unremovable virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

virtualgeorg

Thread Starter
Joined
Sep 9, 2003
Messages
320
I have a Windows 2000 PC that a lot of different people use for who knows what. It is always getting viruses & spyware, but lately it has different viruses that Norton or AVG can't remove, or they say they remove them and they come back. Sometimes I try to find the files manually to delete them and they seem to randomly disappear, and trying to remove them in safe mode doesn't work either.

Now it is starting to download multiple copies of emails, and when you delete them and check your mail again the same multiple messages keep coming. Can't send to floppies anymore or even delete any files, and lots of weird stuff like that.

I have been screwing around so much that I think it will just be faster to format & re-install. Or I could remove the drive and place it in another PC to try to remove the viruses, but maybe it's already too screwed up?

And if I do a re-install I usually back up & restore Outlook Express. When you restore their emails, does that sometimes just put the viruses back into the computer, or what precautions could be taken to prevent that?

It just seems that even though I have Norton & AVG on this PC it still gets infected.

So is the best bet probably to just reformat?

thanks,
 
Joined
Aug 17, 2003
Messages
17,584
First thing is, running 2 antivirus programs at the same time is not a "good idea".
They can conflict with each other and be less effective than one.

Secondly, if you post the virus details, and importantly where it believes they are located, it would help.

It's probably a good idea to download HiJackThis and post a log back here.

It should all be fixable.
 
Joined
Sep 21, 2003
Messages
2,243
Is this computer on a network? Also, does this computer have a software firewall? If there is no software firewall, that is probably the reason it keeps getting viruses. Now, if you have the right software you really don't need to format the machine to have it cleaned up, but if you don't then yes, format is the way to go, and then install a good virus program and a good firewall and you will be OK. Make sure you back up your data before the format if you go that way.
 
Joined
May 16, 2003
Messages
4,092
Yes, restoring an infected backup will infect a newly formatted computer.
 

virtualgeorg

Thread Starter
Joined
Sep 9, 2003
Messages
320
Yeah, the computer is on a network, but there is no software firewall installed on any of the workstations. I thought we had something on the hardware end, but how would I check? We had a network guy set this up but he ain't around anymore.

It was also mentioned that if I had the right software I could clean it up. So besides the antivirus I run Spybot, which often solves the problems temporarily, & I have Ad-Aware Pro set up to scan & remove malware every night.

What other software should I use?
 
Joined
May 16, 2003
Messages
4,092
As Kiwiguy mentioned in #2, it might be an idea to do a HijackThis log and upload it so that some of the security team can have a look for you. Go here: http://forums.techguy.org/t110854.html and scroll down to parasitic, to HijackThis direct download, and Tutorial.
 

virtualgeorg

Thread Starter
Joined
Sep 9, 2003
Messages
320
Here is the hijack log:

Logfile of HijackThis v1.98.2
Scan saved at 11:05:24 AM, on 2/5/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Huey\HueyServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Huey\HueyController.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\cdowney.GCDOMAIN\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0291BC0E-BB50-F188-35F3-65D41AAA4BD8} - C:\WINNT\system32\auqjpiwc.dll (file missing)
O2 - BHO: (no name) - {02A4ED9E-B636-4E36-567D-06E73C57EC16} - C:\WINNT\system32\dbnqaeij.dll
O2 - BHO: (no name) - {034F3E2E-4F69-D950-CDD2-B2C3B9F5E941} - C:\WINNT\system32\yafyezdh.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E4A6AC9-F611-F52A-B023-3E416EF4DC81} - C:\WINNT\System32\avjspgen.dll (file missing)
O2 - BHO: (no name) - {165AEE4D-D3B6-5273-33E0-D6E3DA994174} - C:\WINNT\system32\nxugvruq.dll (file missing)
O2 - BHO: (no name) - {18633838-A2A8-FCF0-8DB3-D460C99EFBE2} - C:\WINNT\System32\jjeaomcc.dll (file missing)
O2 - BHO: (no name) - {31286A52-6410-7CDE-92AA-35A17B128E15} - C:\WINNT\System32\xzkiffrz.dll (file missing)
O2 - BHO: (no name) - {372BC535-F7C7-7DE0-0D93-F75CE0408E84} - C:\WINNT\system32\qqypgyip.dll
O2 - BHO: (no name) - {39CB092F-A448-5A56-91AC-259D953098BE} - C:\WINNT\system32\gdpaalsx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7431DF5A-0201-2ECE-480F-87C055201DE8} - C:\WINNT\System32\gueyepoj.dll
O2 - BHO: (no name) - {82C1A097-FF84-92E7-BFF4-8F734088A41A} - C:\WINNT\system32\crithkbw.dll
O2 - BHO: (no name) - {83BD3B11-E1F4-F1D2-8ED1-251773236F39} - C:\WINNT\system32\oxnvkcdc.dll (file missing)
O2 - BHO: (no name) - {8981EA67-8A4B-E696-E6D9-9621805A36B7} - C:\WINNT\system32\sqhdccns.dll (file missing)
O2 - BHO: (no name) - {8BB6336B-FAB0-0492-5AC7-1015FA8D6170} - C:\WINNT\System32\vfkctigl.dll (file missing)
O2 - BHO: (no name) - {A640F915-A2FE-2CAC-ED12-195BC0379E05} - C:\WINNT\system32\ibfwinsc.dll
O2 - BHO: (no name) - {A92A1024-E9C5-CEBA-86C6-DF79E3243A2E} - C:\WINNT\system32\pjarlxgg.dll (file missing)
O2 - BHO: (no name) - {BBDD5DC5-596A-7A54-7645-2A84A9649ADA} - C:\WINNT\system32\szsvvvrh.dll
O2 - BHO: (no name) - {BCC474BA-925D-5EE7-504D-221CE3D894CF} - C:\WINNT\system32\vgmpxrqk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CDFC68F4-8602-3D88-6431-149452EAAE6D} - C:\WINNT\system32\bakjcttf.dll (file missing)
O2 - BHO: (no name) - {D808DC85-8291-485C-0854-B3F922098B0D} - C:\WINNT\system32\jiznsbux.dll
O2 - BHO: (no name) - {D86B9A96-87C0-8BB1-AFA1-15E3A87480A1} - C:\WINNT\system32\bwxtnxcb.dll (file missing)
O2 - BHO: (no name) - {F781A32A-9B9D-9CB4-0292-89380AFC34C3} - C:\WINNT\System32\wuksxtnj.dll
O3 - Toolbar: Groovy Searches Bar - {0EF2F1DA-AA22-5255-47DC-DBBBBAF2F13C} - C:\WINNT\system32\GSBToolBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HueyToolbar] C:\Program Files\Huey\HueyController.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Groovy Search Bar - res://C:\WINNT\system32\GSBToolBar.dll/SEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: NetRez ADU v4,2,0,9 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
O16 - DPF: NetRez ADU v5,0,0,18 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
O16 - DPF: NetRez Client Installer - https://wam4.netrez1.netrez.com/classes/anasazi/ClientInstall.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.forsalebyowner.com/activex/ScriptX.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} - http://pak02.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.en-US.9.1.6.18.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://utell.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gcgr.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gcgr.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gcgr.com
 

virtualgeorg

Thread Starter
Joined
Sep 9, 2003
Messages
320
And Norton tells me I have the Netsky virus, so I downloaded & ran the removal tool from Symantec, but it did not find it. It seems the virus only pops up when Outlook Express is started?
 
Joined
May 16, 2003
Messages
4,092
You have an old version of HJT, "v1.98.2", which is now out of date.
You need v1.99.0.0.

I have also made a request on your behalf that this thread be moved to the security forum.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Please download and install the latest version of HJT so we can see some additional locations for your problem.

Go here and download the 'Hijack This!' self-extractor. Double-click on the file and it will self-extract to C:\program files\hijackthis.
Go to that folder, then double-click HijackThis.exe.
Click the "Scan" button; when the scan is finished the Scan button will become "Save Log". Click that and save the log.
Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

virtualgeorg

Thread Starter
Joined
Sep 9, 2003
Messages
320
Here is my new logfile:

Logfile of HijackThis v1.99.0
Scan saved at 3:26:02 PM, on 2/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Huey\HueyController.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0291BC0E-BB50-F188-35F3-65D41AAA4BD8} - C:\WINNT\system32\auqjpiwc.dll (file missing)
O2 - BHO: (no name) - {02A4ED9E-B636-4E36-567D-06E73C57EC16} - C:\WINNT\system32\dbnqaeij.dll
O2 - BHO: (no name) - {034F3E2E-4F69-D950-CDD2-B2C3B9F5E941} - C:\WINNT\system32\yafyezdh.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E4A6AC9-F611-F52A-B023-3E416EF4DC81} - C:\WINNT\System32\avjspgen.dll (file missing)
O2 - BHO: (no name) - {165AEE4D-D3B6-5273-33E0-D6E3DA994174} - C:\WINNT\system32\nxugvruq.dll (file missing)
O2 - BHO: (no name) - {18633838-A2A8-FCF0-8DB3-D460C99EFBE2} - C:\WINNT\System32\jjeaomcc.dll (file missing)
O2 - BHO: (no name) - {31286A52-6410-7CDE-92AA-35A17B128E15} - C:\WINNT\System32\xzkiffrz.dll (file missing)
O2 - BHO: (no name) - {372BC535-F7C7-7DE0-0D93-F75CE0408E84} - (no file)
O2 - BHO: (no name) - {39CB092F-A448-5A56-91AC-259D953098BE} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7431DF5A-0201-2ECE-480F-87C055201DE8} - (no file)
O2 - BHO: (no name) - {82C1A097-FF84-92E7-BFF4-8F734088A41A} - (no file)
O2 - BHO: (no name) - {83BD3B11-E1F4-F1D2-8ED1-251773236F39} - C:\WINNT\system32\oxnvkcdc.dll (file missing)
O2 - BHO: (no name) - {8981EA67-8A4B-E696-E6D9-9621805A36B7} - C:\WINNT\system32\sqhdccns.dll (file missing)
O2 - BHO: (no name) - {8BB6336B-FAB0-0492-5AC7-1015FA8D6170} - C:\WINNT\System32\vfkctigl.dll (file missing)
O2 - BHO: (no name) - {A640F915-A2FE-2CAC-ED12-195BC0379E05} - C:\WINNT\system32\ibfwinsc.dll
O2 - BHO: (no name) - {A92A1024-E9C5-CEBA-86C6-DF79E3243A2E} - C:\WINNT\system32\pjarlxgg.dll (file missing)
O2 - BHO: (no name) - {BBDD5DC5-596A-7A54-7645-2A84A9649ADA} - C:\WINNT\system32\szsvvvrh.dll
O2 - BHO: (no name) - {BCC474BA-925D-5EE7-504D-221CE3D894CF} - C:\WINNT\system32\vgmpxrqk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CDFC68F4-8602-3D88-6431-149452EAAE6D} - C:\WINNT\system32\bakjcttf.dll (file missing)
O2 - BHO: (no name) - {D808DC85-8291-485C-0854-B3F922098B0D} - C:\WINNT\system32\jiznsbux.dll
O2 - BHO: (no name) - {D86B9A96-87C0-8BB1-AFA1-15E3A87480A1} - C:\WINNT\system32\bwxtnxcb.dll (file missing)
O2 - BHO: (no name) - {F781A32A-9B9D-9CB4-0292-89380AFC34C3} - C:\WINNT\System32\wuksxtnj.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HueyToolbar] C:\Program Files\Huey\HueyController.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: NetRez ADU v4,2,0,9 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
O16 - DPF: NetRez ADU v5,0,0,18 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
O16 - DPF: NetRez Client Installer - https://wam4.netrez1.netrez.com/classes/anasazi/ClientInstall.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} - http://pak02.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.en-US.9.1.6.18.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://utell.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gcgr.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gcgr.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gcgr.com
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Huey Server - Unknown - C:\Program Files\Huey\HueyServ.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
I'm not sure what this is:
O4 - HKLM\..\Run: [HueyToolbar] C:\Program Files\Huey\HueyController.exe

I think it's a remote access or backdoor that might be legit or might be nasty. If you installed it and know about it, OK; otherwise let us know and we'll fix it later.

Download Ad-Aware SE from http://www.lavasoft.de/support/download and install it if you haven't already got it. If you have it, then make sure it is updated and configured as described later in this post.

Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily.

Reboot into safe mode by following the instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries, double-check to make sure, then make sure all browser & email windows are closed and press Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0291BC0E-BB50-F188-35F3-65D41AAA4BD8} - C:\WINNT\system32\auqjpiwc.dll (file missing)
O2 - BHO: (no name) - {02A4ED9E-B636-4E36-567D-06E73C57EC16} - C:\WINNT\system32\dbnqaeij.dll
O2 - BHO: (no name) - {034F3E2E-4F69-D950-CDD2-B2C3B9F5E941} - C:\WINNT\system32\yafyezdh.dll (file missing)

O2 - BHO: (no name) - {0E4A6AC9-F611-F52A-B023-3E416EF4DC81} - C:\WINNT\System32\avjspgen.dll (file missing)
O2 - BHO: (no name) - {165AEE4D-D3B6-5273-33E0-D6E3DA994174} - C:\WINNT\system32\nxugvruq.dll (file missing)
O2 - BHO: (no name) - {18633838-A2A8-FCF0-8DB3-D460C99EFBE2} - C:\WINNT\System32\jjeaomcc.dll (file missing)
O2 - BHO: (no name) - {31286A52-6410-7CDE-92AA-35A17B128E15} - C:\WINNT\System32\xzkiffrz.dll (file missing)
O2 - BHO: (no name) - {372BC535-F7C7-7DE0-0D93-F75CE0408E84} - (no file)
O2 - BHO: (no name) - {39CB092F-A448-5A56-91AC-259D953098BE} - (no file)

O2 - BHO: (no name) - {7431DF5A-0201-2ECE-480F-87C055201DE8} - (no file)
O2 - BHO: (no name) - {82C1A097-FF84-92E7-BFF4-8F734088A41A} - (no file)
O2 - BHO: (no name) - {83BD3B11-E1F4-F1D2-8ED1-251773236F39} - C:\WINNT\system32\oxnvkcdc.dll (file missing)
O2 - BHO: (no name) - {8981EA67-8A4B-E696-E6D9-9621805A36B7} - C:\WINNT\system32\sqhdccns.dll (file missing)
O2 - BHO: (no name) - {8BB6336B-FAB0-0492-5AC7-1015FA8D6170} - C:\WINNT\System32\vfkctigl.dll (file missing)
O2 - BHO: (no name) - {A640F915-A2FE-2CAC-ED12-195BC0379E05} - C:\WINNT\system32\ibfwinsc.dll
O2 - BHO: (no name) - {A92A1024-E9C5-CEBA-86C6-DF79E3243A2E} - C:\WINNT\system32\pjarlxgg.dll (file missing)
O2 - BHO: (no name) - {BBDD5DC5-596A-7A54-7645-2A84A9649ADA} - C:\WINNT\system32\szsvvvrh.dll
O2 - BHO: (no name) - {BCC474BA-925D-5EE7-504D-221CE3D894CF} - C:\WINNT\system32\vgmpxrqk.dll

O2 - BHO: (no name) - {CDFC68F4-8602-3D88-6431-149452EAAE6D} - C:\WINNT\system32\bakjcttf.dll (file missing)
O2 - BHO: (no name) - {D808DC85-8291-485C-0854-B3F922098B0D} - C:\WINNT\system32\jiznsbux.dll
O2 - BHO: (no name) - {D86B9A96-87C0-8BB1-AFA1-15E3A87480A1} - C:\WINNT\system32\bwxtnxcb.dll (file missing)
O2 - BHO: (no name) - {F781A32A-9B9D-9CB4-0292-89380AFC34C3} - C:\WINNT\System32\wuksxtnj.dll

O16 - DPF: NetRez ADU v4,2,0,9 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
O16 - DPF: NetRez ADU v5,0,0,18 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
O16 - DPF: NetRez Client Installer - https://wam4.netrez1.netrez.com/cla...ientInstall.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://utell.webex.com/client/latest/webex/ieatgpc.cab


O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe


Now run Killbox and paste the FIRST ONE of these lines into the box, select Standard File Delete, then press the red X button and say yes to the prompt.

Then continue to paste the lines in, in turn, and follow the above procedure every time. If it says the file is missing, don't worry; if it says unable to delete, then make a note of the file name and let us know when you reply.

C:\WINNT\system32\msupd5.exe
C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
C:\WINNT\System32\wuksxtnj.dll
C:\WINNT\system32\jiznsbux.dll
C:\WINNT\system32\vgmpxrqk.dll
C:\WINNT\system32\szsvvvrh.dll
C:\WINNT\system32\ibfwinsc.dll
C:\WINNT\system32\dbnqaeij.dll


Then on the Killbox top bar press Tools and then Empty Temp Files, follow those prompts and say yes to everything.

Then, as some of the folders you need to delete may be hidden, do this:
Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".




Then go to C:\winnt\temp and select EVERYTHING except the Temporary Internet Files, Cookies and History folders, delete all that, and then do the same for C:\temp.

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

Then

Run Ad-Aware

Before you scan with Ad-Aware, check for updates of the reference file by using the "webupdate".
The current ref file should read at least SE1R27 55.02.2005 or a higher number/later date.

Set up the Configurations as follows:

General Button
Safety:
Check (Green) all three.

Click on "Proceed"

Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

Click on "Scan Now"

Run the scanner using the Full Scan (Perform full system scan) mode.

When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "select all" from the drop-down menu), then press Next and then say yes to the prompt "do you want to remove all these entries".


Reboot &

Download and install the Micro$oft AntiSpyware BETA from http://www.microsoft.com/athome/security/spyware/software/default.mspx and let it fix anything it finds (when it finds things, please quarantine them rather than delete, just in case, as it is a beta and occasional false positives happen).

First press File and check for updates, and then run it.

Recent tests suggest that a combination of Ad-Aware & M$AS removes approx. 80% of spyware/adware, much higher than any other combination.

Run an online antivirus check from at least one and preferably 2 of the following sites:
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
http://www.bitdefender.com/scan/licence.php
http://www.commandondemand.com/eval/index.cfm
http://www.freedom.net/viruscenter/onlineviruscheck.html
http://info.ahnlab.com/english/
http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

Reboot again.

Please go to http://www.thespykiller.co.uk/forum/index.php and upload these files so I can examine them and distribute them to antivirus companies.
Just press New Topic, fill in the needed details and just give a link to your post here, & then press the Browse button and navigate to & select the files on your computer. If there is more than 1 file, then press the More Attachments button for each extra file and browse and select etc., and then when all the files are listed in the window press Send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:

Anything inside the C:\!submit folder, which is where Killbox should have made copies of all the files it deleted.

The easy way is to first go to c:\!submit and select all the files inside it, right-click and Send To > Compressed Folder; that will make a zipped copy of all the files, and then upload the zipped copy.

Then post a new HijackThis log to check what is left.
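The entries dvk01 picked out of the log above share a few patterns that can be checked mechanically: BHOs with no name whose DLL is a random-looking 8-letter file in system32 or is already missing, an O16 ActiveX installer registered from a local temp .cab, and an O23 service with no vendor and a misspelled "Miscrosoft" name. The script below is an added example, not code from this thread or from HijackThis: it parses lines in the HijackThis v1.99 format and flags those patterns; the heuristics are mine, and a human reviewer will still catch entries they miss (the webex cab dvk01 listed, for instance).

```python
import re

# Constructed sample in HijackThis v1.99 format: benign and suspicious lines
# copied from the second log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0291BC0E-BB50-F188-35F3-65D41AAA4BD8} - C:\WINNT\system32\auqjpiwc.dll (file missing)
O2 - BHO: (no name) - {02A4ED9E-B636-4E36-567D-06E73C57EC16} - C:\WINNT\system32\dbnqaeij.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {372BC535-F7C7-7DE0-0D93-F75CE0408E84} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: NetRez ADU v5,0,0,18 - file://C:\DOCUME~1\cdowney\LOCALS~1\Temp\NetRezADU.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# One regex per HJT section we look at (O2 BHOs, O4 autoruns, O16 ActiveX, O23 services).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<name>.*) - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>[A-Za-z]:\\.*)$")

SYSTEM32 = re.compile(r"^[A-Za-z]:\\WIN(?:NT|DOWS)\\system32\\", re.I)
RANDOM_STEM = re.compile(r"^[a-z]{8}$")        # e.g. auqjpiwc, dbnqaeij
TYPO_VENDOR = re.compile(r"mi\w*soft", re.I)   # catches "Miscrosoft"; real spelling is excluded below


def random_name_in_system32(path: str) -> bool:
    """True for an 8-lowercase-letter file name living in the system32 directory."""
    if not SYSTEM32.match(path):
        return False
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(RANDOM_STEM.match(stem))


def check_line(line: str) -> list[str]:
    """Return the reasons (possibly none) why one HJT line deserves a closer look."""
    reasons = []
    if (m := O2_RE.match(line)):
        path = m["path"]
        if path == "(no file)" or path.endswith("(file missing)"):
            reasons.append("orphaned BHO registration, file already gone")
        if random_name_in_system32(path.replace(" (file missing)", "")):
            reasons.append("random 8-letter DLL name in system32")
    elif (m := O4_RE.match(line)):
        exe = m["cmd"].strip('"').split('"')[0].split(" /")[0]   # drop quotes and switches
        if random_name_in_system32(exe):
            reasons.append("random 8-letter autorun binary in system32")
    elif (m := O16_RE.match(line)):
        if m["url"].lower().startswith("file://"):
            reasons.append("ActiveX installer registered from a local/temp .cab")
    elif (m := O23_RE.match(line)):
        name = m["name"]
        if m["vendor"] == "Unknown":
            reasons.append("service with no recognised vendor")
        if TYPO_VENDOR.search(name) and "microsoft" not in name.lower():
            reasons.append("vendor-like service name is misspelled (%r)" % name)
        if random_name_in_system32(m["path"]):
            reasons.append("random 8-letter service binary in system32")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Walk a whole log and return (line, reasons) for every line that trips a rule."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = check_line(line)
        if reasons:
            out.append((line, reasons))
    return out


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Note that the Spybot SDHelper.dll line is also "(no name)" yet is left alone, because a missing display name on its own is not a signal; the path is what separates it from the system32 entries.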
 

virtualgeorg

Thread Starter
Joined
Sep 9, 2003
Messages
320
Thanks very much!! My problems seem to be solved. I wanted to wait a few days to see how it worked, but it seems fine now, and I will upload the files to your spykiller website when I am at that location again in a few days.

At this location there are about 20+ more computers that will need the same software installed. Can you suggest a way that I could do this remotely from my home, where I could connect to the PCs at night and do a remote desktop thing that would allow me to install programs & reboot the computers?

I use VNC or Remote Desktop in WinXP sometimes, but I hear about security issues, and I am not sure how I would log back into the network after I rebooted remotely.

They are Win2k workstations with a Win2k Advanced Server.
 