Windows XP infected

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

notsmart913

Thread Starter
Joined
Jan 15, 2006
Messages
20
Hello Everyone:

For the past few months, my computer has been running incredibly slow on the internet. Besides using a dial-up connection, I think my computer is infected with many viruses and possibly trojans. I have run numerous programs to remove some of these files; however, there are always more to delete. I have recently run the program HijackThis and this is the log provided:

Logfile of HijackThis v1.99.1
Scan saved at 7:32:54 PM, on 1/15/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Obfpof\Vlms.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Goookt\Flbf.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\PROGRA~1\SBCYAH~2\CONNEC~1\CONNEC~1.EXE
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Spyware Cleaner\SpywareCleaner.exe
C:\Documents and Settings\Bonnie\Local Settings\Temp\Temporary Directory 1 for hijackthis[2].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcy/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcy/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcy/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcy/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-4BF1-96CB-31F79610EF95} - C:\Program Files\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ijkl] C:\WINDOWS\ijkl.exe
O4 - HKLM\..\Run: ["C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [Gnmgyw] C:\Program Files\Obfpof\Vlms.exe
O4 - HKLM\..\Run: [Qadiiyni] C:\Program Files\Goookt\Flbf.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {18A4B33C-209F-4C31-8DD6-9A595435DF87} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O17 - HKLM\System\CCS\Services\Tcpip\..\{4385F0F2-5E2E-46CC-B3A0-18B92E0C6F32}: NameServer = 151.164.1.8 206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{4385F0F2-5E2E-46CC-B3A0-18B92E0C6F32}: NameServer = 151.164.1.8 206.13.28.12
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe

Thank You!!!!!!!
 

Squashman

Retired Trusted Advisor
Joined
Apr 4, 2003
Messages
19,786
Do not run HiJackThis from its Internet Location. Download and save the file to your hard drive first. Then run HiJackThis.
I see you haven't run Windows Update in like never. That usually helps protect your computer.
 
Joined
Jul 8, 2002
Messages
14,681
  • Please uninstall SpywareCleaner from Start>>Control Panel>>Add or Remove Programs, as the company behind it is known for using deceptive advertising to push its products
  • Go to Start>>Control Panel>>Add or Remove Programs
  • Uninstall any of the following programs that appear in the list:

    Lycos
    IP InSight
    Viewpoint Manager

  • Move HijackThis to a permanent folder such as your Desktop
  • Run HijackThis and click Do a system scan only
  • Put a checkmark next to any of the following entries that appear, and click Fix Checked:

    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {00000000-0000-4BF1-96CB-31F79610EF95} - C:\Program Files\Lycos\IEagent\IEagent.dll (file missing)
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [ijkl] C:\WINDOWS\ijkl.exe
    O4 - HKLM\..\Run: [Gnmgyw] C:\Program Files\Obfpof\Vlms.exe
    O4 - HKLM\..\Run: [Qadiiyni] C:\Program Files\Goookt\Flbf.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe
  • Exit HijackThis
  • Locate and delete any of the following files found on your computer:

    C:\WINDOWS\ijkl.exe
  • Locate and delete any of the following folders found on your computer:

    C:\Program Files\Obfpof\
    C:\Program Files\Goookt\
    C:\Program Files\Viewpoint\
    C:\Program Files\Spyware Cleaner\
  • Restart your computer
  • Please update your computer to Service Pack 1 and post a new HijackThis log
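
The fix list above includes every entry that HijackThis marked `(no file)` or `(file missing)`, and the earlier reply points out that HijackThis itself was started from a temporary folder. The following added example (not part of the original posts) parses log lines copied from this thread and flags both conditions; the function names are illustrative.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Bonnie\Local Settings\Temp\Temporary Directory 1 for hijackthis[2].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-4BF1-96CB-31F79610EF95} - C:\Program Files\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ijkl] C:\WINDOWS\ijkl.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "O4 - HKLM\..\Run: ..."
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")  # marker at end of entry
TEMP_RE = re.compile(r"\\(?:Temp|Temporary Internet Files)\\", re.IGNORECASE)

def parse_log(text):
    """Return (running process paths, [(section code, detail), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # first coded entry ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def orphaned_entries(entries):
    """Entries whose target file HijackThis could not find on disk."""
    return [(code, detail) for code, detail in entries if ORPHAN_RE.search(detail)]

def temp_processes(processes):
    """Running processes launched from a temporary folder."""
    return [p for p in processes if TEMP_RE.search(p)]

if __name__ == "__main__":
    procs, entries = parse_log(SAMPLE_LOG)
    for code, detail in orphaned_entries(entries):
        print("orphaned:", code, detail)
    for p in temp_processes(procs):
        print("runs from temp:", p)
```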
 

notsmart913

Thread Starter
Joined
Jan 15, 2006
Messages
20
Hello,
I have deleted the files on HijackThis as Brendan says; however, the Kaspersky On-line Scan lists these infections/viruses:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, January 16, 2006 14:03:13
Operating System: Microsoft Windows XP Home Edition, (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/01/2006
Kaspersky Anti-Virus database records: 161028
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 32013
Number of viruses found: 19
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 3392 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Bonnie\Local Settings\Temporary Internet Files\Content.IE5\7KHZKBY7\optimize313[1].exe Infected: Trojan-Downloader.Win32.Dyfuca.ep
C:\Program Files\Goookt\Flbf.exe Infected: Trojan.Win32.Small.cy
C:\Program Files\Norton AntiVirus\Quarantine\342473F6 Infected: Net-Worm.Win32.Welchia.a
C:\Program Files\Norton AntiVirus\Quarantine\6173714A Infected: Trojan-Downloader.Win32.Small.mt
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP30\A0077999.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP30\A0078001.exe Infected: Trojan-Downloader.Win32.Dyfuca.cq
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP30\A0078002.exe Infected: Trojan-Downloader.Win32.Dyfuca.ep
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP30\A0078003.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP30\A0078004.exe Infected: Trojan.Win32.Small.cy
C:\WINDOWS\system32\calsdr.exe Infected: Trojan-Dropper.Win32.Small.ff
C:\WINDOWS\Temp\all_files9.exe/data0003/data0001.cab/DnldStub.exe Infected: Trojan-Downloader.Win32.Small.kl
C:\WINDOWS\Temp\all_files9.exe/data0003/data0001.cab Infected: Trojan-Downloader.Win32.Small.kl
C:\WINDOWS\Temp\all_files9.exe/data0003 Infected: Trojan-Downloader.Win32.Small.kl
C:\WINDOWS\Temp\all_files9.exe/data0004/data0002/data0002 Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\Temp\all_files9.exe/data0004/data0002/data0004 Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\Temp\all_files9.exe/data0004/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\Temp\all_files9.exe/data0004/data0002 Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\Temp\all_files9.exe/data0004/data0008 Infected: Trojan-Downloader.Win32.Keenval.e
C:\WINDOWS\Temp\all_files9.exe/data0004/data0009 Infected: Trojan-Downloader.Win32.Keenval.e
C:\WINDOWS\Temp\all_files9.exe/data0004 Infected: Trojan-Downloader.Win32.Keenval.e
C:\WINDOWS\Temp\all_files9.exe/data0011 Infected: Trojan-Downloader.Win32.Agent.ec
C:\WINDOWS\Temp\all_files9.exe/data0013/data0002 Infected: Trojan-Downloader.Win32.Agent.ac
C:\WINDOWS\Temp\all_files9.exe/data0013/data0003 Infected: Trojan-Downloader.Win32.Turown.h
C:\WINDOWS\Temp\all_files9.exe/data0013/data0005 Infected: Trojan-Downloader.Win32.Turown.e
C:\WINDOWS\Temp\all_files9.exe/data0013/data0008 Infected: Trojan-Downloader.Win32.Turown.i
C:\WINDOWS\Temp\all_files9.exe/data0013/data0009 Infected: Trojan.Win32.VB.mr
C:\WINDOWS\Temp\all_files9.exe/data0013/data0011 Infected: Trojan-Downloader.Win32.Turown.c
C:\WINDOWS\Temp\all_files9.exe/data0013 Infected: Trojan-Downloader.Win32.Turown.c
C:\WINDOWS\Temp\all_files9.exe Infected: Trojan-Downloader.Win32.Turown.c
C:\WINDOWS\Temp\MemoryWatcher_b.exe/data0004 Infected: Backdoor.Win32.VB.oq
C:\WINDOWS\Temp\MemoryWatcher_b.exe/data0006 Infected: Backdoor.Win32.VB.nb
C:\WINDOWS\Temp\MemoryWatcher_b.exe Infected: Backdoor.Win32.VB.nb

Scan process completed.


Also, I have not downloaded any Microsoft Patches as they take a VERY long time with dial-up; as soon as I can fix these viruses, that will be the first thing I do.

Lastly, would it be okay to purchase things online with these viruses/infections? As in personal data security? Thanks Again!
 
Joined
Jul 8, 2002
Messages
14,681
I would wait until we get all these fixed before using your credit card, just in case.
Install and run CleanUp: http://www.stevengould.org/software/cleanup/
Disable then enable system restore: http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

And delete the C:\Program Files\Goookt\ folder, then everything should be fixed.

Microsoft will ship you a CD of the updates if you're willing to wait a while for it: http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx
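
The Kaspersky report above lists 32 infected objects, but many are members of the same file or copies held in System Restore and the Norton quarantine. The following added example (not part of the original posts) collapses report lines copied from this thread to on-disk files and groups them by location; the bucket names are illustrative assumptions.

```python
from collections import defaultdict

# Lines copied from the Kaspersky report posted in this thread (subset).
SAMPLE_REPORT = r"""C:\Documents and Settings\Bonnie\Local Settings\Temporary Internet Files\Content.IE5\7KHZKBY7\optimize313[1].exe Infected: Trojan-Downloader.Win32.Dyfuca.ep
C:\Program Files\Goookt\Flbf.exe Infected: Trojan.Win32.Small.cy
C:\Program Files\Norton AntiVirus\Quarantine\342473F6 Infected: Net-Worm.Win32.Welchia.a
C:\System Volume Information\_restore{D6264364-70EA-4D04-9365-1CB293908FE4}\RP30\A0078004.exe Infected: Trojan.Win32.Small.cy
C:\WINDOWS\system32\calsdr.exe Infected: Trojan-Dropper.Win32.Small.ff
C:\WINDOWS\Temp\all_files9.exe/data0003/data0001.cab Infected: Trojan-Downloader.Win32.Small.kl
C:\WINDOWS\Temp\all_files9.exe/data0003 Infected: Trojan-Downloader.Win32.Small.kl
C:\WINDOWS\Temp\all_files9.exe Infected: Trojan-Downloader.Win32.Turown.c
C:\WINDOWS\Temp\MemoryWatcher_b.exe/data0004 Infected: Backdoor.Win32.VB.oq
C:\WINDOWS\Temp\MemoryWatcher_b.exe Infected: Backdoor.Win32.VB.nb
"""

# Location buckets (illustrative names), checked in order against the lowercased path.
BUCKETS = [
    ("system_restore", "\\system volume information\\_restore"),
    ("av_quarantine", "\\quarantine\\"),
    ("temp", "\\temp\\"),
    ("temp", "\\temporary internet files\\"),
]

def parse_report(text):
    """Map each on-disk file to the set of detection names reported in or under it."""
    files = defaultdict(set)
    for line in text.splitlines():
        if " Infected: " not in line:
            continue
        obj, name = line.rsplit(" Infected: ", 1)
        # In this report, members of a file appear as <file>/<member>/...; keep the outer file.
        files[obj.split("/", 1)[0]].add(name.strip())
    return dict(files)

def bucket_for(path):
    lowered = path.lower()
    for bucket, marker in BUCKETS:
        if marker in lowered:
            return bucket
    return "other"

def triage(text):
    """Group infected on-disk files by location bucket."""
    groups = defaultdict(list)
    for path in parse_report(text):
        groups[bucket_for(path)].append(path)
    return {bucket: sorted(paths) for bucket, paths in groups.items()}
```

Files that land in `other` sit outside the temporary, System Restore and quarantine locations, so each one has to be checked individually.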
 