
Adware virus problem

Discussion in 'Security and Privacy' started by austin1616, 2004/07/15.

Thread Status:
Not open for further replies.
  1. 2004/07/15
    austin1616

    austin1616 Inactive Thread Starter

    Joined:
    2004/07/15
    Messages:
    9
    Likes Received:
    0
    Hello, I found this site while googling. I had a lot of spy viruses on my computer. I followed your instructions in other threads, so I got rid of many of them. But I still have some problems with IEsearch. I am attaching the logs from HijackThis.

    I got an error while trying to delete some of these from HijackThis. Maybe I am missing some files!

    Thank you.

    Logfile of HijackThis v1.98.0
    Scan saved at 8:15:12 AM, on 7/15/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\2Wire\Gateway\2PortalMon.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Internet Explorer\Iesearch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\system32\jqnmgcr.exe
    C:\WINNT\runwin32.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINNT\wininet32.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINNT\system32\mscime.exe
    C:\WINNT\system32\msjacc.exe
    C:\Program Files\WebSiteViewer\123802.dlr
    C:\EXE\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - (no file)
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {30FB3205-9643-0CC4-D153-65557EA72C6A} - C:\WINNT\system32\xib.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINNT\2_0_1browserhelper2.dll (file missing)
    O2 - BHO: Xbrowse Class - {D319662B-D5BF-4538-ADF3-8D3E36362608} - (no file)
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINNT\system32\backup.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINNT\dial.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Winhost] C:\WINNT\winh.exe
    O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINNT\system32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT "
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\system32\msconfig.exe /auto
    O4 - HKLM\..\Run: [s35P32e] mscime.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [d0uFRSK3R] msjacc.exe
    O4 - HKCU\..\Run: [Qrnjvcf] C:\WINNT\system32\jqnmgcr.exe
    O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINNT\wininet32.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O15 - Trusted Zone: *.awmguild.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.vladzone.com
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
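    The log above is what the replies in this thread read by eye. As an added example (not code from the original post and not part of HijackThis), the Python below parses the R0/R1, O2/O3, O4, O15 and O16 lines of a HijackThis 1.9x log and applies the triage rules the helpers apply implicitly: a search or start-page value pointing at an unknown host or blanked to about:blank, a ProxyServer value pointing back at the local machine (which means something on the box is relaying the browser's traffic), browser helper objects with no name or no backing file, Run entries whose executable is a bare filename, sits directly in the Windows directory or has a random-looking value name, any Trusted Zone addition, and ActiveX (O16 DPF) objects fetched from an unknown host. The allowlists, the random-name pattern and the short list of Microsoft components that appear without a path are assumptions for illustration; the sample lines are copied from the first log in this thread.

```python
"""Added example: triage heuristics for HijackThis v1.9x log lines.
Not code from the original thread or from HijackThis; the allowlists,
the random-name pattern and KNOWN_BARE_RUN_CMDS are assumptions."""
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "section reason detail")

_SECTION = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
_REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
_BHO = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\S+) - (?P<path>.*)$")
_RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_DPF = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \((?P<name>[^)]*)\) -\s*(?P<url>.*)$")
_WINDIR_ROOT = re.compile(r"^[a-z]:\\(?:winnt|windows)\\[^\\]+$", re.I)
# Run value names like "s35P32e": digits plus mixed case, short, no spaces (assumed heuristic).
_RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{5,12}$")

SEARCH_VALUES = {"Start Page", "Search Page", "Search Bar", "SearchURL",
                 "Default_Search_URL", "SearchAssistant", "CustomizeSearch", "(Default)"}
TRUSTED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.msn.com"}  # assumed
TRUSTED_DPF_HOSTS = {"java.sun.com", "download.microsoft.com"}  # assumed
KNOWN_BARE_RUN_CMDS = {"mobsync.exe", "loadqm.exe"}  # Microsoft components the log lists without a path


def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _exe_of(cmd):
    """First token of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    return cmd.split(" ", 1)[0]


def triage_line(line):
    m = _SECTION.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons, detail = [], body
    if sec in ("R0", "R1"):
        v = _REG_VALUE.match(body)
        if not v:
            return None
        name, value = v.group("name").strip(), v.group("value").strip()
        detail = f"{name} = {value}"
        if name == "ProxyServer" and value.split(":")[0] in ("127.0.0.1", "localhost"):
            reasons.append("browser traffic relayed through a process on this machine")
        elif name in SEARCH_VALUES:
            if value == "about:blank":
                reasons.append("search/start value blanked (not the Windows default)")
            elif _host(value) not in TRUSTED_SEARCH_HOSTS:
                reasons.append(f"search/start value points at untrusted host {_host(value)}")
    elif sec in ("O2", "O3"):
        b = _BHO.match(body)
        if not b:
            return None
        detail = b.group("path")
        if detail == "(no file)" or detail.endswith("(file missing)"):
            reasons.append("orphaned browser extension registration")
        elif b.group("name") == "(no name)":
            reasons.append("unnamed browser extension with a live DLL; identify the file")
    elif sec == "O4":
        r = _RUN.match(body)
        if not r:
            return None
        detail = _exe_of(r.group("cmd"))
        if "\\" not in detail and detail.lower() not in KNOWN_BARE_RUN_CMDS:
            reasons.append("bare filename resolved through the search path")
        if _WINDIR_ROOT.match(detail):
            reasons.append("executable placed directly in the Windows directory")
        if _RANDOM_NAME.match(r.group("name")):
            reasons.append("random-looking Run value name")
    elif sec == "O15":
        reasons.append("Trusted Zone entry; confirm the user added it deliberately")
    elif sec == "O16":
        d = _DPF.match(body)
        if d and d.group("url") and _host(d.group("url")) not in TRUSTED_DPF_HOSTS:
            detail = d.group("url")
            reasons.append(f"ActiveX object installed from {_host(detail)}")
    return Finding(sec, "; ".join(reasons), detail) if reasons else None


def triage(log_text):
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


# Sample lines copied from the first log in this thread.
SAMPLE = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: (no name) - {30FB3205-9643-0CC4-D153-65557EA72C6A} - C:\WINNT\system32\xib.dll
O2 - BHO: Xbrowse Class - {D319662B-D5BF-4538-ADF3-8D3E36362608} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Winhost] C:\WINNT\winh.exe
O4 - HKLM\..\Run: [s35P32e] mscime.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O15 - Trusted Zone: *.awmguild.com
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):  # replace SAMPLE with open("hijackthis.log").read() for a real log
        print(f"{f.section:4} {f.detail}\n     -> {f.reason}")
```

    The output is a worklist, not a verdict: Spybot's SDHelper.dll also registers as a "(no name)" BHO and would be listed, which is why the helpers in this thread match each path against what they know rather than fixing everything unnamed.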
     
  2. 2004/07/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Don't know what all you've done yet, but you're still very infected. Make sure you have the up-to-date versions of Spybot (v1.3), Ad-aware (build 6.181) and CWShredder (v1.59.1). All are free and available from the links in my signature.

    Open CWShredder and with ALL other windows closed, click fix. Then update and run Spybot. Delete all it finds that is prechecked. Then update and configure Ad-aware for a custom full scan and run, deleting all it finds. Reboot and scan your PC with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.
     

  4. 2004/07/15
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I just found this AM a new adware checker. It seems to find more than the old AdAware does.

    It is named NoAdware from here

    It is not free but ( at this time ) appears to be worth it.

    It found 12 items that AdAware itself did not find.

    BillyBob
     
  5. 2004/07/15
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I forgot this in my previous reply.


    O15 - Trusted Zone: *.awmguild.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.vladzone.com


    How do these get into the Trusted Zone? Is spyware/adware getting that bad?

    BillyBob
     
  6. 2004/07/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That one's a scam, BB. Send your money to get a license so you can remove what it finds, and all you'll get is a smaller bank account. See the pinned thread Slyware/spyware. There's a list of fakes. :)
     
  7. 2004/07/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    And then some! :eek:
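    BillyBob's question above, how a site ends up in the Trusted Zone, comes down to one registry key. Internet Explorer stores per-site zone assignments under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains (HKLM for machine-wide entries): one subkey per domain, an optional subkey below it for a host prefix, and a DWORD value named after the scheme ("http", "https") or "*" for all schemes, holding the zone number (1 intranet, 2 trusted, 3 internet, 4 restricted). Any program running with the user's rights can write there, so adware simply adds its own domains; HijackThis reports the result as O15 lines. The Python below is an added example, not from this thread and not part of HijackThis: it reads a .reg export of that key and lists what sits in each zone. The export text is constructed to mirror the O15 entries in this thread, with three invented names (example.com, badhost.example, corp.example) to show a host-prefix entry and the other zones.

```python
"""Added example: list Internet Explorer zone assignments from a .reg export.
Not code from the original thread. Zone numbers: 1 intranet, 2 trusted,
3 internet, 4 restricted. Assumed: the export was taken from
HKCU\\...\\Internet Settings\\ZoneMap\\Domains (or its HKLM twin)."""
import re

ZONES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
_KEY = re.compile(r"^\[(?P<path>.+)\]$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
# Everything after ...\ZoneMap\Domains\ : "domain" or "domain\hostprefix"
_DOMAINS = re.compile(r"\\Internet Settings\\ZoneMap\\Domains\\(?P<rest>.+)$", re.I)


def parse_zonemap(reg_text):
    """Return [(host, scheme, zone_number), ...] for every ZoneMap\\Domains value."""
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = _KEY.match(line)
        if km:
            dm = _DOMAINS.search(km.group("path"))
            current = dm.group("rest").split("\\") if dm else None  # None: key outside Domains
            continue
        vm = _VALUE.match(line)
        if vm and current:
            # A bare domain key covers all its hosts; HijackThis prints that as *.domain.
            host = f"{current[1]}.{current[0]}" if len(current) > 1 else f"*.{current[0]}"
            entries.append((host, vm.group("name"), int(vm.group("hex"), 16)))
    return entries


def entries_in_zone(reg_text, zone):
    return [(h, s) for h, s, z in parse_zonemap(reg_text) if z == zone]


# Constructed .reg export mirroring the O15 lines in this thread; example.com,
# badhost.example and corp.example are invented to show the other cases.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmguild.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vladzone.com]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\www]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\badhost.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\corp.example]
"*"=dword:00000001
"""

if __name__ == "__main__":
    for host, scheme, zone in parse_zonemap(SAMPLE_REG):
        print(f"{ZONES.get(zone, zone):16} {scheme:6} {host}")
```

    On the infected machine the export would come from regedit /e of that key; removing an entry means deleting that domain's subkey. IP-address ranges live in the sibling ZoneMap\Ranges key and are not covered here.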
     
  8. 2004/07/15
    austin1616

    austin1616 Inactive Thread Starter

    Joined:
    2004/07/15
    Messages:
    9
    Likes Received:
    0
    Hello noahdfear, Thank you for your quick reply.

    I have run Spybot, CWShredder and Ad-aware before. I was able to delete wintoolsa.exe and some other adware files before. I will do it again as you have said. I haven't run RAV, though. I couldn't understand what you meant by "update" after each run of these tools. I am really frustrated with these things; somehow I need to clean this. I got Norton AntiVirus software recently, which I am running to check these files.

    Thank you again. I will post the log file.
     
  9. 2004/07/15
    austin1616

    austin1616 Inactive Thread Starter

    Joined:
    2004/07/15
    Messages:
    9
    Likes Received:
    0
    noahdfear, I cannot download RAV. Its site gives the following message:

    Download Section is closed. Existing RAV AntiVirus registered customers should address support@ravantivirus.com for downloading existing products.

    Due to the acquisition of RAV's IPR (Intellectual Property Rights) by Microsoft Corp., GeCAD Software SRL is currently engaged in a strategic reorganization of its operations, which includes scaling down and discontinuation of its anti-virus related business. More details at:
    http://www.ravantivirus.com/pages/shownews.php?i=153 .


    As part of this process please be informed that RAV AntiVirus online and direct sales ceased September 3rd, 2003.
     
  10. 2004/07/15
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    austin1616

    You do not need to download RAV - follow the link in Noahdfear's post (#2) and on the page that opens click on the link under the box for an email address - "continue without subscribing" or something similar. This takes you to the on-line scan page.

    The site is working fine - RAV is downloading updated files to my m/c as I post :)
     
  11. 2004/07/15
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Both Ad-aware and Spybot get updated ref files regularly. You need to be running the latest set of those files and both programs offer a button you can click to search for updates and, if any are found, to download and install them. You need to do that each time BEFORE you run the program to check for bad stuff.

    The recommendation to use an online virus scanner rather than the one installed on your PC is because of the virus infections that can deactivate your installed AV but make it appear to be still working. The online scanners cannot be attacked this way and with a PC that has lots of problems, running an online scan is a good safeguard.
     
  12. 2004/07/16
    austin1616

    austin1616 Inactive Thread Starter

    Joined:
    2004/07/15
    Messages:
    9
    Likes Received:
    0
    Thanks to everyone who replied. I did exactly what I was told and below is the RAV report. I couldn't get to the report screen, so I am pasting the status I got on the main screen. In addition, there is also a report from HJT.

    I want to mention two problems I saw after running these tools:

    1. I have SpywareGuard, which alerts me when the IE search and its parameters are changed by this spyware. I am still getting these alerts after all this.
    2. 123802.dlr is still somehow running on my PC, and it puts an icon on the desktop and in the Start menu. I don't see this .dlr in Explorer under c:\program files\websiteviewer, though it is still running according to HJT.

    Please help.

    RAV Report:
    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\Subhendu Pradhan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loadertraff.jar-52af1ae2-3f46e27c.zip->Counter.class - Trojan:Java/ClassLoader -> Infected
    C:\Documents and Settings\Subhendu Pradhan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loadertraff.jar-52af1ae4-239b7e44.zip->Counter.class - Trojan:Java/ClassLoader -> Infected
    C:\Documents and Settings\Subhendu Pradhan\Local Settings\Temp\sa1A3.tmp.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\Documents and Settings\Subhendu Pradhan\Local Settings\Temp\sa6.tmp.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\Program Files\Internet Explorer\Iesearch.exe - Trojan:Win32/StartPage.NAS -> Infected
    C:\Program Files\WebSiteViewer\123802.exe - Tool:pornDialer.BP -> Infected
    C:\WINNT\wininet32.exe - TrojanProxy/Win32.Agent.AD -> Infected
    C:\WINNT\Downloaded Program Files\svchost.exe - Trojan:Win32/StartPage.AAJ -> Infected
    C:\WINNT\Downloaded Program Files\CONFLICT.1\ISTactivex.dll - TrojanDownloader:Win32/IstBar.FA -> Infected
    C:\WINNT\system32\xib.dll - TrojanDownloader:Win32/PurityScan.D -> Infected
    E:\faxcomins\fcex6.rar->picacu.pif - Win32/Klez.H@mm -> Infected
    E:\install\diskeper\dk4191wi.rar->install.exe - Win32/Klez.H@mm -> Infected

    Scanned
    ============================
    Objects: 101985
    Directories: 12461
    Archives: 6764
    Size(Kb): -1358229
    Infected files: 10

    Found
    ============================
    Viruses found: 8
    Suspicious files: 2
    Disinfected files: 0
    Mail files: 575

    HJT Report:

    Logfile of HijackThis v1.98.0
    Scan saved at 8:48:03 AM, on 7/16/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\Program Files\2Wire\Gateway\2PortalMon.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Internet Explorer\Iesearch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\mscime.exe
    C:\WINNT\system32\msjacc.exe
    C:\WINNT\system32\jqnmgcr.exe
    C:\WINNT\runwin32.exe
    C:\WINNT\wininet32.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\WebSiteViewer\123802.dlr
    C:\EXE\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {30FB3205-9643-0CC4-D153-65557EA72C6A} - C:\WINNT\system32\xib.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINNT\system32\backup.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINNT\dial.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Winhost] C:\WINNT\winh.exe
    O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINNT\system32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
    O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT "
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [s35P32e] mscime.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [d0uFRSK3R] msjacc.exe
    O4 - HKCU\..\Run: [Qrnjvcf] C:\WINNT\system32\jqnmgcr.exe
    O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINNT\wininet32.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O15 - Trusted Zone: *.awmguild.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.vladzone.com
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
     
  13. 2004/07/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You may want to print this out, or save it to text where you can access it in safe mode.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: (no name) - {30FB3205-9643-0CC4-D153-65557EA72C6A} - C:\WINNT\system32\xib.dll
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINNT\system32\backup.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINNT\dial.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [Winhost] C:\WINNT\winh.exe
    O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINNT\system32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
    O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
    O4 - HKLM\..\Run: [s35P32e] mscime.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [d0uFRSK3R] msjacc.exe
    O4 - HKCU\..\Run: [Qrnjvcf] C:\WINNT\system32\jqnmgcr.exe
    O4 - HKCU\..\Run: [runwin32] C:\WINNT\runwin32.exe
    O4 - HKCU\..\Run: [wininet32] C:\WINNT\wininet32.exe
    O15 - Trusted Zone: *.awmguild.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.vladzone.com
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

    Reboot to safe mode and show hidden files and folders.

    Search the drive for the file 2.exe and delete if present.

    Open C: and delete the file 000.exe if present.
    Open C:\WINNT\Downloaded Program Files and delete the file svchost.exe and folder CONFLICT.1.
    Open C:\Program Files and delete the folders WebSiteViewer, SEP and Acceleration Software.
    Open C:\Program Files\Common Files and delete the folder WinTools.
    Open C:\Program Files\Internet Explorer and delete the files guardian.dll, hookDLL.dll, netClient.dll, r_process.dll and Iesearch.exe if present.
    Open C:\WINNT and delete the files runwin32.exe, wininet32.exe, sysh.hta, system.html, guardian.dll, hookDLL.dll, netClient.dll, r_process.dll and winh.exe if present.
    Open C:\WINNT\system32 and delete the files IEHost.exe, dp-him.exe, msjacc.exe, msjacc.exe, xib.dll and jqnmgcr.exe if present.

    Open E:\faxcomins and delete the file fcex6.rar.
    Open E:\install\diskeper and delete the file dk4191wi.rar.

    Open the Java plug-in in the control panel, click the cache tab and then clear.

    Open regedit and navigate to HKEY_CURRENT_USER>Software
    Right-click on the folder WebSiteViewer and select DELETE.
    Right-click on the folder Acceleration Software and select DELETE.
    Right-click on the folder WinTools and select DELETE.

    Locate and delete the following files:
    C:\Documents and Settings\UserName\Desktop\sexcam.lnk
    C:\Documents and Settings\UserName\Start Menu\sexcam.lnk

    Open CWShredder, close ALL other windows and click fix.

    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.

    Reboot back to windows, do another RAV scan and post the results, along with a new HJT log.
     
  14. 2004/07/16
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Dave - still trying to add to my education so a couple of questions.

    - Will your fix take care of Klez and any damage it has already done or does he also need to use the Symantec removal tool from Here?

    - Since Klez usually knocks out the onboard AV, will it recover when the virus is gone or does something need fixing?
     
  15. 2004/07/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If the Klez virus was present, the tool should be run, for ease of removal at least, and AV reinstalled. But did I miss something? :eek: From Symantec:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    In the right pane, look for the following values:

    Wink[random characters] %System%\Wink[random characters].exe
    WQK %System%\Wqk.exe

    I saw no reference to the 'wink' part of the executables, but then I don't always see everything. ;) If I missed it, by all means the tool should be run. It will get the executable in Program Files if present.
     
  16. 2004/07/16
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I think I just flashed on RAV reporting
    E:\faxcomins\fcex6.rar->picacu.pif - Win32/Klez.H@mm -> Infected
    E:\install\diskeper\dk4191wi.rar->install.exe - Win32/Klez.H@mm -> Infected

    and assumed he probably had the bug.

    I missed seeing the .rar in the folder names which should mean they are part of a compressed folder and so safe unless messed with. I gotta learn to read things more slowly and carefully.

    Any thoughts about how one would go about getting a couple copies of the critter stored to disk this way?
     
  17. 2004/07/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I guess I did miss something Newt. I never even looked at what RAV reported the infections to be. I went by the processes running in my diagnosis and proposed fix. My best guess would be that those are downloaded or file transferred, and yet unopened, or possibly even reported in error. Some setup files are written in such a way that they look like something they aren't, especially when still packed. I know I have a program onboard that the setup file has a dll that always gets flagged, but once installed it's no problem. But neither one of those files came up with a Google, so felt they should go to be safe.
     
  18. 2004/07/20
    austin1616

    austin1616 Inactive Thread Starter

    Joined:
    2004/07/15
    Messages:
    9
    Likes Received:
    0
    Hello All, Sorry for the late reply. I was out of town for the last 4 days. Well, things are pretty much the same. I didn't get a chance to work on this. But as I had said earlier, I can't fix anything using HJT. I don't know why, but it gives me the following error when I try to fix:
    -------------------------------------------------------------------
    An unexpected error has occurred at procedure: cmdFix_Click()
    Error #75 - Path/File access error (70 items in results list)

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were doing when the error occurred
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.00.2195
    MSIE version: 6.0.2800.1106
    HijackThis version: 1.98.0

    This message has been copied to your clipboard.
    ----------------------------------------------------------------

    Any takers? I can do the rest. But will it help me? If there is any alternate solution, please let me know.

    Thank you again.
     
  19. 2004/07/21
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello

    Try this free online scan,
    BitDefender AntiVirus Free Scan. Check all boxes except auto clean, then have it delete what it cannot clean. You might also need to turn off any popup blockers: http://www.bitdefender.com/scan/licence.php
    If there are any problems, copy its report back here please.
    Restart the PC afterwards.

    With HijackThis, that error is happening for a few folks. It's been a while since your last post; post a new log please, then when you go to fix things, do so with one or two items at a time.

    Dave, the others or I will be back to help.
     
  20. 2004/07/21
    austin1616

    austin1616 Inactive Thread Starter

    Joined:
    2004/07/15
    Messages:
    9
    Likes Received:
    0
    Lonny, I will scan my PC. But do I have to do anything that noahdfear told me? He had told me a couple of things apart from running HJT. Thank you.
     
  21. 2004/07/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Everything I listed needs to be fixed if still present after doing the scan. What Lonny suggested was try fixing just a few things at a time, rather than all at once, to see if HJT will work without giving you the error message. ;)
     