Scottmotiger

Please help! Nasty malware problem!

Hi, I am new to this forum, but I am not new to the world of viruses and trojans; I just (sadly) have stumped everyone on every other forum I'm on.

 

I have searched your FAQs and not found any steps I have not yet tried, so I am posting a meticulously detailed explanation of my problem here so that maybe one of you can help me with it. :) Thank you in advance!

 

Thursday -- my brother called for help because McAfee was giving him a message and he didn't understand exactly what it meant. The message was that a file had tried to use a "filemove" operation and that McAfee viewed this as a high threat, so I told McAfee to disallow it. Shortly after, my PC began receiving about 20 to 30 popups per minute. I tried to use Ctrl+Alt+Del to close all iexplore processes and turn off the computer, but Ctrl+Alt+Del would not work. I opened Internet Explorer and told my pop-up blocker there to reject all popups (I'm a Firefox user, so I hadn't previously edited IE settings) and discovered that two sites had been added to the "allow list." Each time I re-opened IE they were re-added. I had to unplug my computer to turn it off. I rebooted in safe mode w/o networking and unplugged my computer from our network to ensure no other computers were infected. The Ctrl+Alt+Del function now ONLY works in safe mode.

 

The first thing I did after this was to run a preliminary full Ad-Aware scan.

 

--------------------------------------------------------------

 

It found the following groups:

 

Adware.Look2me (2 objects total)

SurfSideKick (2 Objects Total)

VirtualBouncer (6 Objects Total)

Win32.Trojan.Downloader (2 Objects Total)

 

With the following individual files:

 

Adware.Look2Me Process Adware C:\Windows\system32\i4jq0e15eh.dll

SurfSideKick Regkey Data Miner HKEY_CLASSES_ROOT:clsid\{02ee5b04-f144-47bb-83fb-a60bd91b74a9

Virtual Bouncer Regkey Malware HKEY_LOCAL_MACHINE:software\microsoft\windows nt\currentversion\winlogon\notify\policies\

Virtual Bouncer Regkey Malware HKEY_LOCAL_MACHINE:software\microsoft\windows nt\currentversion\winlogon\notify\policies "DllName"

Virtual Bouncer Regkey Malware HKEY_LOCAL_MACHINE:software\microsoft\windows nt\currentversion\winlogon\notify\policies "Impersonate"

Virtual Bouncer Regkey Malware HKEY_LOCAL_MACHINE:software\microsoft\windows nt\currentversion\winlogon\notify\policies "Logon"

Virtual Bouncer Regkey Malware HKEY_LOCAL_MACHINE:software\microsoft\windows nt\currentversion\winlogon\notify\policies "Logoff"

Virtual Bouncer Regkey Malware HKEY_LOCAL_MACHINE:software\microsoft\windows nt\currentversion\winlogon\notify\policies "Shutdown"

Win32.Trojan.Downloader File Malware C:\System Volume Information\_restore{416CB326-BFB9-4525-A07D-2376D00F26F7}\RP280\A0031281.dll

Win32.Trojan.Downloader File Malware C:\System Volume Information\_restore{416CB326-BFB9-4525-A07D-2376D00F26F7}\RP280\A0031281.exe

Adware.Look2Me Regkey Adware HKEY_LOCAL_MACHINE:software\microsoft\windows nt\currentversion\winlogon\notify

SurfSideKick Folder Data Miner C:\program Files\SurfSideKick 3\

 

-----------------------------------------

 

However, I got the following message upon trying to delete them "Some objects could not be removed, try closing all open browser windows prior to the removal. If this does not help, reboot and run Ad-Aware again.

C:\Windows\System32\i4jq0e15eh.dll

Do you want to let Ad-Aware remove them after the next reboot?"

 

Whenever I receive this message, explorer encounters an error and restarts. Keep in mind my computer doesn't restart; explorer just encounters an error and restarts inexplicably. If I'm not already IN explorer, explorer just starts on its own. Either way, I get the "windows is running in safe mode" message, which is normal. After it starts, even the files which Ad-Aware was able to remove have returned. I cannot prevent it from starting. Even more interestingly, when it restarts, "My Documents" opens.

 

At this point I did what I always do with trojans: I used the "regedit" command. However, I now receive the message "regedit is not a valid win32 application", so whatever this trojan is, it's disabled my ability to take it out manually in that way. ClamWin found that the virus had made copies of itself and placed them in multiple hidden directories. It created an invisible "C:\Documents and Settings\Captain\My Documents\Morpheus Shared\Shared" directory in my Morpheus files and hid 50 versions of itself in compressed folders, all with different names. I'm assuming that this is how it spreads. It also sent copies of itself to Outlook Express, which I never use. The following is a copy of the results from my original ClamWin scan:

 

------------------------------------------------------

Scan started: Mon Jul 3 03:50:06 2006

 

ERROR: Can't open file C:\WINDOWS\SoftwareDistribution\EventCache\4033692E-A2CC-4D44-AE4F-76633195FE0B.bin

ERROR: Can't open file C:\WINDOWS\system32\config\default

ERROR: Can't open file C:\WINDOWS\system32\config\SAM

ERROR: Can't open file C:\WINDOWS\system32\config\SECURITY

ERROR: Can't open file C:\WINDOWS\system32\config\software

ERROR: Can't open file C:\WINDOWS\system32\config\system

ERROR: Can't open file C:\WINDOWS\system32\drivers\dtscsi.sys

ERROR: Can't open file C:\WINDOWS\system32\drivers\sptd.sys

ERROR: Can't open file C:\WINDOWS\system32\drivers\sptd5565.sys

ERROR: Can't open file C:\WINDOWS\system32\fpn8035ue.dll

ERROR: Can't open file C:\WINDOWS\system32\jtju0719e.dll

 

C:\Documents and Settings\Captain\Local Settings\Temp\!update.exe: Trojan.PurityScan.BJ FOUND

C:\Documents and Settings\Captain\Local Settings\Temp\ac2_0004.exe: Trojan.Downloader.Small-1610 FOUND

C:\Documents and Settings\Captain\Local Settings\Temp\i23.tmp: Adware.SurfSide-2 FOUND

C:\Documents and Settings\Captain\Local Settings\Temp\NNCLXA638.EXE: Adware.NewDotNet.B FOUND

C:\Documents and Settings\Captain\Local Settings\Temp\pre.exe: Worm.Tenga.A FOUND

C:\Documents and Settings\Captain\Local Settings\Temp\temp.fr21BA: Adware.Lookme-26 FOUND

C:\Documents and Settings\Captain\Local Settings\Temp\temp.fr3C11: Trojan.Downloader.VB-104 FOUND

C:\Documents and Settings\Captain\Local Settings\Temp\temp.frAAA4: Adware.CommAd-2 FOUND

C:\Documents and Settings\Captain\Local Settings\Temp\temp.frEA19: Adware.Lookme-26 FOUND

C:\Documents and Settings\Captain\Local Settings\Temp\Temporary Internet Files\Content.IE5\CDIBSX2B\103[1].avi: Trojan.Downloader.TSUp-12 FOUND

C:\Documents and Settings\Captain\Local Settings\Temporary Internet Files\Content.IE5\IV1LPNEA\NNSCAA638[1].EXE: Adware.NewDotNet.B FOUND

C:\Documents and Settings\Captain\Local Settings\Temporary Internet Files\Content.IE5\JUOJN94D\104[1].avi: Trojan.Downloader.Small-945 FOUND

C:\Documents and Settings\Captain\Local Settings\Temporary Internet Files\Content.IE5\K08XWZAP\!update-4020[1].0000: Trojan.PurityScan.BJ FOUND

C:\Documents and Settings\Captain\Local Settings\Temporary Internet Files\Content.IE5\V5L13QQJ\numbsoft[1].exe: Worm.Tenga.A FOUND

C:\Documents and Settings\Captain\My Documents\Morpheus Shared\Downloads\Age Of Empires 3 Keygen Crack Key Code exe.zip: Trojan.VB-100 FOUND

C:\NNSCAA638.EXE: Adware.NewDotNet.B FOUND

C:\numbsoftnew.exe: Worm.Tenga.A FOUND

C:\Program Files\NewDotNet\newdotnet6_38.dll_tobedeleted: Adware.NewDotNet.B FOUND

C:\Program Files\NewDotNet\newdotnet7_22.dll: Adware.NewDotNet.I FOUND

C:\Program Files\outlook\outlook.exe: Trojan.VB-100 FOUND

C:\WINDOWS\system32\guard.tmp: Adware.Lookme-26 FOUND

C:\WINDOWS\system32\winlogon.dll: Trojan.PurityScan.EN FOUND

-- summary --

Known viruses: 60743

Engine version: 0.88

Scanned directories: 5811

Scanned files: 72868

Infected files: 109

 

Data scanned: 37470.22 MB

Time: 13949.199 sec (232 m 29 s)

-------------------

Completed

--------------------------------------------------------

 

I disabled System Restore. I then manually went into a few of the hidden directories and deleted the copies it had made of itself. The next thing I did was run Stinger. Stinger found 12 infections and claimed to have removed all of them. I ran a Symantec Sysclean, which claimed to find the same 12 infections and remove them, followed finally by yet another ClamWin. These were my results for the final ClamWin run. As you can see, fewer files remain, but they are all still in my registry, which I CANNOT ACCESS because "regedit" has been somehow disabled. These are the same 12 Stinger and Sysclean both claimed to take care of. Ad-Aware still encounters the same errors and gives me the same reports as before, and explorer still restarts as before, even in safe mode, even after all three scanners have been run. The final ClamWin run produced these results:

 

--------------------------------------

Scan started: Mon Jul 3 21:27:45 2006

 

C:\Program Files\outlook\outlook.exe: Removed

C:\Program Files\outlook\p.zip: Removed

C:\Program Files\outlook\v.tmp: Removed

C:\WINDOWS\system32\ausmsext.dll: Removed

C:\WINDOWS\system32\cgbcatex.dll: Removed

ERROR: Can't open file C:\WINDOWS\system32\config\default

ERROR: Can't open file C:\WINDOWS\system32\config\SAM

ERROR: Can't open file C:\WINDOWS\system32\config\SECURITY

ERROR: Can't open file C:\WINDOWS\system32\config\software

ERROR: Can't open file C:\WINDOWS\system32\config\system

ERROR: Can't open file C:\WINDOWS\system32\drivers\dtscsi.sys

ERROR: Can't open file C:\WINDOWS\system32\drivers\sptd.sys

ERROR: Can't open file C:\WINDOWS\system32\drivers\sptd5565.sys

C:\WINDOWS\system32\dzdmo.dll: Removed

C:\WINDOWS\system32\guard.tmp: Removed

C:\WINDOWS\system32\guard.tmp_tobedeleted: Removed

C:\WINDOWS\system32\hrn4055qe.dll: Removed

ERROR: Can't open file C:\WINDOWS\system32\i4jq0e15eh.dll

ERROR: Can't open file C:\WINDOWS\system32\mv26l9fs1.dll

C:\WINDOWS\system32\nqtapi32.dll: Removed

C:\WINDOWS\system32\p6p6lg7s16.dll: Removed

ERROR: Can't open file C:\WINDOWS\system32\wmdconns.dll

C:\WINDOWS\system32\wyd_ci.dll: Removed

 

C:\Program Files\outlook\outlook.exe: Trojan.VB-100 FOUND

C:\Program Files\outlook\p.zip: Trojan.VB-100 FOUND

C:\Program Files\outlook\v.tmp: Trojan.VB-100 FOUND

C:\WINDOWS\system32\ausmsext.dll: Adware.Lookme-26 FOUND

C:\WINDOWS\system32\cgbcatex.dll: Adware.Lookme-26 FOUND

C:\WINDOWS\system32\dzdmo.dll: Adware.Lookme-26 FOUND

C:\WINDOWS\system32\guard.tmp: Adware.Lookme-26 FOUND

C:\WINDOWS\system32\guard.tmp_tobedeleted: Adware.Lookme-26 FOUND

C:\WINDOWS\system32\hrn4055qe.dll: Adware.Lookme-26 FOUND

C:\WINDOWS\system32\nqtapi32.dll: Adware.Lookme-26 FOUND

C:\WINDOWS\system32\p6p6lg7s16.dll: Adware.Lookme-26 FOUND

C:\WINDOWS\system32\wyd_ci.dll: Adware.Lookme-26 FOUND

-- summary --

Known viruses: 60743

Engine version: 0.88

Scanned directories: 5805

Scanned files: 73792

Infected files: 12

 

Data scanned: 39044.24 MB

Time: 27499.507 sec (458 m 19 s)

-------------------

Completed

-------------------

 

Symantec and ClamWin and Stinger each appear to be finding these exact same 12 infections. Each time they claim to remove them, but the files have returned by the next scan. I cannot fix this manually. Now, "SurfSideKick 3" (one of the recurring programs which Ad-Aware removes and which returns after explorer restarts) IS detected and removed by Blacklist, but it is the only program affected by Blacklist and, as you can see here, the exe file for it CANNOT be deleted, only the registry values. Any attempt at manually removing it results in a typical "bla bla bla being used by another person or program." The next time Blacklist is run, the registry values have returned and it has to delete them again. They are being automatically replaced. I get the following every single time I run Blacklist:

 

------------------------------

 

Detected: C:\Program Files\SurfSideKick 3\Ssk.exe

Could not delete file: C:\Program Files\SurfSideKick 3\Ssk.exe

Deleted Registry value: HKCU\...\Run SurfSideKick 3

Deleted Registry value: HKLM\...\Run SurfSideKick 3

 

--------------------------------

 

Jay Loden's AIMFix has found no viruses applicable to AIM.

I have run Winsock after running all three virus scanners and this has made no difference.

My McAfee virus scan is about a year out of date.

I mainly use the default Windows firewall.

Stinger/ClamWin/Symantec were all up-to-date as of late this April.

 

Please keep in mind any solutions involving the command "regedit" are not on the table, as this trojan has somehow managed to shut down that system32 application. Winsock does not restore my ability to use "regedit." I should also note that Spybot encounters the same problems as Ad-Aware (not surprisingly).

 

I ran a fourth ClamWin scan and this time, out of the blue:

 

-----------------------------------------

Infected files: 0

 

Data scanned: 39044.60 MB

Time: 27746.470 sec (462 m 26 s)

-----------------------------------------

 

Which is even more troubling, because when I run Ad-Aware I STILL get the same results except for:

 

-----------------------------------

Win32.Trojan.Downloader File Malware C:\System Volume Information\_restore{416CB326-BFB9-4525-A07D-2376D00F26F7}\RP280\A0031281.dll

Win32.Trojan.Downloader File Malware C:\System Volume Information\_restore{416CB326-BFB9-4525-A07D-2376D00F26F7}\RP280\A0031281.exe

-----------------------------------

These two are now mysteriously gone. I again got the same message "Some objects could not be removed, try closing all open browser windows prior to the removal. If this does not help, reboot and run Ad-Aware again.

C:\Windows\System32\i4jq0e15eh.dll

Do you want to let Ad-Aware remove them after the next reboot?"

 

And explorer itself restarted -- as usual. Keep in mind my computer is not restarting, only explorer itself. It inexplicably closes and up pops the "Windows is running in safe mode" message as it restarts. And as usual, "My Documents" mysteriously opened. I ran Ad-Aware AGAIN and the results were exactly the same. Stinger and Sysclean have now both cleared me of any trojan infections. I should also note that my computer now freezes each time I turn it off from normal mode and it now encounters errors opening bizarrely named ".dll" files each time Windows starts.

 

 

My computer is useless with this thing on it -- I can't do anything while closing 30 pop-ups per minute. Please help! I should also note that it drastically slows down my computer even beyond the drag of normal browser-opening. It has also turned my clock to "military" time (e.g. 23:58 instead of 11:58 pm). I should also note that restarting after running Ad-Aware does not help, because Ad-Aware fails to open upon restarting and thus doesn't take care of anything.

I have also run HijackThis, which encountered an error and was unable to fix the problem. I have run CWShredder with no help from it. I have also run the CoolWWWSearch remover (this is just getting desperate). Now that I have logged back online (shut down all P2Ps, Outlook, and all messenger applications to be safe), I have learned two new things. It continually directs me to websites disguised as fixes with fake names like "stopzilla" and "winantispy2006." These sites download additional spyware and adware without my authorization. They have also gone so far as to somehow place links on my desktop to online instances of what I can only assume are additional viruses.


I have an update on my problem from HijackThis. Following is a description of the file which is named each time Ad-Aware encounters an error.

 

"Some objects could not be removed, try closing all open browser windows prior to the removal. If this does not help, reboot and run Ad-Aware again.

C:\Windows\System32\i4jq0e15eh.dll

Do you want to let Ad-Aware remove them after the next reboot?"

 

 

 

O20 - Winlogon Notify: Explorer - C:\Windows\System32\i4jq0e15eh.dll

 

Detailed information on item O20:

 

Files specified in the AppInit_DLLs Registry value are loaded very early in Windows startup and stay in memory until system shutdown. This way of loading a .dll is hardly ever used, except by trojans. The WinLogon Notify Registry subkeys load dll files into memory at about the same point in the boot process, keeping them loaded into memory until the session ends. Apart from several Windows system components, the programs VX2, ABetterInternet and Look2Me use this Registry key. Since both methods ensure the dll file stays loaded in memory the entire time, fixing this won't help if the dll puts back the Registry value or key immediately. In such cases, the use of the 'Delete file on reboot' function or KillBox is recommended to first delete the file.

 

(Action taken for AppInit_DLLs: Registry Value is cleared, but not deleted.)

(Action taken for Winlogon Notify: Registry key is deleted)

 

 

I have used KillBox with "delete on restart" and unfortunately the dll is immediately replaced by one just like it, which causes Ad-Aware the same error. The only thing which is different is the name:

C:\WINDOWS\system32\gpr8l39u1.dll

C:\Windows\system32\nvj0291mg.dll

C:\Windows\system32\n06q0aj5edo.dll

 

I do not understand how this file is being replaced, but it is, and I have a feeling it's at the heart of the "look2me" problem. Every time I attempt to delete "adware.look2me" in Ad-Aware, I encounter that particular error. I'm sure that they are related, and HT seems to support this. Also, each time I delete it, Windows closes a file about 10 minutes after starting called "Run DLL as executable" and gives me notice of its choice to close that file due to inappropriate use of memory.

 

I should also note that, obviously, every version of the "look2me" trojan/spyware/adware remover I have downloaded has either

 

A. not worked

or

B. caused my computer to restart repeatedly halfway through for no apparent reason

 

(were this not the case, I would never have posted this)

 

OK -- I have actually solved my own problem! This may come in handy to someone else or it may not so you can delete this thread or keep it or whatever, but here's how I eventually fixed it. One of the registry keys acts as a failsafe for the trojan in case you start to remove it. WHEN USING THE TROJAN PORTION OF THE REMOVAL TOOL, DELETE REGISTRIES BACKWARDS. This is the solution that finally worked for me. Again, sorry if this thread is in any way redundant!
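As an added example (not part of this thread, and not code from HijackThis, Ad-Aware or any remover named above), here is a read-only PowerShell audit of the two load points the O20 description refers to: the DllName value under each Winlogon\Notify subkey, and the AppInit_DLLs value. For each DLL it reports whether the file exists, whether it carries a valid Authenticode signature, and whether its name fits the random-letters-and-digits pattern of the DLLs in this thread (i4jq0e15eh.dll, gpr8l39u1.dll, nvj0291mg.dll). The random-name test is my own heuristic and an assumption, not a rule from any product; the script assumes an elevated PowerShell 5.1 or later, and the Notify key is only present on XP/2003-era systems, so on newer Windows that loop simply finds nothing.

```powershell
# Added example, not from this thread or from any of the tools it names.
# Read-only audit of the two early-load DLL hooks described in the O20 text:
#   HKLM\...\Winlogon\Notify\<subkey>\DllName  (loaded by winlogon.exe at boot)
#   HKLM\...\Windows\AppInit_DLLs              (loaded into every process using user32.dll)
# Run from an elevated PowerShell 5.1 or later. Nothing is modified.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windows  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$system32 = [System.Environment]::SystemDirectory

function Test-RandomLookingName {
    # Heuristic of my own (assumption), tuned to the names in this thread:
    # an 8-12 character stem of letters and digits whose digits fall in two
    # or more separate runs, e.g. i4jq0e15eh -> "4", "0", "15".
    # Triage aid only; the signature check below is the stronger signal.
    param([string]$FileName)
    $stem = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    if ($stem -notmatch '^[a-z0-9]{8,12}$') { return $false }
    $digitRuns = [regex]::Matches($stem, '\d+').Count
    return ($digitRuns -ge 2 -and $stem -match '[a-z]')
}

function Get-DllReport {
    param([string]$Source, [string]$DllValue)
    $path = $DllValue.Trim()
    # A bare file name is resolved by the loader from System32, so do the same here.
    if ($path -notmatch '[\\/]') { $path = Join-Path $system32 $path }
    $exists = Test-Path -LiteralPath $path
    $sigStatus = 'n/a'
    if ($exists) {
        $sigStatus = (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
    }
    [pscustomobject]@{
        Source     = $Source
        Dll        = $path
        Exists     = $exists
        Signature  = $sigStatus
        RandomName = Test-RandomLookingName -FileName $path
    }
}

$report = @()

# Each Notify subkey names one DLL in DllName; winlogon.exe loads it at boot and
# keeps calling its Logon/Logoff/Shutdown exports, so it stays resident all session.
if (Test-Path -LiteralPath "$winlogon\Notify") {
    foreach ($key in Get-ChildItem -LiteralPath "$winlogon\Notify") {
        $dll = (Get-ItemProperty -LiteralPath $key.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
        if ($dll) {
            $report += Get-DllReport -Source "Winlogon\Notify\$($key.PSChildName)" -DllValue $dll
        }
    }
}

# AppInit_DLLs is a single string; entries are separated by spaces or commas.
$appInit = (Get-ItemProperty -LiteralPath $windows -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    foreach ($entry in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
        $report += Get-DllReport -Source 'Windows\AppInit_DLLs' -DllValue $entry
    }
}

# Random-looking or not-validly-signed entries sort to the top for review.
$report |
    Sort-Object @{ Expression = 'RandomName'; Descending = $true },
                @{ Expression = { $_.Signature -ne 'Valid' }; Descending = $true } |
    Format-Table -AutoSize
```

Read the output as a review list rather than a verdict: an entry whose file is missing, unsigned, or random-looking is the one to look at first. The thread's own observation, that a deleted Notify subkey reappears under a new random name a moment later, is exactly what you would expect when the DLL named there is still loaded in winlogon.exe, which is why the HijackThis text says the file has to be removed before the key will stay gone.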


Scottmotiger,

 

Do you still need help? You have a lot of very difficult-to-remove infections going on there, and some of them require a special tool.

 

If you still are having problems, please post a "HijackThis" log into your topic here.

Instructions on creating a HijackThis Log

http://www.lavasoftsupport.com/index.php?showtopic=216


I'm pretty sure I got it. Ad-Aware and Spybot were able to fully remove everything they detected after I removed the infected registries backwards, and HijackThis is no longer showing the winlogon as a threat. The pop-ups have also stopped and my computer has returned back to its normal speed. However, I still cannot use the "regedit" function. I receive an error. Is there anything I can do to fix this?


One of the infections was Look2me which is known to make certain changes to settings in the registry. The fix tool here will fix those and then we'll see what is left. I also really need to see a fresh HijackThis log.

 

Please download Look2Me-Destroyer.exe to your desktop.

  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.


The way I got rid of it was by running a variant of that program called L2MRemover which is based on Pest Patrol. As I mentioned above, the reason it didn't initially succeed was because I had to remove the registries backwards to avoid tripping a failsafe.


Following the removal of my last trojan (look2me), my processor was always running at 100% and my computer has been insanely slow. I no longer have the pop-ups, but everything I do lags. I have downloaded multiple different programs and one of them reported to me that I have all of the following serious infections:

 

Maxifiles

Holystic.AP

SurfSideKick

TargetSavers

WurldMedia

AdRotator

LinkMaker Hijacker

Backdoor.Rbot.Gen

InternetOptimizer

BookedSpace

ClkOptimizer

Webhancer

Infotel srl

Yazzle Cowabanga

Trojan.Downloader.Small.CML

Network Monitor

 

These are all ranked as very serious infections by Spyware Doctor. But here's the problem: several of these are supposed to be removable through "add/remove programs" and others are supposed to be vulnerable to Xoftspy remover and Spyhunter. However, these programs have failed to detect any of them. I have destroyed all C: files that I could using KillBox. The rest are all HKey registries (HKLM/HKCU/etc.). How can I get rid of the HKey registries? The following programs have all failed to be helpful in this regard:

 

KillBox

Hijack This

Clamwin

Blacklist

Winsock Repair Tool

Symantec Sysclean

Stinger

CWShredder

Coolwwwsearch removal tool

VundoFix

AVG Antivirus

Tweaknow Registry Cleaner

Look2me Destroyer

Xoftspy

Spyhunter

Spybot

and of course Adaware

 

And there are several hundred HKey values; there's no way I can change them all myself. I WAS able to get my regedit command to work again by deleting the process blocking it with KillBox, but still. Any suggestions? My guess is that look2me downloaded all these other nasty things. Please help! I have included HijackThis logs and the results from my last ClamWin scan below.

 

HJT

 

Logfile of HijackThis v1.99.1

Scan saved at 3:25:50 AM, on 7/22/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\McAfee\McAfee Firewall\CPD.EXE

C:\WINDOWS\System32\alg.exe

C:\Program Files\ClamWin\bin\ClamTray.exe

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Common Files\{2C9BB2BF-0828-1033-0804-040312240001}\Update.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\Messenger\MSMSGS.EXE

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\Program Files\McAfee\McAfee Firewall\CPD.EXE

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Captain\Desktop\hijackthis\HijackThis.exe

 

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [spyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"

O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

 

CLAMWIN

 

--------------------------------------

Scan started: Wed Jul 19 14:36:43 2006

 

C:\!KillBox\winword.exe: Removed

C:\!KillBox\XPLORE~1.EXE: Removed

C:\!KillBox\XPLORE~1.EXE( 1): Removed

ERROR: Can't open file C:\Documents and Settings\Captain\Local Settings\Temporary Internet Files\Content.IE5\4HK0MQG5\ac3_0003[1].exe

ERROR: Can't open file C:\Documents and Settings\Captain\Local Settings\Temporary Internet Files\Content.IE5\IV1LPNEA\visfx500[1].exe

ERROR: Can't open file C:\Documents and Settings\Captain\Local Settings\Temporary Internet Files\Content.IE5\K08XWZAP\626_101[1].exe

ERROR: Can't open file C:\pagefile.sys

ERROR: Can't open file C:\WINDOWS\SoftwareDistribution\EventCache\1EBD8433-B49D-42A9-9DF3-E1D9DD605C91.bin

ERROR: Can't open file C:\WINDOWS\system32\drivers\dtscsi.sys

ERROR: Can't open file C:\WINDOWS\system32\drivers\sptd.sys

ERROR: Can't open file C:\WINDOWS\system32\drivers\sptd5565.sys

 

C:\!KillBox\winword.exe: Trojan.PurityScan.BJ FOUND

C:\!KillBox\XPLORE~1.EXE: Trojan.PurityScan.EN FOUND

C:\!KillBox\XPLORE~1.EXE( 1): Trojan.PurityScan.EN FOUND

-- summary --

Known viruses: 62073

Engine version: 0.88.3

Scanned directories: 5921

Scanned files: 73651

Infected files: 3

 

Data scanned: 39214.42 MB

Time: 46374.188 sec (772 m 54 s)

--------------------------------------

Completed

--------------------------------------


Apologies for the late reply, we are a bit backlogged here as you can probably see.

 

Are you still needing help? I merged your latest post into this older topic as it appears your problems are not resolved yet.

 

I'm now subscribed to this thread and if you reply back here, I'll get an automated notice of your response and get back to you very quickly now.

 

I'll be glad to help if you still need us.

 

I'll need a fresh log from your Ad-Aware scan and a fresh HijackThis log, please.
