
win xp virus please help

Discussion in 'Windows XP' started by buckshot1977, Aug 8, 2006.

Thread Status:
Not open for further replies.
  1. buckshot1977

    buckshot1977 Thread Starter

    Joined:
    Mar 13, 2006
    Messages:
    8
    My PC has a virus that, as soon as you log into Win XP, covers the desktop and will not let you view the desktop. It wants me to install their software, and I know that's not good. It's from Spyware Soldier, I believe.

    Here is a log file; I hope it helps.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:26:15 PM, on 8/7/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\smartdrv.exe
    C:\WINDOWS\system32\officescan.exe
    C:\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    O2 - BHO: (no name) - {3BA0110D-EE46-03E4-8723-6D557FF7791E} - C:\WINDOWS\system32\hxmaitqo.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {61BDA913-158A-1850-FD2E-1D944E9D8ABA} - C:\WINDOWS\system32\fvdeptpk.dll
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: (no name) - {87185E78-A61B-4DB3-965A-3235BBD7A622} - C:\WINDOWS\SYSTEM32\win32hp.dll
    O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [win32hlp] C:\WINDOWS\system32\win32hlp.exe
    O4 - HKLM\..\Run: [updwebmin] c:\windows\system32\updwebmin.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [e46f6f149d9] C:\WINDOWS\System32\e46f6f149d9.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\RunServices: [updwebmin] c:\windows\system32\updwebmin.exe
    O4 - HKCU\..\Run: [updwebmin] c:\windows\system32\updwebmin.exe
    O4 - HKCU\..\Run: [e46f6f149d9] C:\WINDOWS\System32\e46f6f149d9.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
    O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
    O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: WindowInstallSystem (e46f6f149d9svr) - Unknown owner - C:\WINDOWS\e46f6f149d9.exe
    O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)


    Thank you all for your time and help.
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,019
    Hi and welcome to TSG,

    Please download SmitfraudFix (by S!Ri)

    Extract (unzip) the content (a folder named SmitfraudFix) to your Desktop. This is imperative for the tool to function properly. If using a utility such as WinZip you will have to direct it there, as it will not unzip to the desktop by default. The destination location should look like this (C: being your primary drive): C:\Documents and Settings\User\Desktop\SmitfraudFix

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  3. buckshot1977

    buckshot1977 Thread Starter

    Joined:
    Mar 13, 2006
    Messages:
    8
    Thank you very much. I will give this a try and get back to you soon. Thank you for your time and help.
     
  4. buckshot1977

    buckshot1977 Thread Starter

    Joined:
    Mar 13, 2006
    Messages:
    8
    OK, here is the log file, and it does not look good to me.

    SmitFraudFix v2.81

    Scan done at 11:48:46.87, Tue 08/08/2006
    Run from C:\Documents and Settings\All Users\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    C:\WINDOWS\bg_bg.gif FOUND !
    C:\WINDOWS\big_red_x.gif FOUND !
    C:\WINDOWS\buy_now.gif FOUND !
    C:\WINDOWS\click_for_free_scan.gif FOUND !
    C:\WINDOWS\close_ico.gif FOUND !
    C:\WINDOWS\download.gif FOUND !
    C:\WINDOWS\download_product.gif FOUND !
    C:\WINDOWS\free_scan_red_btn.gif FOUND !
    C:\WINDOWS\icon_warning_big.gif FOUND !
    C:\WINDOWS\infected.gif FOUND !
    C:\WINDOWS\infected_top_bg.gif FOUND !
    C:\WINDOWS\logo.gif FOUND !
    C:\WINDOWS\navibar_bg.gif FOUND !
    C:\WINDOWS\navibar_corner_left.gif FOUND !
    C:\WINDOWS\navibar_corner_right.gif FOUND !
    C:\WINDOWS\product_box.gif FOUND !
    C:\WINDOWS\red_warning_ico.gif FOUND !
    C:\WINDOWS\remove_spyware_header.gif FOUND !
    C:\WINDOWS\safe_and_trusted.gif FOUND !
    C:\WINDOWS\spyware_detected.gif FOUND !
    C:\WINDOWS\System32fab.exe FOUND !
    C:\WINDOWS\win_logo.gif FOUND !
    C:\WINDOWS\yellow_warning_ico.gif FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\migicons.exe FOUND !
    C:\WINDOWS\system32\mshtml32.tdb FOUND !
    C:\WINDOWS\system32\office_pnl.dll FOUND !
    C:\WINDOWS\system32\officescan.exe FOUND !
    C:\WINDOWS\system32\smaexp32.dll FOUND !
    C:\WINDOWS\system32\winblsrv.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brian Hillard\Application Data

    C:\Documents and Settings\Brian Hillard\Application Data\Install.dat FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BRIANH~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\DOCUME~1\\BRIANH~1\\LOCALS~1\\Temp\\66e9710c5.html"
    "SubscribedURL"="C:\\DOCUME~1\\BRIANH~1\\LOCALS~1\\Temp\\66e9710c5.html"
    "FriendlyName"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Once again, thank you all for the help.
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,019
    Please download SmitfraudFix (by S!Ri)

    Extract (unzip) the content (a folder named SmitfraudFix) to your Desktop. This is imperative for the tool to function properly. If using a utility such as WinZip you will have to direct it there, as it will not unzip to the desktop by default. The destination location should look like this (C: being your primary drive): C:\Documents and Settings\User\Desktop\SmitfraudFix

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  6. buckshot1977

    buckshot1977 Thread Starter

    Joined:
    Mar 13, 2006
    Messages:
    8
    So you need me to run it again?
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,019
    Whoops! Sorry. No, we need to run option 2 now.


    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.
     
  8. buckshot1977

    buckshot1977 Thread Starter

    Joined:
    Mar 13, 2006
    Messages:
    8
    Thank you very much for all your help and time. This means a lot to me. And no problem with the misprint; I figured running just the scan again was right, lol. I understand; it's still early for me too.
     
  9. buckshot1977

    buckshot1977 Thread Starter

    Joined:
    Mar 13, 2006
    Messages:
    8
    OK, done with that. Here is the new SmitfraudFix log:

    SmitFraudFix v2.81

    Scan done at 12:29:21.90, Tue 08/08/2006
    Run from C:\Documents and Settings\All Users\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\bg_bg.gif Deleted
    C:\WINDOWS\big_red_x.gif Deleted
    C:\WINDOWS\buy_now.gif Deleted
    C:\WINDOWS\click_for_free_scan.gif Deleted
    C:\WINDOWS\close_ico.gif Deleted
    C:\WINDOWS\download.gif Deleted
    C:\WINDOWS\download_product.gif Deleted
    C:\WINDOWS\free_scan_red_btn.gif Deleted
    C:\WINDOWS\icon_warning_big.gif Deleted
    C:\WINDOWS\infected.gif Deleted
    C:\WINDOWS\infected_top_bg.gif Deleted
    C:\WINDOWS\logo.gif Deleted
    C:\WINDOWS\navibar_bg.gif Deleted
    C:\WINDOWS\navibar_corner_left.gif Deleted
    C:\WINDOWS\navibar_corner_right.gif Deleted
    C:\WINDOWS\product_box.gif Deleted
    C:\WINDOWS\red_warning_ico.gif Deleted
    C:\WINDOWS\remove_spyware_header.gif Deleted
    C:\WINDOWS\safe_and_trusted.gif Deleted
    C:\WINDOWS\spyware_detected.gif Deleted
    C:\WINDOWS\System32fab.exe Deleted
    C:\WINDOWS\win_logo.gif Deleted
    C:\WINDOWS\yellow_warning_ico.gif Deleted
    C:\WINDOWS\system32\migicons.exe Deleted
    C:\WINDOWS\system32\mshtml32.tdb Deleted
    C:\WINDOWS\system32\office_pnl.dll Deleted
    C:\WINDOWS\system32\officescan.exe Deleted
    C:\WINDOWS\system32\smaexp32.dll Deleted
    C:\WINDOWS\system32\smartdrv.exe Deleted
    C:\WINDOWS\system32\winblsrv.dll Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    OK, and now here is the new HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:37:38 PM, on 8/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\All Users\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    O2 - BHO: (no name) - {3BA0110D-EE46-03E4-8723-6D557FF7791E} - C:\WINDOWS\system32\hxmaitqo.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {61BDA913-158A-1850-FD2E-1D944E9D8ABA} - C:\WINDOWS\system32\fvdeptpk.dll
    O2 - BHO: (no name) - {87185E78-A61B-4DB3-965A-3235BBD7A622} - C:\WINDOWS\SYSTEM32\win32hp.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [win32hlp] C:\WINDOWS\system32\win32hlp.exe
    O4 - HKLM\..\Run: [updwebmin] c:\windows\system32\updwebmin.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [e46f6f149d9] C:\WINDOWS\System32\e46f6f149d9.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\RunServices: [updwebmin] c:\windows\system32\updwebmin.exe
    O4 - HKCU\..\Run: [updwebmin] c:\windows\system32\updwebmin.exe
    O4 - HKCU\..\Run: [e46f6f149d9] C:\WINDOWS\System32\e46f6f149d9.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
    O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
    O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: WindowInstallSystem (e46f6f149d9svr) - Unknown owner - C:\WINDOWS\e46f6f149d9.exe
    O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)

    Once again, thank you very much.
     
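As an added example that is not part of the thread (my own code, not the helper's and not anything HijackThis or SmitfraudFix ships): a small Python triage script that parses the HijackThis log format posted above, flags the patterns a malware helper scans for by eye (orphaned "(file missing)" references, unnamed BHOs loaded from system32, services with no vendor string, one autorun name registered under several Run keys, random hex names such as e46f6f149d9), and diffs the first log against the post-SmitfraudFix log to show what the cleanup actually removed. The flagging heuristics and the hex-name threshold are assumptions of mine; the two sample logs are abbreviated copies of the logs in posts 1 and 9, with the "after" log derived by dropping the three lines that disappeared between them.

```python
"""Triage a HijackThis v1.99 log and diff a before/after pair.

Added example, not part of the thread. Heuristics are my own; sample
lines are abbreviated copies of the logs posted in this thread.
"""
import re
from collections import Counter

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# O4 body looks like:  HKLM\..\Run: [name] command
O4_RE = re.compile(
    r"^(?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# Autorun names like e46f6f149d9: a long run of hex digits, no dictionary word (threshold assumed)
HEXNAME_RE = re.compile(r"^[0-9a-f]{10,}$", re.I)


def parse_hjt(text):
    """Return (running_processes, entries); entries are (section, body) tuples."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False  # the blank line ends the process block
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return processes, entries


def flag_entries(entries):
    """Return (reason, section, body) for every entry matching a suspicious pattern."""
    o4_names = Counter()  # how many Run/RunServices keys reference the same [name]
    for sec, body in entries:
        m = O4_RE.match(body) if sec == "O4" else None
        if m:
            o4_names[m.group("name")] += 1
    flags = []
    for sec, body in entries:
        low = body.lower()
        if "(file missing)" in low or "(no file)" in low:
            flags.append(("orphaned registry reference", sec, body))
        if sec == "O2" and body.startswith("BHO: (no name)") and "\\system32\\" in low:
            flags.append(("unnamed BHO loaded from system32", sec, body))
        if sec == "O23" and "unknown owner" in low:
            flags.append(("service with no vendor string", sec, body))
        m = O4_RE.match(body) if sec == "O4" else None
        if m:
            name = m.group("name")
            if o4_names[name] >= 2:
                flags.append((f"autorun registered in {o4_names[name]} keys", sec, body))
            if HEXNAME_RE.match(name):
                flags.append(("random hex autorun name", sec, body))
    return flags


def diff_logs(before, after):
    """Compare two logs from one machine: what a cleanup removed, added, and left behind."""
    b = set(parse_hjt(before)[1])
    a = set(parse_hjt(after)[1])
    return {
        "removed": sorted(b - a),
        "added": sorted(a - b),
        "still_flagged": [f for f in flag_entries(sorted(a)) if (f[1], f[2]) in b],
    }


# Abbreviated copy of the first log in the thread (post 1).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\officescan.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {3BA0110D-EE46-03E4-8723-6D557FF7791E} - C:\WINDOWS\system32\hxmaitqo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll
O4 - HKLM\..\Run: [updwebmin] c:\windows\system32\updwebmin.exe
O4 - HKLM\..\Run: [e46f6f149d9] C:\WINDOWS\System32\e46f6f149d9.exe
O4 - HKLM\..\RunServices: [updwebmin] c:\windows\system32\updwebmin.exe
O4 - HKCU\..\Run: [updwebmin] c:\windows\system32\updwebmin.exe
O4 - HKCU\..\Run: [e46f6f149d9] C:\WINDOWS\System32\e46f6f149d9.exe
O23 - Service: WindowInstallSystem (e46f6f149d9svr) - Unknown owner - C:\WINDOWS\e46f6f149d9.exe
"""

# Same machine after SmitfraudFix (post 9): the rogue UI pieces are gone, the autoruns are not.
AFTER_LOG = (
    BEFORE_LOG.replace("C:\\WINDOWS\\system32\\officescan.exe\n", "")
    .replace("R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =\n", "")
    .replace("O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47}"
             " - C:\\WINDOWS\\system32\\office_pnl.dll\n", "")
)

if __name__ == "__main__":
    for reason, sec, body in flag_entries(parse_hjt(BEFORE_LOG)[1]):
        print(f"[{reason}] {sec} - {body}")
    d = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"removed by cleanup: {len(d['removed'])}, still flagged: {len(d['still_flagged'])}")
```

Run as a script it prints the flagged lines and a one-line diff summary. Against the logs in this thread, the diff shows that SmitfraudFix removed the blank start page, the office_pnl BHO and the officescan.exe process, while every O4 autorun and the e46f6f149d9svr service survived, which is why a fresh HijackThis log is requested after each tool rather than assuming the cleanup was complete.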
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,019
    Download the trial version of Ewido Anti-spyware from HERE and save that file to your desktop. When the trial period expires it becomes freeware with reduced functions but still worth keeping.



    • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need to run Ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine"
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

    Close Ewido Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.


    • Reboot your computer into Safe Mode now. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
      IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
    • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • Ewido will now begin the scanning process. Be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close Ewido and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Come back here and post a new HijackThis log along with the logs from the Ewido and Panda scans.
     
  11. buckshot1977

    buckshot1977 Thread Starter

    Joined:
    Mar 13, 2006
    Messages:
    8
    OK, I am going to put that PC back online. I will post back as soon as it is done.

    Thank you so very much for everything that you have done for me.
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,019
  13. buckshot1977

    buckshot1977 Thread Starter

    Joined:
    Mar 13, 2006
    Messages:
    8
    OK, here are the new logs.


    Ewido:

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 4:30:44 PM 8/8/2006

    + Scan result:



    HKLM\SOFTWARE\Dsi -> Adware.Delfin : No action taken.
    C:\WINDOWS\SYSTEM32\wsxsvc\wsx.dll -> Adware.DelphinMediaViewer : No action taken.
    C:\WINDOWS\SYSTEM32\ezPopStub.exe -> Adware.EZula : No action taken.
    C:\WINDOWS\woinstall.exe -> Adware.EZula : No action taken.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Adware.Gator : No action taken.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll -> Adware.Gator : No action taken.
    C:\Program Files\backups\backup-20040906-213250-430.dll -> Adware.Midaddle : No action taken.
    C:\Program Files\backups\backup-20040906-214103-212.dll -> Adware.Midaddle : No action taken.
    C:\Program Files\backups\backup-20040906-221044-141.dll -> Adware.Midaddle : No action taken.
    C:\Program Files\backups\backup-20040906-230024-292.dll -> Adware.Midaddle : No action taken.
    C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : No action taken.
    C:\WINDOWS\SYSTEM32\wіnspool.exe -> Adware.PurityScan : No action taken.
    HKLM\SOFTWARE\Classes\SearchSafe.SearchSafeToolBar -> Adware.SafeSearch : No action taken.
    HKLM\SOFTWARE\Classes\SearchSafe.SearchSafeToolBar.1 -> Adware.SafeSearch : No action taken.
    HKLM\SOFTWARE\Classes\SearchSafe.SearchSafeToolBar\CLSID -> Adware.SafeSearch : No action taken.
    HKLM\SOFTWARE\Classes\SearchSafe.SearchSafeToolBar\CurVer -> Adware.SafeSearch : No action taken.
    C:\Program Files\MaxSpeed -> Adware.SideFind : No action taken.
    HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : No action taken.
    C:\Program Files\Internet Explorer\lock.exe -> Downloader.Delf.ang : No action taken.
    C:\WINDOWS\SYSTEM32\hyvobyio.exe -> Downloader.VB.aeq : No action taken.
    C:\WINDOWS\SYSTEM32\jyjfrjed.exe -> Downloader.VB.afr : No action taken.
    C:\WINDOWS\SYSTEM32\stbyxbxt.exe -> Downloader.VB.afr : No action taken.
    C:\WINDOWS\SYSTEM32\0.5616419.exe -> Downloader.VB.ajv : No action taken.
    C:\dialler.exe -> Heuristic.Win32.Dialer : No action taken.
    C:\gwvoe.exe -> Hijacker.Costrat.g : No action taken.
    C:\Documents and Settings\Brian Hillard\Cookies\brian [email protected][1].txt -> TrackingCookie.Statcounter : No action taken.
    C:\WINDOWS\YEA.REG -> Trojan.LowZones.a : No action taken.
    C:\WINDOWS\mt.exe/trofkz.REG -> Trojan.LowZones.a : No action taken.
    C:\WINDOWS\SYSTEM32\1310.exe -> Trojan.Regger.s : No action taken.
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00026.dll -> Trojan.Sinowal.ae : No action taken.
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00027.dll -> Trojan.Sinowal.ae : No action taken.
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00028.dll -> Trojan.Sinowal.ae : No action taken.
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00029.dll -> Trojan.Sinowal.ae : No action taken.
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00030.dll -> Trojan.Sinowal.ae : No action taken.
    C:\irckuw.exe -> Trojan.Sinowal.ae : No action taken.
    C:\WINDOWS\SYSTEM32\vzfxicsz.exe -> Trojan.Small : No action taken.


    ::Report end



    panda:


    Incident Status Location

    Spyware:spyware/marketscore Not disinfected c:\windows\system32\osmim.dll
    Adware:adware/savenow Not disinfected c:\windows\system32\datastore.dll
    Adware:adware/comet Not disinfected c:\windows\downloaded program files\dm.inf
    Adware:adware/msview Not disinfected c:\windows\inf\MSView.inf
    Adware:adware/clickalchemy Not disinfected c:\windows\inf\alchem.inf
    Spyware:spyware/betterinet Not disinfected c:\windows\inf\biini.inf
    Adware:adware/delfinmedia Not disinfected c:\keys.ini
    Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Brian Hillard\Application Data\tvmknwrd.dll
    Adware:adware program Not disinfected c:\windows\ss3unstl.exe
    Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
    Adware:adware/sidesearch Not disinfected c:\windows\sepsd.bin
    Adware:adware/mediatickets Not disinfected Windows Registry
    Potentially unwanted tool:application/adwaresheriff Not disinfected hkey_current_user\software\ADV
    Adware:adware/dyfuca Not disinfected Windows Registry
    Adware:adware/ist.istbar Not disinfected Windows Registry
    Adware:adware/memorywatcher Not disinfected Windows Registry
    Adware:adware/downloadware Not disinfected Windows Registry
    Adware:adware/iedriver Not disinfected Windows Registry
    Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\inf\flashtlk.inf
    Adware:Adware/WUpd Not disinfected C:\WINDOWS\hi.html
    Adware:Adware/WUpd Not disinfected C:\Program Files\backups\backup-20040906-221423-706.inf
    Adware:Adware/MediaTickets Not disinfected C:\Program Files\backups\backup-20040906-221424-697.inf
    Adware:Adware/MediaTickets Not disinfected C:\Program Files\backups\backup-20040906-221424-697
    Virus:Trj/Wupi.H Disinfected C:\wbop.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\All Users\Desktop\SmitfraudFix\Process.exe
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Brian Hillard\Cookies\brian [email protected][2].txt
    Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Brian Hillard\Application Data\rasd\ctxad-263.0000[NDrv.dll]
    Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt



    And then here is the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:21:04 PM, on 8/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\All Users\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    O2 - BHO: (no name) - {3BA0110D-EE46-03E4-8723-6D557FF7791E} - C:\WINDOWS\system32\hxmaitqo.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {61BDA913-158A-1850-FD2E-1D944E9D8ABA} - C:\WINDOWS\system32\fvdeptpk.dll (file missing)
    O2 - BHO: (no name) - {87185E78-A61B-4DB3-965A-3235BBD7A622} - C:\WINDOWS\SYSTEM32\win32hp.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [win32hlp] C:\WINDOWS\system32\win32hlp.exe
    O4 - HKLM\..\Run: [updwebmin] c:\windows\system32\updwebmin.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [e46f6f149d9] C:\WINDOWS\System32\e46f6f149d9.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\RunServices: [updwebmin] c:\windows\system32\updwebmin.exe
    O4 - HKCU\..\Run: [updwebmin] c:\windows\system32\updwebmin.exe
    O4 - HKCU\..\Run: [e46f6f149d9] C:\WINDOWS\System32\e46f6f149d9.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
    O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
    O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: WindowInstallSystem (e46f6f149d9svr) - Unknown owner - C:\WINDOWS\e46f6f149d9.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)

    Well, here is everything. Thank you for your help. It is starting to get better; I still have the red screen, but at least now it opens in a web browser instead of covering my desktop. I am sure you don't know how much the help you have given me means, but I am really thankful. I was afraid I was going to have to do a full reinstall.
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,019
    You need to rescan with Ewido and follow the instructions I posted carefully so that it quarantines the items as no action was taken.

    Download win32delfkil.exe.
    Save it on your desktop.

    Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.

    Close all windows then open the win32delfkil folder and double click on fix.bat. The computer will reboot automatically.

    Post the contents of the log file c:\windelf.txt, along with a new HijackThis log.
     
Short URL to this thread: https://techguy.org/490391