Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 20 of 26 Posts

·
Registered
Joined
·
758 Posts
Discussion Starter · #1 ·
AVG says it cleaned it out and it keeps coming back. I also ran Spybot, still no luck.

The trojan is: Downloader.Dyfica. AJ

I read it has something to do with a program called Internet Optimize, it is not in my registry nor on this computer, so beats me why I am getting this.

I think it was in the Windows Temp folder with the file optimize.exe. I tried deleting the Temp folder, with still no luck

if anyone can help me get rid of this please let me know, it pops up alot.
 

·
Registered
Joined
·
758 Posts
Discussion Starter · #6 ·
I tried the 2nd option on that page and it did not detect it at all, but it still came up sometime after that, it's some file in the temp folder that has to do with optimize.



Here's the log from AVG:


Results of Complete Test, date and time 3/26/04 11:19:47 :

Testing C:\WINDOWS\TEMP serial 213B-14D5
C:\WINDOWS\TEMP\OPTIMIZE.EXE repaired
Testing C:\WINDOWS\Temporary Internet Files serial 213B-14D5

Test finished, duration 00:00:10.5 s
423 objects tested, 1 found infected

I deleted the file in the temp folder, but it keeps going back in there. The only thing I can think is it keeps loading with a program of some sort.

I'm a little worried now :(
 

·
Registered
Joined
·
758 Posts
Discussion Starter · #7 ·
here's my hijack log. maybe this will do something. It just came up in another file too with a different name.

Logfile of HijackThis v1.97.3
Scan saved at 11:39:53 AM, on 3/26/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
E:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TEMP\MSBB.EXE
E:\AMERICA ONLINE 8.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
E:\PROGRAM FILES\REAL\REALONE PLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\EXPLORER.EXE
E:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
E:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
E:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLWBSPD.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {16664845-0E00-11D2-8059-000000000000} - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CATCHER.DLL
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - E:\PROGRAM FILES\REGETDX\REGETDX\IEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG_CC] E:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [USSShReg] E:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSAVER\USSSHREG.EXE /r
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [msbb] c:\windows\temp\msbb.exe
O4 - HKLM\..\Run: [bgzqjyj] C:\WINDOWS\bgzqjyj.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] E:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Scanner Detector.lnk = E:\Program Files\ScanSuite\SDetect.exe
O4 - Startup: AOL Companion.lnk = E:\Program Files\AOL Companion\companion.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = E:\America Online 8.0\aoltray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_All.htm
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_Link.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38056.5075810185
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/98ME/new/bridge.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4344/mcfscan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
 

·
Retired Moderator
Joined
·
72,109 Posts
First thing to do is create a folder for HJT, like c:\HJT. Move hijackthis.exe into that folder. HJT creates backup files and if you run it from your desktop it will but the backups there.

Run HJT again and put a check against these:

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.exe
O4 - HKLM\..\Run: [msbb] c:\windows\temp\msbb.exe
O4 - HKLM\..\Run: [bgzqjyj] C:\WINDOWS\bgzqjyj.exe
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/98ME/new/bridge.cab

Close all browser windows and applications before clicking "fix checked".

Reboot in safe mode, click here to see how,
and delete these files
C:\WINDOWS\SYSTEM\A.exe
c:\windows\temp\msbb.exe
C:\WINDOWS\bgzqjyj.exe

Go here Hijackthis. and get the newer version of HJT then post another log.
 

·
Registered
Joined
·
758 Posts
Discussion Starter · #11 ·
Originally posted by Dark Mage:
Big Problem...Pest Patrol trial edition should remove this.

Look here:
http://www.pestpatrol.com/pest_info/de/v/vx2_h_abetterinternet.asp
Just downloaded it, the trial version does not allow you to delete anything. Although it found alot of stuff :eek:

I'll run Adaware, maybe it will clean some stuff up.

here is my new HJT log. I ran and did what was said above

Logfile of HijackThis v1.97.7
Scan saved at 6:16:19 PM, on 3/26/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
E:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
E:\AMERICA ONLINE 8.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
E:\AMERICA ONLINE 8.0\AOL.EXE
E:\AMERICA ONLINE 8.0\WAOL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
E:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
E:\PROGRAM FILES\REGETDX\REGETDX\REGETDX.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {16664845-0E00-11D2-8059-000000000000} - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CATCHER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - E:\PROGRAM FILES\REGETDX\REGETDX\IEBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG_CC] E:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [USSShReg] E:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSAVER\USSSHREG.EXE /r
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] E:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Scanner Detector.lnk = E:\Program Files\ScanSuite\SDetect.exe
O4 - Startup: AOL Companion.lnk = E:\Program Files\AOL Companion\companion.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = E:\America Online 8.0\aoltray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_All.htm
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_Link.htm
O8 - Extra context menu item: &Google Search - res://E:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://E:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://E:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://E:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38056.5075810185
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4344/mcfscan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
 

·
Registered
Joined
·
758 Posts
Discussion Starter · #15 ·
here is my log once again *sigh*

Logfile of HijackThis v1.97.7
Scan saved at 3:06:52 PM, on 3/31/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
E:\PROGRAM FILES\KAZAA SPEEDUP\MSBB.EXE
E:\AMERICA ONLINE 8.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
E:\AMERICA ONLINE 8.0\AOL.EXE
E:\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
E:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
E:\PROGRAM FILES\MEDIA\MEDIA\UPDATESTATS.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=132047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=132047
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=132047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=132047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {16664845-0E00-11D2-8059-000000000000} - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CATCHER.DLL
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL (file missing)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - E:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - E:\PROGRAM FILES\REGETDX\REGETDX\IEBAR.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - E:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG_CC] E:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [USSShReg] E:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSAVER\USSSHREG.EXE /r
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [msbb] e:\program files\kazaa speedup\msbb.exe
O4 - HKLM\..\Run: [dwtmj] C:\WINDOWS\dwtmj.exe
O4 - HKLM\..\Run: [IST Service] E:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Power Scan] E:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [UpdateStats] E:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] E:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Scanner Detector.lnk = E:\Program Files\ScanSuite\SDetect.exe
O4 - Startup: AOL Companion.lnk = E:\Program Files\AOL Companion\companion.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = E:\America Online 8.0\aoltray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_All.htm
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_Link.htm
O9 - Extra button: Sidesearch (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38056.5075810185
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/98ME/new/bridge.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006_cracks.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
 

·
Registered
Joined
·
4,699 Posts
Download CWShredder at
http://www.merijn.org/cwschronicles.html (merijn's site has been under a denial of service lately so try the second link)
http://www.majorgeeks.com/download4086.html

Run CWShredder, check you have the current version by clicking check for update and let it update
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.

Make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection, otherwise you will be continually re-infected.

The patches are:
http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/tr...in/ms03-011.asp
 

·
Registered
Joined
·
4,699 Posts
OK, let's get that list of spyware and malware cleaned up.

In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
Next, close all browser Windows, and have HT fix all checked.

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL (file missing)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - E:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - E:\PROGRAM FILES\ISTBAR\ISTBAR.DLL

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [USSShReg] E:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSAVER\USSSHREG.EXE /r

O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [msbb] e:\program files\kazaa speedup\msbb.exe
O4 - HKLM\..\Run: [dwtmj] C:\WINDOWS\dwtmj.exe

O4 - HKLM\..\Run: [IST Service] E:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Power Scan] E:\Program Files\Power Scan\powerscan.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: Sidesearch (HKLM)

O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...0006_cracks.cab


Next reboot into Safe Mode and remove the following files and folders that are bolded

C:\WINDOWS\dwtmj.exe
C:\WINDOWS\SYSTEM\A.EXE

E:\program files\kazaa speedup\[msbb.exe

E:\Program Files\ISTsvc\istsvc.exe
E:\Program Files\Power Scan\powerscan.exe

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

Reboot into normal mode.

I would strongly recommend that you do an online virus scan at least one and preferably 2 of the following sites:

http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/

Now download Spybot - Search & Destroy (if you haven't got the program installed already)

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

Reboot

Last, run HJT again and post your log again to see if anything was missed.

Thanks
 
1 - 20 of 26 Posts
Status
Not open for further replies.
Top