
Solved: Please help, computer is infected by bo:heap virus

Discussion in 'Virus & Other Malware Removal' started by klnaj, Feb 12, 2007.

Thread Status:
Not open for further replies.
  1. klnaj (Thread Starter)

    Hi, my laptop is infected by the bo:heap virus. Currently my laptop is running McAfee, but the thing is I can't delete/clean the infected file from McAfee as the clean and delete file buttons have been disabled. Even the anti-spyware software can't do anything about the infected file.

    Here is the information shown in the McAfee alert message box.

    Pathname: c:\program files\internet explorer\iexplore.exe::ReadFile
    Detected As: bo:heap
    State: Blocked by Buffer Overflow Protection

    I really don't know what I need to do. Can anyone shed any light on this for me please? Thanks in advance
     
  2. klnaj (Thread Starter)

    Now my connection seems very slow too. It takes minutes for IE to load a page.
     
  3. Cookiegal (Administrator, Malware Specialist Coordinator)

    Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  4. klnaj (Thread Starter)

    Hi Cookiegal,

    First, thank you so much for your help and response. Below is the log.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:37:54 PM, on 2/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
    C:\WINDOWS\tppaldr.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB002" /M "Stylus C84"
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [corndupefindcopy] C:\Documents and Settings\All Users\Application Data\send mags corn dupe\Bows Delete.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Sign 4] C:\DOCUME~1\TAKUMI~1\APPLIC~1\WINGPL~1\copygreatooze.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
     
  5. Cookiegal (Administrator, Malware Specialist Coordinator)

    Download and unzip the following to a new folder:
    http://metallica.geekstogo.com/findlop.zip


    Inside the folder locate findlop.bat

    Double click it and it will create the file C:\findlop.txt
    Find that file and copy and paste the contents into your next post.


    Also, copy the part in bold below into notepad and save it as direxie.bat
    Set File type to "All files"


    rem Lists (with 8.3 short names, /x) the three folders where unwanted
    rem autoruns commonly hide, then opens the combined listing in Notepad.
    cd\
    cd C:\Documents and Settings\%UserName%\Application Data
    dir /x > C:\directory.txt
    cd C:\Documents and Settings\All Users\Application Data
    dir /x >> C:\directory.txt
    cd C:\Program Files
    dir /x >> C:\directory.txt
    start notepad C:\directory.txt



    Start the file by double clicking direxie.bat
    That will open a file called directory.txt. Post the content of that file.
     
  6. klnaj (Thread Starter)

    Volume in drive C has no label.
    Volume Serial Number is 8401-E170

    Directory of C:\Documents and Settings\Takumi Fujiwara\Application Data

    12/23/2005 10:39 AM <DIR> Adobe
    12/23/2005 01:08 PM <DIR> AdobeUM
    10/16/2006 05:46 PM <DIR> APPLEC~1 Apple Computer
    03/04/2006 11:58 AM 32,304 GDIPFO~1.DAT GDIPFONTCACHEV1.DAT
    01/08/2006 10:44 PM <DIR> Google
    01/14/2006 04:52 AM <DIR> Help
    12/20/2005 12:16 AM <DIR> IDENTI~1 Identities
    10/20/2006 12:37 PM <DIR> Intel
    12/21/2005 10:52 PM <DIR> JASCSO~1 Jasc Software Inc
    08/23/2006 07:24 PM <DIR> Lavasoft
    12/20/2005 08:17 PM <DIR> MACROM~1 Macromedia
    12/20/2005 09:18 PM <DIR> MEDIAP~1 Media Player Classic
    12/20/2005 12:36 AM <DIR> Real
    09/22/2006 11:47 PM <DIR> Roxio
    02/10/2007 04:58 PM <DIR> WINGPL~1 Win gpl junk
    1 File(s) 32,304 bytes
    14 Dir(s) 1,271,709,696 bytes free
    Volume in drive C has no label.
    Volume Serial Number is 8401-E170

    Directory of C:\Documents and Settings\All Users\Application Data

    12/20/2005 12:37 AM <DIR> Adobe
    10/16/2006 05:46 PM <DIR> APPLEC~1 Apple Computer
    02/06/2007 10:52 AM 15 DRAGTO~1.TXT DragToDiscUserNameE.txt
    01/06/2007 04:04 PM <DIR> Google
    12/20/2005 12:34 AM <DIR> NETWOR~1 Network Associates
    10/16/2006 05:46 PM <DIR> QUICKT~1 QuickTime
    02/10/2007 04:58 PM <DIR> SENDMA~1 send mags corn dupe
    07/22/2006 04:29 AM <DIR> WINDOW~1 Windows Genuine Advantage
    12/21/2006 08:56 AM <DIR> yahoo!
    1 File(s) 15 bytes
    8 Dir(s) 1,271,709,696 bytes free
    Volume in drive C has no label.
    Volume Serial Number is 8401-E170

    Directory of C:\Program Files

    02/13/2007 03:37 PM <DIR> .
    02/13/2007 03:37 PM <DIR> ..
    12/20/2005 12:36 AM <DIR> Adobe
    12/20/2005 12:48 AM <DIR> ATITEC~1 ATI Technologies
    12/28/2005 12:28 PM <DIR> BitComet
    02/10/2007 08:27 PM <DIR> BITGRA~1 BitGrabber
    12/20/2005 12:31 AM <DIR> Broadcom
    12/28/2005 12:44 PM <DIR> BSPlayer
    12/20/2005 04:17 AM <DIR> COMMON~1 Common Files
    12/19/2005 11:49 PM <DIR> COMPLU~1 ComPlus Applications
    12/20/2005 12:22 AM <DIR> CONEXANT
    01/07/2006 12:30 AM <DIR> D-Tools
    12/21/2005 10:51 PM <DIR> DELLCO~1 Dell Computer
    01/01/2006 10:08 AM <DIR> DIABLO~1 Diablo II
    11/05/2006 10:58 PM <DIR> DivX
    12/20/2005 12:11 AM <DIR> ENGLIS~1 EnglishOtto
    01/14/2006 04:44 AM <DIR> EPSON
    12/20/2005 12:11 AM <DIR> GEMMAS~1 GemMaster
    01/07/2007 06:39 PM <DIR> Google
    02/13/2007 03:37 PM <DIR> HIJACK~1 Hijackthis
    12/20/2005 12:26 AM <DIR> Intel
    12/02/2006 09:23 AM <DIR> INTERN~1 Internet Explorer
    10/20/2006 12:40 PM <DIR> iPod
    12/21/2005 10:52 PM <DIR> JASCSO~1 Jasc Software Inc
    12/20/2005 08:45 PM <DIR> K-LITE~1 K-Lite Codec Pack
    08/23/2006 07:24 PM <DIR> Lavasoft
    12/20/2005 01:08 AM <DIR> MESSEN~1 Messenger
    12/20/2005 12:59 AM <DIR> MICROS~3 Microsoft ActiveSync
    12/19/2005 11:55 PM <DIR> MICROS~1 microsoft frontpage
    12/20/2005 12:58 AM <DIR> MICROS~2 Microsoft Office
    12/19/2005 11:51 PM <DIR> MOVIEM~1 Movie Maker
    12/19/2005 11:45 PM <DIR> MSN
    12/19/2005 11:46 PM <DIR> MSNGAM~1 MSN Gaming Zone
    11/17/2006 08:25 PM <DIR> MSXML4~1.0 MSXML 4.0
    12/19/2005 11:51 PM <DIR> NETMEE~1 NetMeeting
    12/20/2005 12:34 AM <DIR> NETWOR~1 Network Associates
    12/20/2005 01:12 AM <DIR> OFFICE~1 OfficeUpdate11
    12/19/2005 11:49 PM <DIR> ONLINE~1 Online Services
    12/16/2006 08:18 AM <DIR> OUTLOO~1 Outlook Express
    02/02/2006 01:58 AM <DIR> PCFRIE~1 PCFriendly
    10/20/2006 12:42 PM <DIR> QUICKT~1 QuickTime
    12/20/2005 12:35 AM <DIR> Real
    02/02/2006 02:04 AM <DIR> RGB
    12/20/2005 04:19 AM <DIR> Roxio
    12/20/2005 12:21 AM <DIR> SigmaTel
    02/10/2007 04:57 PM <DIR> WINGPL~1 Win gpl junk
    04/15/2006 08:19 AM <DIR> Winamp
    04/28/2006 10:20 PM <DIR> WINDOW~3 Windows Media Player
    12/19/2005 11:46 PM <DIR> WINDOW~1 Windows NT
    12/19/2005 11:48 PM <DIR> WINDOW~2 Windows Plus
    02/02/2007 12:15 PM <DIR> WinRAR
    12/19/2005 11:55 PM <DIR> xerox
    12/11/2006 09:06 PM <DIR> Yahoo!
    0 File(s) 0 bytes
    53 Dir(s) 1,271,705,600 bytes free
     
  7. Cookiegal (Administrator, Malware Specialist Coordinator)

    You didn't do the first part of my instructions so please do that now and post the contents of C:\findlop.txt.
     
  8. klnaj (Thread Starter)

    Sorry for missing the first part. Here is the log from findlop.

    [TRACE] Enumerating jobs and queues
    [TRACE] Activating job '96498A2D92125659.job'
    [TRACE] Printing all job properties

    ApplicationName: 'c:\docume~1\takumi~1\applic~1\wingpl~1\SoftwareHideBold.exe'
    Parameters: ''
    WorkingDirectory: ''
    Comment: ''
    Creator: 'Takumi Fujiwara'
    Priority: NORMAL
    MaxRunTime: 259200000 (3d 0:00:00)
    IdleWait: 10
    IdleDeadline: 60
    MostRecentRun: 02/13/2007 17:27:52
    NextRun: 02/13/2007 20:00:00
    StartError: S_OK
    ExitCode: 0
    Status: SCHED_S_TASK_READY
    ScheduledWorkItem Flags:
    DeleteWhenDone = 0
    Suspend = 0
    StartOnlyIfIdle = 0
    KillOnIdleEnd = 0
    RestartOnIdleResume = 0
    DontStartIfOnBatteries = 0
    KillIfGoingOnBatteries = 0
    RunOnlyIfLoggedOn = 1
    SystemRequired = 0
    Hidden = 1
    TaskFlags: 0

    1 Trigger

    Trigger 0:
    Type: Daily
    DaysInterval: 1
    StartDate: 10/25/2000
    EndDate: 00/00/0000
    StartTime: 00:00
    MinutesDuration: 1440
    MinutesInterval: 60
    Flags:
    HasEndDate = 0
    KillAtDuration = 0
    Disabled = 0
     
  9. Cookiegal (Administrator, Malware Specialist Coordinator)

    Copy everything inside the quote box below (starting with @) and paste it into notepad. Go up to "File > Save As", click the drop-down box to change the "Save As Type" to "All Files". Save it as remlop.bat on your desktop.

    Double-click remlop.bat. A window will open and close quickly; this is normal.


    Click Here and download Killbox and save it to your desktop but don’t run it yet.


    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [corndupefindcopy] C:\Documents and Settings\All Users\Application Data\send mags corn dupe\Bows Delete.exe

    O4 - HKCU\..\Run: [Sign 4] C:\DOCUME~1\TAKUMI~1\APPLIC~1\WINGPL~1\copygreatooze.exe


    Then boot to safe mode:


    How to restart to safe mode


    Double-click on Killbox.exe to run it.
    • Put a tick by Standard File Kill.
    • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

      C:\Documents and Settings\Takumi Fujiwara\Application Data\Win gpl junk
      C:\Program Files\Win gpl junk
      C:\Documents and Settings\All Users\Application Data\send mags corn dupe


    • Click on the button that has the red circle with the X in the middle after you enter each file.
    • It will ask for confirmation to delete the file.
    • Click Yes.
    • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
    • Killbox may tell you that one or more files do not exist.
    • If that happens, just continue on with all the files. Be sure you don't miss any.
    • Next in Killbox go to Tools > Delete Temp Files
    • In the window that pops up, put a check by ALL the options there except these three:
      • XP Prefetch
      • Recent
      • History
    • Now click the Delete Selected Temp Files button.
    • Exit the Killbox.


    Boot back to Windows normally and post another HijackThis log please.
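Added example (not code from the thread, HijackThis or findlop): a Python triage script that parses the O4 run-key lines from the first HijackThis log and the task properties from the findlop output, and flags anything launched from a user-writable Application Data folder, which is exactly the pattern the fix list above targets. The heuristics and the names USER_WRITABLE_HINTS, flag_autoruns and task_findings are my own assumptions; the sample lines are copied from the logs in this thread.

```python
"""Triage helpers for the HijackThis O4 lines and the findlop task dump in this
thread.  Added example, not thread/HijackThis/findlop code; heuristics assumed."""
import re
from typing import NamedTuple, Optional

# Folders installed software rarely launches from at logon, but that user-level
# adware prefers because any account can write there (long and 8.3 forms).
USER_WRITABLE_HINTS = ("\\application data\\", "\\applic~1\\",
                       "\\local settings\\", "\\locals~1\\", "\\temp\\")

class Autorun(NamedTuple):
    hive: str      # HKLM or HKCU
    name: str      # value name under the Run key
    command: str   # command line executed at logon

O4_RE = re.compile(r"^O4 - (HK[LC][MU])\\\.\.\\Run: \[([^\]]*)\] (.+)$")
EXE_RE = re.compile(r'^"?([^"]*?\.(?:exe|bat|com|scr))"?', re.I)

def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one 'O4 - HKxx\\..\\Run:' line; None for any other line."""
    m = O4_RE.match(line.strip())
    return Autorun(m.group(1), m.group(2), m.group(3)) if m else None

def launches_from_user_writable(command: str) -> bool:
    """True when the program in `command` sits under a per-user or All Users
    Application Data / Temp folder; arguments after the .exe are ignored."""
    m = EXE_RE.match(command.strip())
    target = (m.group(1) if m else command).lower() + "\\"
    return any(hint in target for hint in USER_WRITABLE_HINTS)

def flag_autoruns(hjt_log: str) -> list:
    """O4 entries of a HijackThis log that run from user-writable folders."""
    entries = (parse_o4(line) for line in hjt_log.splitlines())
    return [e for e in entries if e and launches_from_user_writable(e.command)]

def parse_job_dump(dump: str) -> dict:
    """Collect the 'Key: value' and 'Flag = n' lines of a findlop task dump."""
    props = {}
    for raw in dump.splitlines():
        kv = re.match(r"^([A-Za-z]+):\s*(.*)$", raw.strip())
        flag = re.match(r"^(\w+)\s*=\s*(\d+)$", raw.strip())
        if kv:
            props[kv.group(1)] = kv.group(2).strip("'")
        elif flag:
            props[flag.group(1)] = flag.group(2)
    return props

def task_findings(props: dict) -> list:
    """Reasons a scheduled task deserves a look (empty list if none)."""
    reasons = []
    if launches_from_user_writable(props.get("ApplicationName", "")):
        reasons.append("runs a program from a user-writable Application Data folder")
    if props.get("Hidden") == "1":
        reasons.append("task is marked Hidden")
    if props.get("Type") == "Daily" and props.get("MinutesInterval"):
        reasons.append("re-launches every %s minutes" % props["MinutesInterval"])
    return reasons

# Sample input: O4 lines copied from the first HijackThis log in this thread.
SAMPLE_HJT = """
O4 - HKLM\\..\\Run: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe
O4 - HKLM\\..\\Run: [ShStatEXE] "C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE" /STANDALONE
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O4 - HKLM\\..\\Run: [corndupefindcopy] C:\\Documents and Settings\\All Users\\Application Data\\send mags corn dupe\\Bows Delete.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Sign 4] C:\\DOCUME~1\\TAKUMI~1\\APPLIC~1\\WINGPL~1\\copygreatooze.exe
"""

# Sample input: task properties copied from the findlop output in this thread.
SAMPLE_JOB = """
ApplicationName: 'c:\\docume~1\\takumi~1\\applic~1\\wingpl~1\\SoftwareHideBold.exe'
Hidden = 1
Type: Daily
MinutesInterval: 60
"""

if __name__ == "__main__":
    for e in flag_autoruns(SAMPLE_HJT):
        print(f"{e.hive} Run [{e.name}] -> {e.command}")
    for reason in task_findings(parse_job_dump(SAMPLE_JOB)):
        print("task:", reason)
```

The KernelFaultCheck entry is deliberately not flagged: it points into %systemroot% and is the harmless dumprep leftover, which is why it could not be found as a file later in the thread.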
     
  10. klnaj (Thread Starter)

    Hi Cookiegal,

    I managed to delete all the files that you wanted me to delete except

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    because I couldn't find that entry in the scan results.

    When Windows restarts to safe mode, instead of logging in to the Administrator account, I log in to the Takumi Fujiwara account.

    Here is the new HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 11:39:49 AM, on 2/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
    C:\WINDOWS\tppaldr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB002" /M "Stylus C84"
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
     
  11. Cookiegal (Administrator, Malware Specialist Coordinator)

    Download AVG Anti-Spyware from HERE and save that file to your desktop.

    When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
    4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
    1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG will now begin the scanning process. Please be patient as this may take a little time.
      Once the scan is complete, do the following:
    5. If you have any infections you will be prompted. Then select "Apply all actions."
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • You need to use IE to run this scan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.
     
  12. klnaj (Thread Starter)

    I am having trouble updating AVG. An error message shows: "Sorry, the server is not ready to serve. Please try again later"

    I will try and run the update again later and will post the scan result once I have everything done.
     
  13. Cookiegal (Administrator, Malware Specialist Coordinator)

    Yes, I have the same message so the site must be having problems. I'm sure it will be fine a little later.
     
  14. klnaj (Thread Starter)

    Ok, here is the scan report from AVG and Panda ActiveScan.

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 9:54:08 PM 2/14/2007

    + Scan result:



    C:\Documents and Settings\Takumi Fujiwara\Cookies\[email protected][2].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\Takumi Fujiwara\Cookies\[email protected][1].txt -> TrackingCookie.Adrevolver : Cleaned.
    C:\Documents and Settings\Takumi Fujiwara\Cookies\[email protected][1].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Takumi Fujiwara\Cookies\[email protected][2].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Takumi Fujiwara\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned.


    ::Report end




    Incident Status Location

    Adware:Adware/Lop Not disinfected C:\!KillBox\send mags corn dupe\Bows Delete.exe
    Adware:Adware/Lop Not disinfected C:\!KillBox\Win gpl junk\copygreatooze.exe
    Adware:Adware/Lop Not disinfected C:\!KillBox\Win gpl junk\gqeohyjf.exe
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Takumi Fujiwara\Cookies\[email protected][1].txt
     
  15. Cookiegal (Administrator, Malware Specialist Coordinator)

    How are things running now?
     
Short URL to this thread: https://techguy.org/543641