Win32:trojan-gen. {VC}

Discussion in 'adware, spyware & hijack cleaning' started by hdizzy, Apr 14, 2004.

Thread Status:
Not open for further replies.
  1. hdizzy

    hdizzy Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    9
    how do i get rid of this virus?!!
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi hdizzy, and welcome.

    We do need a bit more information to help you better. Can you tell us what operating system you have; what antivirus you are using; what is the name of the infected files, and where the infected files are located?

    Regards,

    snap
     
  3. hdizzy

    hdizzy Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    9
    using windows XP Pro
    using avast 4 home edtition
    infected file-C:\Documents and Settings\Hans\Local Settings\Temp\Belt.ca
    I just scaned all my files again and found another trojan and a few more loader viruses, should i consider refomatting my computer?
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi hdizzy,

    You can try one of these free on-line antivirus scanners first and see what can be cleaned or removed: Free Services.

    Then follow ALL the steps listed at this link:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Reformating would be the very last resort, and I can't see a reason to go that route yet, if at all. :)

    Once you have posted your HijackThis log, one of the Experts will review it and advise you what needs to be fixed. Please do not fix anything in HijackThis as most of what it will list will be harmless. Always wait for the advise of an Expert.

    Regards,

    snap
     
  5. hdizzy

    hdizzy Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    9
    thanks for the help, the panda scan got rid of them all.
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    That's great to hear hdizzy. :)

    Don't forget to purge your old restore points to clean out any infection that will have been backed up in your System Restore (if you haven't already done that).

    Turn OFF System Restore:
    1. On the Desktop, right-click My Computer.
    2. Click Properties.
    3. Click the System Restore tab.
    4. Check the box beside "Turn off System Restore".
    5. Click Apply, and then click OK.
    6. Restart the computer. (You must restart your computer to clear the old Restore Points)

    Turn System Restore ON:
    1. Follow the above Steps 1 to 3
    2. UNcheck the box beside "Turn off System Restore".
    3. Click Apply, and then click OK.
    4. Restart your computer.
    5. And set a new Restore Point.

    And be sure you go to Microsoft's Update Site and download and install ALL Critical Updates listed for XP and IE6.

    Regards,

    snap
     
  7. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    You might also want to check out this link, which has some valuable information there on how to tighten your security settings and some links to free programs that will also help protect your computer while you surf: Why did I get infected in the first place.

    Regards,

    snap
     
  8. hdizzy

    hdizzy Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    9
    Thanks for all the helpful advice. I think i got all the viruses, the panda scan didnt pick anything up, i also purged my restore points, but every time i go on the net some retarded seach page comes up (even though i set google to my home page) and i still get some popups. Do you think the virus is still there? If not, how do i get rid of that seach engine?
     
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi hdizzy,

    This sounds more like your browser has been hijacked. I would suggestion you follow the steps in this thread here: https://www.wilderssecurity.com/showthread.php?t=15913

    The only way to see what kind of possible hijacker (spyware) you might have on your system would be to see your HijackThis log. Then the Experts can advise you on what steps to take to remove it. Virus scanners scan for viruses, and may not necessarily detect spyware.

    Please follow the advise in the link above. :)

    Regards,

    snap
     
  10. hdizzy

    hdizzy Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    9
    Hey Snap, I tried to get the hijack this yesterday but every time i click on the link it goes directly to that stupid search engine. Is there a site i can go to directly to get it?
     
  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi hdizzy,

    You can try this link Here.
    Scroll down and look for HijackThis. You can download the .exe file or the zipped version, whichever is easiest for you.

    If the above link still doesn't let you download HijackThis, then try this one:
    majorgeeks

    Let us know if you're able to download HijackThis from either of the above links.

    Regards,

    snap
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    ...in case all fails: we host HJT on this server as well; have a look over here ;).

    regards.

    paul
     
  13. hdizzy

    hdizzy Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    9
    Hi Snap, I tried those links you gave me and someone else had a link to try to but as soon as i try to download hijack that mutha f___ing search page comes up. I really dont know what to do my browser wont let me do anything.
     
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    hdizzy,

    Since you can function here at this forum, you should also be able to download HijackThis from this forum. Try this direct download link. Right-click on this link and select Save Target As... and try to save it to your system. Tell us what happens:

    https://www.wilderssecurity.com/attachments/hijackthis1977.zip
     
  15. hdizzy

    hdizzy Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    9
    LowWaterMark! Man you saved me, I got hijack finally, I ll scan and post it in a bit. Thanks
     
  16. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    That is great hdizzy!

    Thank you LWM ;)
     
  17. hdizzy

    hdizzy Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    9
    Logfile of HijackThis v1.97.7
    Scan saved at 7:56:49 PM, on 4/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AproposClient\Apropos.exe
    C:\WINDOWS\System32\wisptis.exe
    C:\unzipped\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    F0 - system.ini: Shell=
    F2 - REG:system.ini: Shell=
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
    O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\pdfupd.dll
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [FilterGate] C:\PROGRA~1\FILTER~1\filtergate.exe /ASK
    O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [Winsock2 driver] WUAUMQR.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O13 - DefaultPrefix: http://www.nkvd.us/
    O13 - WWW Prefix: http://www.nkvd.us/
    O13 - Home Prefix: http://www.nkvd.us/
    O13 - Mosaic Prefix: http://www.nkvd.us/
    O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://64.85.20.110:8041/Java/cs4ms090.cab
    O16 - DPF: IEToolbarCab - http://www.animetoolbar.com/DailyToolbar.CAB
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://www.x0.nl/install2/dialxs.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37966.7167939815
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
     
  18. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi hdizzy,

    Glad to see you were finally able to download HijackThis and post a log. There are quite a few items there that we need to fix.

    Before you begin, please create a permanent folder for HijackThis, and move the HijackThis.exe file into that folder.
    HijackThis will create backups in the folder it is ran from so we want to have it in a permanent folder of it's own in case we need to restore a backup.

    Also, through TaskManager, check and see if the WUAUMQR.EXE is running. If it is, right-click on it and choose End Process.

    Next, through the Add/Remove Programs, uninstall the P2P Networking.

    Then, close all browsers and any open windows, except Hijackthis.
    Then place a check beside the following entries, and click *Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

    F0 - system.ini: Shell=
    F2 - REG:system.ini: Shell=

    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [Winsock2 driver] WUAUMQR.EXE
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

    O9 - Extra button: Sidesearch (HKLM)

    O13 - DefaultPrefix: http://www.nkvd.us/
    O13 - WWW Prefix: http://www.nkvd.us/
    O13 - Home Prefix: http://www.nkvd.us/
    O13 - Mosaic Prefix: http://www.nkvd.us/

    O16 - DPF: IEToolbarCab - http://www.animetoolbar.com/DailyToolbar.CAB
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://www.x0.nl/install2/dialxs.ocx
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab


    Then download CWShredder.
    Close ALL windows, unzip the file, and click on the cwshredder.exe to start the program.
    Make sure you click "Fix" (Not "Scan only") and follow the instructions you will receive.


    Reboot your computer.

    Make sure you have all files and folders viewable.
    Right-click "My Computer --> choose "Explore", select "Tools" --> "Folder Options", click the "View" tab. Under "hidden files and folders" select to show hidden files and folders, and remove the check in the "hide protected operating system files." Click "OK".

    Then reboot into Safe Mode by tapping the F8 key after the BIOS has loaded, then find and delete the following:

    WUAUMQR.EXE <--the file (you'll have to do a search for it, but it is probably in the Windows\System folder)
    C:\Program Files\Lycos <--folder
    C:\Program Files\AproposClient <--folder
    C:\Program Files\Common files\updater <--folder
    C:\PROGRAM FILES\INCREDFIND <--folder
    C:\PROGRAM FILES\AUTOUPDATE <--folder
    C:\WINDOWS\System32\P2P Networking <--folder
    C:\WINDOWS\gsim.dll <--file

    ------

    I am not familiar with these. Do you know what they are?
    O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\pdfupd.dll
    O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll


    I think you are still infected with the Worm.Spybot.G
    http://uk.trendmicro-europe.com/ent...tail.php?id=56234&VName=WORM_SPYBOT.G&VSect=T

    I would recommend another FULL system scan. Try this on-line scanner:
    http://housecall.trendmicro.com/housecall/start_corp.asp

    Do another scan with HJT and post a new log here to be checked.

    snap
     
  19. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi hdizzy,

    I have moved your thread over to the "adware, spyware & hijack cleaning' forum where it will get better attention.

    Could you please locate the pdfupd.dll file and zip up a copy of it and submit it by email to This Email Address for analysis. It looks like it might be something new and we'd appreciate a copy of it. Include a link to this thread in the body of the email. Thank you kindly. :)

    Also, when you run the CWShredder program, it was advised to me to have you run it while in Safe Mode to ensure that the CoolWebSearch infection is completely removed.

    Once you have finished all the instructions in the above post, then download Ad-aware, bring it up-to-date, and do a full system scan with it while still in Safe Mode. This will take care of any spyware files left.

    To set up Ad-Aware:
    Before scanning click on "check for updates" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

    General> activate these: "Automatically save log file" and "Automatically Quarantine objects prior to removal"

    Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"

    Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

    Tweaks > Cleaning Engine: activate this: "Let Windows remove files in use after reboot."

    Click "proceed" to save your settings, then click "start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu then press next and then say "Yes" to the prompt, "do you want to remove all these entries")

    Then post a new hijackthis log so we can make sure we haven't missed anything.

    Regards,

    snap
     
  20. hdizzy

    hdizzy Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    9
    hi snap, heres the new hijack list.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:58:00 AM, on 4/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
    O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
    O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\pdfupd.dll
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [FilterGate] C:\PROGRA~1\FILTER~1\filtergate.exe /ASK
    O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O13 - DefaultPrefix: http://www.nkvd.us/
    O13 - WWW Prefix: http://www.nkvd.us/
    O13 - Home Prefix: http://www.nkvd.us/
    O13 - Mosaic Prefix: http://www.nkvd.us/
    O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://64.85.20.110:8041/Java/cs4ms090.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37966.7167939815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
     
  21. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi hdizzy,

    Welcome to Wilders.

    Please download the latest copy of CWShredder as you will need it in a later step.

    Then click "Start" -> "Run".
    Type "regedit" and click OK.
    In navigation tree go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedTaskScheduler
    Then delete all keys at the right panel (just click on it and press Delete key).
    Then go to HKEY_CURRENT_USER\software\classes\CLSID\{3F143C3A-1457-6CCA-0A7-7AA23B61E40F} and delete all keys too.

    Restart your PC in safe mode.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)

    O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\pdfupd.dll
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll

    O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll

    O13 - DefaultPrefix: http://www.nkvd.us/
    O13 - WWW Prefix: http://www.nkvd.us/
    O13 - Home Prefix: http://www.nkvd.us/
    O13 - Mosaic Prefix: http://www.nkvd.us/

    Run CWShredder. Be sure ALL other windows are closed use the Fix button and follow the instructions you will receive.

    There also may be hidden files. See HERE for how to show hidden files.

    Then delete:

    C:\WINDOWS\System32\mtwirl32.dll
    C:\WINDOWS\System32\pdfupd.dll
    C:\WINDOWS\System32\mshelper.dll

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
Thread Status:
Not open for further replies.