
unremovable virus

Discussion in 'Virus & Other Malware Removal' started by virtualgeorg, Feb 4, 2005.

Thread Status:
Not open for further replies.
  1. virtualgeorg

    virtualgeorg Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    320
    I have a Windows 2000 PC that a lot of different people use for who knows what. It is always getting viruses & spyware, but lately it has different viruses that Norton or AVG can't remove, or they say they removed them and they come back. Sometimes I try to find the files manually to delete them and they seem to randomly disappear, and trying to remove them in safe mode doesn't work either.

    Now it is starting to download multiple copies of emails, and when you delete them and check your mail again the same multiple messages keep coming. Can't send to floppies anymore or even delete any files, and lots of weird stuff like that.

    I have been screwing around so much that I think it will just be faster to format & re-install. Or I could remove the drive and place it in another PC to try to remove the viruses, but maybe it's already too screwed up?

    And if I do a re-install I usually backup & restore Outlook Express. When you restore their emails, does that sometimes just put the viruses back into the computer, or what precautions could be taken to prevent that?

    It just seems that even though I have Norton & AVG on this pc it still gets infected.

    So is the best bet probably to just reformat?

    thanks,
     
  2. kiwiguy

    kiwiguy

    Joined:
    Aug 17, 2003
    Messages:
    17,584
    First thing is, running 2 antivirus programs at the same time is not a "good idea".
    They can conflict with each other and be less effective than one.

    Secondly, if you post the virus details, and importantly where it believes they are located it would help.

    It's probably a good idea to download HiJackThis and post a log back here.

    It should all be fixable.
     
  3. natcom

    natcom

    Joined:
    Sep 21, 2003
    Messages:
    2,243
    Is this computer on a network? Also, does this computer have a software firewall? If there is no software firewall, that is probably the reason it keeps getting viruses. Now, if you have the right software you really don't need to format the machine to get it cleaned up, but if you don't, then yes, format is the way to go, and then install a good virus program and a good firewall and you will be OK. Make sure you back up your data before you format, if you go that way.
     
  4. xgerryx

    xgerryx

    Joined:
    May 16, 2003
    Messages:
    4,092
    Yes restoring an infected backup will infect a newly formatted computer.
     
  5. virtualgeorg

    virtualgeorg Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    320
    Yeah, the computer is on a network, but there is no software firewall installed on any of the workstations. I thought we had something on the hardware end, but how would I check? We had a network guy set this up but he ain't around anymore.

    It was also mentioned that if I had the right software I could clean it up. So besides the antivirus I run Spybot, which often solves the problems temporarily, & I have Ad-Aware Pro set up to scan & remove malware every night.

    What other software should I use?
     
  6. xgerryx

    xgerryx

    Joined:
    May 16, 2003
    Messages:
    4,092
    As Kiwiguy mentioned in #2, it might be an idea to do a HijackThis log and upload it so that some of the security team can have a look for you. Go here: http://forums.techguy.org/t110854.html and scroll down to the parasitic section for the HijackThis direct download and tutorial.
     
  7. virtualgeorg

    virtualgeorg Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    320
    Here is the hijack log:

    Logfile of HijackThis v1.98.2
    Scan saved at 11:05:24 AM, on 2/5/2005
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Huey\HueyServ.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Huey\HueyController.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\Documents and Settings\cdowney.GCDOMAIN\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0291BC0E-BB50-F188-35F3-65D41AAA4BD8} - C:\WINNT\system32\auqjpiwc.dll (file missing)
    O2 - BHO: (no name) - {02A4ED9E-B636-4E36-567D-06E73C57EC16} - C:\WINNT\system32\dbnqaeij.dll
    O2 - BHO: (no name) - {034F3E2E-4F69-D950-CDD2-B2C3B9F5E941} - C:\WINNT\system32\yafyezdh.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0E4A6AC9-F611-F52A-B023-3E416EF4DC81} - C:\WINNT\System32\avjspgen.dll (file missing)
    O2 - BHO: (no name) - {165AEE4D-D3B6-5273-33E0-D6E3DA994174} - C:\WINNT\system32\nxugvruq.dll (file missing)
    O2 - BHO: (no name) - {18633838-A2A8-FCF0-8DB3-D460C99EFBE2} - C:\WINNT\System32\jjeaomcc.dll (file missing)
    O2 - BHO: (no name) - {31286A52-6410-7CDE-92AA-35A17B128E15} - C:\WINNT\System32\xzkiffrz.dll (file missing)
    O2 - BHO: (no name) - {372BC535-F7C7-7DE0-0D93-F75CE0408E84} - C:\WINNT\system32\qqypgyip.dll
    O2 - BHO: (no name) - {39CB092F-A448-5A56-91AC-259D953098BE} - C:\WINNT\system32\gdpaalsx.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7431DF5A-0201-2ECE-480F-87C055201DE8} - C:\WINNT\System32\gueyepoj.dll
    O2 - BHO: (no name) - {82C1A097-FF84-92E7-BFF4-8F734088A41A} - C:\WINNT\system32\crithkbw.dll
    O2 - BHO: (no name) - {83BD3B11-E1F4-F1D2-8ED1-251773236F39} - C:\WINNT\system32\oxnvkcdc.dll (file missing)
    O2 - BHO: (no name) - {8981EA67-8A4B-E696-E6D9-9621805A36B7} - C:\WINNT\system32\sqhdccns.dll (file missing)
    O2 - BHO: (no name) - {8BB6336B-FAB0-0492-5AC7-1015FA8D6170} - C:\WINNT\System32\vfkctigl.dll (file missing)
    O2 - BHO: (no name) - {A640F915-A2FE-2CAC-ED12-195BC0379E05} - C:\WINNT\system32\ibfwinsc.dll
    O2 - BHO: (no name) - {A92A1024-E9C5-CEBA-86C6-DF79E3243A2E} - C:\WINNT\system32\pjarlxgg.dll (file missing)
    O2 - BHO: (no name) - {BBDD5DC5-596A-7A54-7645-2A84A9649ADA} - C:\WINNT\system32\szsvvvrh.dll
    O2 - BHO: (no name) - {BCC474BA-925D-5EE7-504D-221CE3D894CF} - C:\WINNT\system32\vgmpxrqk.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {CDFC68F4-8602-3D88-6431-149452EAAE6D} - C:\WINNT\system32\bakjcttf.dll (file missing)
    O2 - BHO: (no name) - {D808DC85-8291-485C-0854-B3F922098B0D} - C:\WINNT\system32\jiznsbux.dll
    O2 - BHO: (no name) - {D86B9A96-87C0-8BB1-AFA1-15E3A87480A1} - C:\WINNT\system32\bwxtnxcb.dll (file missing)
    O2 - BHO: (no name) - {F781A32A-9B9D-9CB4-0292-89380AFC34C3} - C:\WINNT\System32\wuksxtnj.dll
    O3 - Toolbar: Groovy Searches Bar - {0EF2F1DA-AA22-5255-47DC-DBBBBAF2F13C} - C:\WINNT\system32\GSBToolBar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [HueyToolbar] C:\Program Files\Huey\HueyController.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Groovy Search Bar - res://C:\WINNT\system32\GSBToolBar.dll/SEARCH.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: NetRez ADU v4,2,0,9 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
    O16 - DPF: NetRez ADU v5,0,0,18 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
    O16 - DPF: NetRez Client Installer - https://wam4.netrez1.netrez.com/classes/anasazi/ClientInstall.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.forsalebyowner.com/activex/ScriptX.cab
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} - http://pak02.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.en-US.9.1.6.18.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://utell.webex.com/client/latest/webex/ieatgpc.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gcgr.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gcgr.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gcgr.com
     
  8. virtualgeorg

    virtualgeorg Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    320
    And Norton tells me I have the Netsky virus, so I downloaded & ran the removal tool from Symantec, but it did not find it. Seems the virus only pops up when Outlook Express is started?
     
  9. xgerryx

    xgerryx

    Joined:
    May 16, 2003
    Messages:
    4,092
    You have an old version of HJT, "v1.98.2", which is now out of date.
    You need v1.99.0.0.

    I have also made a request on your behalf that this thread be moved to the security forum.
     
  10. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    34,062
    Moved to Security as requested :)

    eddie
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Please download and install the latest version of HJT so we can see some additional locations for your problem.

    Go here and download the 'Hijack This!' self-extractor. Double-click on the file and it will self-extract to C:\program files\hijackthis.
    Go to that folder, then double-click the Hijackthis.exe.
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  12. xgerryx

    xgerryx

    Joined:
    May 16, 2003
    Messages:
    4,092
    Thanks Eddie
     
  13. virtualgeorg

    virtualgeorg Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    320
    Here is my new logfile:

    Logfile of HijackThis v1.99.0
    Scan saved at 3:26:02 PM, on 2/9/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Huey\HueyController.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0291BC0E-BB50-F188-35F3-65D41AAA4BD8} - C:\WINNT\system32\auqjpiwc.dll (file missing)
    O2 - BHO: (no name) - {02A4ED9E-B636-4E36-567D-06E73C57EC16} - C:\WINNT\system32\dbnqaeij.dll
    O2 - BHO: (no name) - {034F3E2E-4F69-D950-CDD2-B2C3B9F5E941} - C:\WINNT\system32\yafyezdh.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0E4A6AC9-F611-F52A-B023-3E416EF4DC81} - C:\WINNT\System32\avjspgen.dll (file missing)
    O2 - BHO: (no name) - {165AEE4D-D3B6-5273-33E0-D6E3DA994174} - C:\WINNT\system32\nxugvruq.dll (file missing)
    O2 - BHO: (no name) - {18633838-A2A8-FCF0-8DB3-D460C99EFBE2} - C:\WINNT\System32\jjeaomcc.dll (file missing)
    O2 - BHO: (no name) - {31286A52-6410-7CDE-92AA-35A17B128E15} - C:\WINNT\System32\xzkiffrz.dll (file missing)
    O2 - BHO: (no name) - {372BC535-F7C7-7DE0-0D93-F75CE0408E84} - (no file)
    O2 - BHO: (no name) - {39CB092F-A448-5A56-91AC-259D953098BE} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7431DF5A-0201-2ECE-480F-87C055201DE8} - (no file)
    O2 - BHO: (no name) - {82C1A097-FF84-92E7-BFF4-8F734088A41A} - (no file)
    O2 - BHO: (no name) - {83BD3B11-E1F4-F1D2-8ED1-251773236F39} - C:\WINNT\system32\oxnvkcdc.dll (file missing)
    O2 - BHO: (no name) - {8981EA67-8A4B-E696-E6D9-9621805A36B7} - C:\WINNT\system32\sqhdccns.dll (file missing)
    O2 - BHO: (no name) - {8BB6336B-FAB0-0492-5AC7-1015FA8D6170} - C:\WINNT\System32\vfkctigl.dll (file missing)
    O2 - BHO: (no name) - {A640F915-A2FE-2CAC-ED12-195BC0379E05} - C:\WINNT\system32\ibfwinsc.dll
    O2 - BHO: (no name) - {A92A1024-E9C5-CEBA-86C6-DF79E3243A2E} - C:\WINNT\system32\pjarlxgg.dll (file missing)
    O2 - BHO: (no name) - {BBDD5DC5-596A-7A54-7645-2A84A9649ADA} - C:\WINNT\system32\szsvvvrh.dll
    O2 - BHO: (no name) - {BCC474BA-925D-5EE7-504D-221CE3D894CF} - C:\WINNT\system32\vgmpxrqk.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {CDFC68F4-8602-3D88-6431-149452EAAE6D} - C:\WINNT\system32\bakjcttf.dll (file missing)
    O2 - BHO: (no name) - {D808DC85-8291-485C-0854-B3F922098B0D} - C:\WINNT\system32\jiznsbux.dll
    O2 - BHO: (no name) - {D86B9A96-87C0-8BB1-AFA1-15E3A87480A1} - C:\WINNT\system32\bwxtnxcb.dll (file missing)
    O2 - BHO: (no name) - {F781A32A-9B9D-9CB4-0292-89380AFC34C3} - C:\WINNT\System32\wuksxtnj.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [HueyToolbar] C:\Program Files\Huey\HueyController.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: NetRez ADU v4,2,0,9 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
    O16 - DPF: NetRez ADU v5,0,0,18 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
    O16 - DPF: NetRez Client Installer - https://wam4.netrez1.netrez.com/classes/anasazi/ClientInstall.cab
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} - http://pak02.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.en-US.9.1.6.18.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://utell.webex.com/client/latest/webex/ieatgpc.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gcgr.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gcgr.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gcgr.com
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Huey Server - Unknown - C:\Program Files\Huey\HueyServ.exe
    O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    I'm not sure what this is
    O4 - HKLM\..\Run: [HueyToolbar] C:\Program Files\Huey\HueyController.exe

    I think it's a remote access or backdoor that might be legit or might be nasty. If you installed it and know about it, OK; otherwise let us know and we'll fix it later.

    Download AdAware SE from http://www.lavasoft.de/support/download and install it if you haven't already got it. If you have it, then make sure it is updated and configured as described later in this post.

    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily.

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press "Fix checked".

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0291BC0E-BB50-F188-35F3-65D41AAA4BD8} - C:\WINNT\system32\auqjpiwc.dll (file missing)
    O2 - BHO: (no name) - {02A4ED9E-B636-4E36-567D-06E73C57EC16} - C:\WINNT\system32\dbnqaeij.dll
    O2 - BHO: (no name) - {034F3E2E-4F69-D950-CDD2-B2C3B9F5E941} - C:\WINNT\system32\yafyezdh.dll (file missing)

    O2 - BHO: (no name) - {0E4A6AC9-F611-F52A-B023-3E416EF4DC81} - C:\WINNT\System32\avjspgen.dll (file missing)
    O2 - BHO: (no name) - {165AEE4D-D3B6-5273-33E0-D6E3DA994174} - C:\WINNT\system32\nxugvruq.dll (file missing)
    O2 - BHO: (no name) - {18633838-A2A8-FCF0-8DB3-D460C99EFBE2} - C:\WINNT\System32\jjeaomcc.dll (file missing)
    O2 - BHO: (no name) - {31286A52-6410-7CDE-92AA-35A17B128E15} - C:\WINNT\System32\xzkiffrz.dll (file missing)
    O2 - BHO: (no name) - {372BC535-F7C7-7DE0-0D93-F75CE0408E84} - (no file)
    O2 - BHO: (no name) - {39CB092F-A448-5A56-91AC-259D953098BE} - (no file)

    O2 - BHO: (no name) - {7431DF5A-0201-2ECE-480F-87C055201DE8} - (no file)
    O2 - BHO: (no name) - {82C1A097-FF84-92E7-BFF4-8F734088A41A} - (no file)
    O2 - BHO: (no name) - {83BD3B11-E1F4-F1D2-8ED1-251773236F39} - C:\WINNT\system32\oxnvkcdc.dll (file missing)
    O2 - BHO: (no name) - {8981EA67-8A4B-E696-E6D9-9621805A36B7} - C:\WINNT\system32\sqhdccns.dll (file missing)
    O2 - BHO: (no name) - {8BB6336B-FAB0-0492-5AC7-1015FA8D6170} - C:\WINNT\System32\vfkctigl.dll (file missing)
    O2 - BHO: (no name) - {A640F915-A2FE-2CAC-ED12-195BC0379E05} - C:\WINNT\system32\ibfwinsc.dll
    O2 - BHO: (no name) - {A92A1024-E9C5-CEBA-86C6-DF79E3243A2E} - C:\WINNT\system32\pjarlxgg.dll (file missing)
    O2 - BHO: (no name) - {BBDD5DC5-596A-7A54-7645-2A84A9649ADA} - C:\WINNT\system32\szsvvvrh.dll
    O2 - BHO: (no name) - {BCC474BA-925D-5EE7-504D-221CE3D894CF} - C:\WINNT\system32\vgmpxrqk.dll

    O2 - BHO: (no name) - {CDFC68F4-8602-3D88-6431-149452EAAE6D} - C:\WINNT\system32\bakjcttf.dll (file missing)
    O2 - BHO: (no name) - {D808DC85-8291-485C-0854-B3F922098B0D} - C:\WINNT\system32\jiznsbux.dll
    O2 - BHO: (no name) - {D86B9A96-87C0-8BB1-AFA1-15E3A87480A1} - C:\WINNT\system32\bwxtnxcb.dll (file missing)
    O2 - BHO: (no name) - {F781A32A-9B9D-9CB4-0292-89380AFC34C3} - C:\WINNT\System32\wuksxtnj.dll

    O16 - DPF: NetRez ADU v4,2,0,9 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
    O16 - DPF: NetRez ADU v5,0,0,18 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
    O16 - DPF: NetRez Client Installer - https://wam4.netrez1.netrez.com/cla...ientInstall.cab
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://utell.webex.com/client/latest/webex/ieatgpc.cab


    O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe


    Now run killbox and paste the FIRST ONE of these lines into the box, select standard file delete, then press the red X button and say yes to the prompt.

    Then continue to paste the lines in, in turn, and follow the above procedure every time. If it says the file is missing, don't worry; if it says unable to delete, then make a note of the file name and let us know when you reply.

    C:\WINNT\system32\msupd5.exe
    C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
    C:\WINNT\System32\wuksxtnj.dll
    C:\WINNT\system32\jiznsbux.dll
    C:\WINNT\system32\vgmpxrqk.dll
    C:\WINNT\system32\szsvvvrh.dll
    C:\WINNT\system32\ibfwinsc.dll
    C:\WINNT\system32\dbnqaeij.dll


    Then on killbox top bar press tools and then empty temp files and follow those prompts and say yes to everything

    then as some of the folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"




    then go to C:\winnt\temp and select EVERYTHING except temporary internet files, cookies and history folders and delete all that and then do the same for C:\temp

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least SE1R27 55.02.2005 or a higher number/later date

    Set up the Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Click on "Proceed"

    Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    Click on "Scan Now"

    Run the scanner using the Full Scan (Perform full system scan) mode.

    When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "select all" from the drop-down menu), then press next and say yes to the prompt "do you want to remove all these entries".


    Reboot &

    Download and install the Micro$oft antispyware BETA from http://www.microsoft.com/athome/security/spyware/software/default.mspx and let it fix anything it finds (when it finds things, please quarantine them rather than delete just in case as it is a beta and occasional False positives happen)

    First press file and check for updates and then run it

    Recent tests suggest that a combination of Adaware & M$AS removes approx 80% of spywares/Adwares, much higher than any other combination

    Run an online antivirus check from at least one and preferably 2 of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/
    http://www.bitdefender.com/scan/licence.php
    http://www.commandondemand.com/eval/index.cfm
    http://www.freedom.net/viruscenter/onlineviruscheck.html
    http://info.ahnlab.com/english/
    http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

    reboot again

    please go to http://www.thespykiller.co.uk/forum/index.php and upload these files so I can examine them and distribute them to antivirus companies.
    Just press new topic, fill in the needed details and just give a link to your post here, & then press the browse button and navigate to & select the files on your computer. If there is more than 1 file then press the more attachments button for each extra file and browse and select etc., and then when all the files are listed in the window press send to upload the files (do not post HJT logs there as they will not get dealt with).

    Files to submit:

    Anything inside the C:\!submit folder which is where killbox should have made copies of all the files it deleted


    the easy way is first go to c:\!submit and select all the files inside it, rightclick and send to compressed folder, that will make a zipped copy of all the files and then upload the zipped copy

    then post a new hijackthis log to check what is left
     
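The post above sorts the second log's entries into three kinds of action: registry entries to fix in HijackThis, files still on disk to delete with killbox (and submit from C:\!submit), and a service with no vendor. As an added illustration, not dvk01's or the forum's own tool, here is a small Python triage of that log using the same reading: a BHO marked "(file missing)" or "(no file)" is an orphaned registration, an eight-lowercase-letter .dll sitting directly in system32 is treated as a suspect file still present (that naming pattern is an assumption drawn from this thread's log, not a general rule), an O23 service whose vendor column reads "Unknown" is flagged, and an O16 ActiveX object loaded from a local file:// path is flagged. The sample is a handful of lines copied from the log in post 13.

```python
import re

# Constructed sample: a handful of lines copied from the second HijackThis log
# posted in this thread (not the full log), so the triage can run offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {0291BC0E-BB50-F188-35F3-65D41AAA4BD8} - C:\WINNT\system32\auqjpiwc.dll (file missing)
O2 - BHO: (no name) - {02A4ED9E-B636-4E36-567D-06E73C57EC16} - C:\WINNT\system32\dbnqaeij.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {372BC535-F7C7-7DE0-0D93-F75CE0408E84} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F781A32A-9B9D-9CB4-0292-89380AFC34C3} - C:\WINNT\System32\wuksxtnj.dll
O16 - DPF: NetRez ADU v5,0,0,18 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://utell.webex.com/client/latest/webex/ieatgpc.cab
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# HijackThis line shapes for the three sections the post acts on.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<name>.*?) - (?P<url>\S+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


def is_random_system32_dll(path):
    """Assumed heuristic: an 8-lowercase-letter .dll dropped directly in
    system32, the naming pattern of the nameless BHOs in this thread's log.
    A nameless BHO alone is not evidence (Spybot's SDHelper.dll has no name)."""
    parts = path.replace("/", "\\").lower().split("\\")
    if len(parts) < 2 or parts[-2] != "system32":
        return False
    stem, _, ext = parts[-1].rpartition(".")
    return ext == "dll" and re.fullmatch(r"[a-z]{8}", stem) is not None


def triage(log_text):
    """Sort O2/O16/O23 entries into the buckets a helper would act on:
    orphaned registrations (registry fix only), suspect DLLs still on disk
    (delete and submit), services with no vendor, and ActiveX objects staged
    from a local file:// path. Everything else parsed lands in 'benign'."""
    findings = {"orphaned_bho": [], "suspect_dll": [], "unknown_service": [],
                "local_dpf": [], "benign": []}
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            target = m.group("target").strip()
            if target == "(no file)" or target.endswith("(file missing)"):
                findings["orphaned_bho"].append(m.group("clsid"))
            elif is_random_system32_dll(target):
                findings["suspect_dll"].append(target)
            else:
                findings["benign"].append(line)
            continue
        m = DPF_RE.match(line)
        if m:
            url = m.group("url")
            if url.lower().startswith("file://"):
                findings["local_dpf"].append(url)
            else:
                findings["benign"].append(line)
            continue
        m = SVC_RE.match(line)
        if m:
            if m.group("vendor").strip().lower() == "unknown":
                findings["unknown_service"].append(m.group("path").strip())
            else:
                findings["benign"].append(line)
    return findings


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket} ({len(items)}):")
        for item in items:
            print("   ", item)
```

Run against the full log, the "suspect_dll" bucket is the list of files a helper would hand to killbox and the "orphaned_bho" bucket is what only needs the registry entry fixed; the split matters because deleting a file that is already gone tells you nothing, while a present file is the thing worth submitting to the antivirus vendors as the post asks.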
  15. virtualgeorg

    virtualgeorg Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    320
    Thanks Very Much!! My problems seem to be solved. I wanted to wait a few days to see how it worked, but it seems fine now, and I will upload the files to your spykiller website when I am at that location again in a few days.

    At this location there are about 20+ more computers that will need the same software installed. Can you suggest a way that I could do this remotely from my home, where I could connect to the PCs at night and do a remote desktop thing that would allow me to install programs & reboot the computers?

    I use VNC or Remote Desktop in WinXP sometimes, but hear about security issues, and I am not sure how I would log back into the network after I rebooted remotely.

    They are win2k workstations with a win2k advanced server.
     
Short URL to this thread: https://techguy.org/326792
