
    Then select "Settings"
    Under the bottom section "What to Scan?" make sure "Scan every file" is checked.
    Select "OK" and you will return to scanning options.
    *Click on Complete System Scan and the scan will begin.

    This scan can take quite a while to run, so please be patient.
    While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose Clean. Then put a check next to 'Perform action on all infections'. Doing this enables the scan to proceed automatically until its completion. Click OK.

    When the scan finishes, click on "Save Report". This will create a text file.
    ** Make sure you know where to find this file again. The best place to save it would probably be your Desktop.
    Now close Ewido Anti Malware.

    Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe

    In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu
    Press execute and let it do its job.

    Wait for the complete script execution box to pop up and press OK.
    Press exit to terminate the BFU program.

    Reboot into normal Windows and post the contents of the Ewido text report that you saved and a new HijackThis log.
     
  14. Keebo

    Keebo Thread Starter

    Joined:
    Apr 21, 2006
    Messages:
    11
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 1:18:31 PM, 4/23/2006
    + Report-Checksum: B2E11606

    + Scan result:

    C:\!KillBox\piqryc.exe -> Downloader.Qoologic.ax : Cleaned with backup
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ohwg.exe -> Downloader.Qoologic.ax : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][2].txt -> TrackingCookie.Aavalue : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][2].txt -> TrackingCookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][2].txt -> TrackingCookie.Aavalue : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][2].txt -> TrackingCookie.Paycounter : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][1].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][2].txt -> TrackingCookie.Xxxcounter : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][2].txt -> TrackingCookie.Adserver : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\Documents and Settings\Owner.OFFICE\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup
    C:\Program Files\Ares Galaxy FasterDownload\NNGLZA638.EXE -> Adware.NewDotNet : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\0B9BE5C1-464E-4ABD-B689-6660D7\CD69DEDA-D3D5-4614-9C6D-6EA520 -> Adware.180Solutions : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\15454FA0-5CB3-4A3C-8F5D-4B04AE\B11EA32B-48A4-4CEB-B8BA-7D72A3 -> Adware.NewDotNet : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\240DC999-E63F-440C-8F66-1850A7\3F430F83-F4D8-4FB8-A7F9-E846C6 -> Adware.NewDotNet : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\240DC999-E63F-440C-8F66-1850A7\4665A412-359E-43C1-A276-454486 -> Adware.NewDotNet : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\240DC999-E63F-440C-8F66-1850A7\537F80CE-E671-4E1D-B41F-31215A -> Adware.NewDotNet : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\240DC999-E63F-440C-8F66-1850A7\91929C60-ECDD-47A3-8BCC-6ABB52 -> Adware.NewDotNet : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\240DC999-E63F-440C-8F66-1850A7\A451E915-E3AF-429B-8F53-F687BC -> Adware.NewDotNet : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\24EAAE95-1DB2-4944-8095-0E0431\172A6575-B0C6-4A8D-BBF5-72ADBB -> Trojan.Pakes : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\737E8473-19A1-43A3-A9C1-5B621F\47A19F25-48FE-4931-8020-5AE32D -> Adware.NewDotNet : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\D6C19FD7-28C6-4ABA-A302-175D55\1391F7B7-BF41-4F6C-B127-AC9B15 -> Adware.WinAD : Cleaned with backup
    C:\WINDOWS\errorhandler.exe -> Downloader.VB.nw : Cleaned with backup
    C:\WINDOWS\IFinst25.exe -> Backdoor.Ifinst : Cleaned with backup
    C:\WINDOWS\newname12.exe -> Downloader.VB.aaf : Cleaned with backup
    C:\WINDOWS\pf78bb.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
    C:\WINDOWS\system32\iospqnp.dll -> Downloader.Qoologic.ax : Cleaned with backup
    C:\WINDOWS\system32\jsvdkdv.exe -> Downloader.Qoologic.ax : Cleaned with backup
    C:\WINDOWS\system32\keqrg.dll -> Downloader.Qoologic.ax : Cleaned with backup
    C:\WINDOWS\system32\piqryc.exe -> Downloader.Qoologic.ax : Cleaned with backup
    C:\WINDOWS\system32\prdsregs.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\WINDOWS\system32\w0479a62.dll -> Downloader.Agent.ahv : Cleaned with backup
    C:\WINDOWS\system32\wagbq.dat -> Downloader.Qoologic.ax : Cleaned with backup
    C:\WINDOWS\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup
    C:\WINDOWS\zigi.exe -> Adware.ZenoSearch : Cleaned with backup


    ::Report End
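    As an added example (the editor's, not anything posted in this thread or shipped with the tools named here), the following Python script triages the two kinds of report above: the Kaspersky online-scan lines ending in "Infected: ... skipped" (post 11) and the ewido "path -> name : action" lines (post 14). The security point it makes is where a hit lives: a "skipped" detection inside Symantec's or Microsoft AntiSpyware's Quarantine folder, a KillBox backup, or a System Volume Information restore point is an archived copy that another tool already contained, while a hit in C:\WINDOWS, system32 or the Startup folder is a live file. The script sorts each report by that rule and then lists active files from the first scan that the second report never mentions, which is what a helper would ask about in the next log. The folder markers and the "contained / cookie / active" split are the editor's own heuristic; the sample lines are excerpted from the two reports in this thread, except for one constructed cookie entry with a made-up file name.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Kaspersky Online Scanner lines look like:
#   <path>[/<archive member>] Infected: <detection name> skipped
# Archive summary lines ("<path> ZIP: infected - 3 skipped") repeat findings
# already listed per member, so they are deliberately not matched.
KASPERSKY_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")

# ewido anti-malware report lines look like:
#   <path> -> <detection name> : <action>
EWIDO_LINE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+)$")

# Editor's heuristic: a file under one of these folders is an archived copy
# held by another tool or by System Restore, not something that runs at boot.
CONTAINED_MARKERS = (
    "\\quarantine\\",
    "\\system volume information\\_restore",
    "\\!killbox\\",
)


@dataclass(frozen=True)
class Finding:
    path: str      # as printed by the scanner; archive members keep their "/member" suffix
    name: str      # the scanner's detection name
    action: str    # "skipped" for Kaspersky, e.g. "Cleaned with backup" for ewido
    category: str  # "contained", "cookie" or "active"


def categorize(path: str, name: str) -> str:
    lowered = path.lower()
    if any(marker in lowered for marker in CONTAINED_MARKERS):
        return "contained"
    if name.lower().startswith("trackingcookie") or "\\cookies\\" in lowered:
        return "cookie"
    return "active"


def parse_kaspersky(report: str) -> list[Finding]:
    findings = []
    for line in report.splitlines():
        m = KASPERSKY_LINE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["name"], "skipped", categorize(m["path"], m["name"])))
    return findings


def parse_ewido(report: str) -> list[Finding]:
    findings = []
    for line in report.splitlines():
        m = EWIDO_LINE.match(line.strip())
        if m:
            action = m["action"].strip()
            findings.append(Finding(m["path"], m["name"], action, categorize(m["path"], m["name"])))
    return findings


def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    counts = {"contained": 0, "cookie": 0, "active": 0}
    for f in findings:
        counts[f.category] += 1
    return counts


def file_path(finding: Finding) -> str:
    """On-disk path, case-folded, with any archive-member suffix removed."""
    return finding.path.split("/", 1)[0].lower()


def unresolved_active(first: Iterable[Finding], second: Iterable[Finding]) -> list[str]:
    """Active files from the first scan that the second report does not mention at all."""
    seen = {file_path(f) for f in second}
    return sorted({f.path for f in first if f.category == "active" and file_path(f) not in seen})


# Sample input: lines excerpted from the two reports posted in this thread.
KASPERSKY_SAMPLE = r"""
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940003.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E940003.VBN ZIP: infected - 3 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008036.exe Infected: Trojan.Win32.Pakes skipped
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ohwg.exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\WINDOWS\money.exe Infected: Trojan-Downloader.Win32.VB.vz skipped
C:\WINDOWS\system32\dmonwv.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped
C:\WINDOWS\system32\piqryc.exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
"""

# The cookie line below is constructed (made-up file and detection name); the rest are from the thread.
EWIDO_SAMPLE = r"""
C:\!KillBox\piqryc.exe -> Downloader.Qoologic.ax : Cleaned with backup
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ohwg.exe -> Downloader.Qoologic.ax : Cleaned with backup
C:\Documents and Settings\Owner.OFFICE\Cookies\owner@tracker.example[1].txt -> TrackingCookie.Example : Cleaned with backup
C:\WINDOWS\errorhandler.exe -> Downloader.VB.nw : Cleaned with backup
C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\WINDOWS\system32\piqryc.exe -> Downloader.Qoologic.ax : Cleaned with backup
"""

if __name__ == "__main__":
    first, second = parse_kaspersky(KASPERSKY_SAMPLE), parse_ewido(EWIDO_SAMPLE)
    print("Kaspersky:", summarize(first))
    print("ewido:    ", summarize(second))
    for path in unresolved_active(first, second):
        print("active in first scan, absent from second report:", path)
```

    On the sample above the script reports two of the six Kaspersky hits as contained and four as active, and names C:\WINDOWS\money.exe as the one active file the ewido report does not list. Treat that output as a question for the next log rather than a verdict: a file can be absent from a later report because another tool already deleted it, so the right follow-up is a fresh scan or a directory check, not an assumption either way.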
     
  15. Keebo

    Keebo Thread Starter

    Joined:
    Apr 21, 2006
    Messages:
    11
    Logfile of HijackThis v1.99.1
    Scan saved at 1:26:31 PM, on 4/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner.OFFICE\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
Short URL to this thread: https://techguy.org/461162