View Full Version : Persistent pop ups on machine
Hey folks,
I'm trying to help a friend cleanse their machine, as I'm staying with them for a week or so. They're getting a lot of pop ups, and have no anti virus installed. Following the instructions on the sticky, I managed to get rid of... well I won't say how many infected files, but I know some still remained. I've also managed to get rid of some malware, but I'm still getting pop ups so something got missed. Any help would be appreciated.
Here's my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:02:48 PM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\amtkryuA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://members.allrealitypass.com/
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ddyga.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oxfjkox.exe
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwintqez.exe GID003
O4 - HKLM\..\Run: [amtkryuA] C:\WINDOWS\amtkryuA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwintqez.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: msconfig.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: taskmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZBzeb032YYDM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\lv6209joe.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
pskelley
2006-06-23, 14:04
Hello and welcome to the forum. Let me be candid, your friend has some nasty infections. I see Look2me and a Qoologic trojan plus more junk. This junk will attract others so my suggestion would be to stay offline as much as possible until you are clean. If you wish to continue, we will start with the Look2me infection.
Thanks to Atribune and any others who helped with this fix
Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
More info:
If for some reason Look2Me-Destroyer doesn't reopen check that task scheduler is running.
If it isnt you can use sc.exe to start it
start > run sc start schedule press enter.
Thanks...pskelley
Safer Networking Forums
Hi pskelly,
Thanks for the reply. I followed the directions and here's the HT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:58:07 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\amtkryuA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://members.allrealitypass.com/
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ddyga.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oxfjkox.exe
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwintqez.exe GID003
O4 - HKLM\..\Run: [amtkryuA] C:\WINDOWS\amtkryuA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwintqez.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: msconfig.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: taskmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZBzeb032YYDM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Look2Me Destroyer log:
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 6/22/2006 12:51:41 PM
Infected! C:\WINDOWS\system32\f02m0af1ed2.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP132\A0029565.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP132\A0029587.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP132\A0029593.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP133\A0029662.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP133\A0029663.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP134\A0029697.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP134\A0029699.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP134\A0029700.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0029743.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0029744.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0029756.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0029765.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030789.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030836.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030843.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030852.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030857.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030864.dll
Infected! C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030869.dll
Infected! C:\WINDOWS\system32\dnnm0151e.dll
Infected! C:\WINDOWS\system32\dvsapi.dll
Infected! C:\WINDOWS\system32\f02m0af1ed2.dll
Infected! C:\WINDOWS\system32\salwoa.dll
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\f02m0af1ed2.dll
C:\WINDOWS\system32\f02m0af1ed2.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP132\A0029565.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP132\A0029565.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP132\A0029587.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP132\A0029587.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP132\A0029593.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP132\A0029593.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP133\A0029662.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP133\A0029662.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP133\A0029663.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP133\A0029663.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP134\A0029697.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP134\A0029697.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP134\A0029699.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP134\A0029699.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP134\A0029700.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP134\A0029700.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0029743.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0029743.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0029744.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0029744.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0029756.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0029756.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0029765.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0029765.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030789.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030789.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030836.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030836.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030843.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030843.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030852.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030852.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030857.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030857.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030864.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030864.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030869.dll
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP136\A0030869.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\dnnm0151e.dll
C:\WINDOWS\system32\dnnm0151e.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\dvsapi.dll
C:\WINDOWS\system32\dvsapi.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\f02m0af1ed2.dll
C:\WINDOWS\system32\f02m0af1ed2.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\salwoa.dll
C:\WINDOWS\system32\salwoa.dll Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9714A16A-BB0C-4507-AC34-CD5B4767724D}"
HKCR\Clsid\{9714A16A-BB0C-4507-AC34-CD5B4767724D}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
pskelley
2006-06-23, 19:58
Thanks for returning your information, and it looks like you were successful removing Look2me. We are going to remove some junk to see what happens. The Qoologic is the F2 lines and we will need to use a special fix but lets hit it with HJT also to see what happens. Please follow these directions.
1) we need to look at this item:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
Because of where it is running, I believe this may be a problem. I want you to use one or more of these free online scans and post the results for me.
Same thing with this item:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
These both may be safe, so check carefully.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
2) Did you install this program: C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
3) TeaTimer will block the changes we must make, use the instructions to turn it off until you are finished.
http://russelltexas.com/malware/teatimer.htm
Open HJT and choose "Open the misc tools section. Choose "Open process manager" Locate, highlite and Kill Process on these two items:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
Close HJT.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://members.allrealitypass.com/
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ddyga.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oxfjkox.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\pwintqez.exe GID003
O4 - HKLM\..\Run: [amtkryuA] C:\WINDOWS\amtkryuA.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwintqez.exe
O4 - Global Startup: msconfig.exe
O4 - Global Startup: taskmgr.exe
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM G
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZBzeb032YYDM
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe <<< file
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe <<< file
C:\WINDOWS\amtkryuA.exe <<< file
C:\WINDOWS\system32\ddyga.exe <<< file
C:\WINDOWS\system32\oxfjkox.exe <<< file
C:\WINDOWS\system32\pwintqez.exe <<< file
C:\WINDOWS\system32\x3cqp0.dll <<< file
C:\Windows\Prefetch\ >>> delete the contents ([B]NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.
Restart the computer and post a new HJT log along with any comments you think will help. All going well, we will move against that Qoologic trojan next.
Thanks...Phil
Hi Phil,
Thanks for the reply. Here's what I've got so far:
1:
File: msconfig.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 b9caaa2b7fe6a58347fb34521ce9b357
Packers detected:
-
Scanner results
AntiVir
Found Worm/IRCBot.844288
ArcaVir
Found Trojan.Ircbot.Qc
Avast
Found Win32:Ircbot-ZL
AVG Antivirus
Found IRC/BackDoor.SdBot2.CFK
BitDefender
Found Backdoor.RBot.EOG
ClamAV
Found nothing
Dr.Web
Found BackDoor.IRC.Ranm
F-Prot Antivirus
Found W32/Delf.MY
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Backdoor.Win32.IRCBot.qc
NOD32
Found Win32/IRCBot.SH
Norman Virus Control
Found nothing
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found Backdoor.Win32.IRCBot.qc
------------------------------
File: taskmgr.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 f8278fec7fd177e23fc08615a0160004
Packers detected:
-
Scanner results
AntiVir
Found Worm/IRCBot.857088
ArcaVir
Found Trojan.Ircbot.Dd
Avast
Found Win32:Ircbot-ZM
AVG Antivirus
Found IRC/BackDoor.SdBot2.CFL
BitDefender
Found Backdoor.RBot.EOG
ClamAV
Found nothing
Dr.Web
Found BackDoor.IRC.Ranm
F-Prot Antivirus
Found W32/Ircbot.PN
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Backdoor.Win32.IRCBot.dd
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found Backdoor.Win32.IRCBot.dd
-------------------------------
2:
My friend did install Spyware Terminator, however the path that shows up in the shortcut is:
"C:\Program Files\Spyware Terminator\SpywareTerminator.exe"
I'm not familiar enough with the product to know whether or not SpywareTerminatorShield.exe is part of the package that he installed.
3:
Here I've run into a slight problem. I'm running Spybot - Search & Destroy version: 1.4 (build: 20050523) but I don't have the "Resident" entry listed there. I tried restarting in safe mode and logging in as the Administrator to see if that would give it to me but it doesn't. Under Tools I've got:
Secure Shredder
IE Tweaks
System Internals
System Startup
Uninstall Info
Winsock LSPs
Should I be running a different version?
pskelley
2006-06-24, 03:19
Thanks for that feedback, I was about sure those items were bad. I am going to edit the instructions and put them in to be removed.
You can see TeaTimer is activated: O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe try the instructions with it as it is, and if if pops up asking about changes allow them. The option, and we have to do it at times, is to uninstall Spybot and then reinstall it once you are done.
So you will know, this is what I am editing in.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
O4 - Global Startup: msconfig.exe
O4 - Global Startup: taskmgr.exe
Hope this does not confuse you, you can send me a PM with questions if you wish:
http://forums.spybot.info/private.php?do=newpm&u=233
Thanks...Phil
Hey Phil,
Thanks for the help thus far. The one thing that I think you should know, after I ran HJT I checked the startup under Tools. I've got 2 entries unchecked:
C:\WINDOWS\amtkryuA.exe
C:\Program Files\PECarlin\PECarlin.exe
Here's my new log.
Logfile of HijackThis v1.99.1
Scan saved at 11:41:21 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Ares\Ares.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
pskelley
2006-06-24, 14:53
Good morning, The Qoologic trojan has vanished from the log? Let's get an antivirus program on the computer, Windows Security should be screaming about that. Here are three free ones, I personally prefer AVG by Grisoft:
http://free.grisoft.com/freeweb.php
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/
If you want free firewalls let me know, but for now make sure the SP2 firewall is running and that Windows Updates are set to automatic, you want to make sure all critical updates are current.
This item: C:\Program Files\PECarlin\PECarlin.exe is: http://www.castlecops.com/s12854-PECarlin.html
Look in Add Remove programs and uninstall it if there.
This one: C:\WINDOWS\amtkryuA.exe is no doubt bad. We need to be sure they are both gone from the computer, they are not showing in the log. Make sure hidden files and fodlers are enabled: http://www.xtra.co.nz/help/0,,4155-1916458,00.html then use search companion or search manually for the items. If they are there delete:
C:\WINDOWS\amtkryuA.exe <<< file
C:\Program Files\PECarlin\ <<< folder
If you have Windows blocking you, then start the computer in safe mode and do it there:
http://www.bleepingcomputer.com/tutorials/tutorial61.html
This program: C:\Program Files\Ares\Ares.exe see what SpywareInfo has to say:
http://www.spywareinfo.com/articles/p2p/
Ares (Official site offers a "Lite" version without the adware bundles) I would suggest they uninstall the program and use a safe one from the list if the must do p2p files sharing which is dangerous and often illegal, see this:
http://pcpitstop.com/spycheck/p2p.asp
http://pcpitstop.com/spycheck/badtorrent.asp
You have one line of clutter to remove and TeaTimer will probably have to be off:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
If you remove it, make sure a homepage is set in Internet Explorer > Tools > Internet Options > General tab. If it is set to "use blank" that line will come back.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
This next step should be done right away, a lot of junk showed in System Restore in the earlier scans:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
I suggest you get the AV in place, update the software and run a complete system scan, make sure the SP2 firewall is running, then clean the System Restore files. Review the safety information in the links. Keep an eye on things for a couple of day then post a new HJT log so I can take a look. Let me know how the computer is running also.
Thanks...Phil
Hi Phil,
Thanks for the great help so far. The computer's been running great. No more pop ups, and web pages have been loading noticeably faster.
MSIE and Firefox have MSN.com set as the homepage, so hopefully I can get rid of that line and it will stay gone. I'll get these suggestions completed today and post up a log on Monday for review.
Thanks once again!
Ayer
Hey Phil,
Here's the updated log. Ares is still there, mainly because I didn't get a chance to talk to my friend about it due to a very busy weekend. That conversation will happen today though. I got rid of PECarlin, and amdkryuA was no longer there.
Thanks so much for the free AV links. I went with your suggestion - I tried to get into Grisoft originally but they had a website problem so I went with Avanti but it was horribly slow, so back to Grisoft and it worked.
The computer is definitely running better. No more pop ups so far, and the AV found and eliminated a few viruses.
Logfile of HijackThis v1.99.1
Scan saved at 7:49:12 AM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ddyga.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oxfjkox.exe
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [amtkryuA] C:\WINDOWS\amtkryuA.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Ayer
pskelley
2006-06-26, 14:08
Hello Ayer, It is good we checked because the Qoologic trojan is back in the log, I did not believe it would go the easy which is why I asked to see this log. Here are the markers that must be gone when you run the tool:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ddyga.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oxfjkox.exe
This item: O4 - HKLM\..\Run: [amtkryuA] C:\WINDOWS\amtkryuA.exe is also showing in the log, and it may be related to Qoologic? We will deal with any leftovers once the Qoologic trojan is remove. Please follow the directions carefully to be successful.
Please download Brute Force Uninstaller to your desktop. (rightclick on this link and choose save as, if using IE save target as)
http://www.merijn.org/files/bfu.zip
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk [C:] or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
Download qoofix.bat (rightclick on this link and choose save as, if using IE save target as)
http://downloads.subratam.org/Lon/qooFix.bat
Place qoofix.bat in your C:\BFU - folder. (Important!)
Doubleclick qooFix.bat, Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please post another hijackthis log.
Thanks...
Hey Phil,
I'm not sure if I was able to clear the trojan. I closed all the windows, as directed and ran the application but I got some illegal errors. I can rerun if you like, but here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 8:51:44 PM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ddyga.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oxfjkox.exe
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [amtkryuA] C:\WINDOWS\amtkryuA.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
My friend will be uninstalling Ares and installing Ares lite, hopefully tomorrow.
pskelley
2006-06-28, 04:32
Qooogic is still there:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ddyga.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oxfjkox.exe
I will give you more detailed instructions, when it does not work it is almost always because the instructions are not followed. I can only suggest you try again.
Turn off TeaTimer
Detailed instructions by Mieke
Ok, let me explain every step again, but very detailed how to unzip properly and move that qoofix.bat in that folder.
* Rightclick on next link and choose save as: Brute Force Uninstaller
http://www.merijn.org/files/bfu.zip
A new window will open.
You'll see below in the filename-path: bfu.zip
Now edit that filename path to: C:\bfu.zip
Then click save.
Close the windows now.
Then click My computer.
Then click C:\
You should find bfu.zip there.
Now rightclick bfu.zip
Select 'extract all'
A wizard will open.
Click next.
You'll see it will say in the filepath C:\bfu
Click next and click finish.
If you now look on your C:\, you'll find C:\bfu.zip and C:\bfu
Now rightclick on this link: qoofix.bat
http://downloads.subratam.org/Lon/qooFix.bat
Choose save as.
In the filepath, you'll see qoofix.bat
Now change that to C:\bfu\qoofix.bat and choose save.
This will place the qoofix.bat in the C:\bfu folder.
Then go to the BFU folder and doubleclick qoofix.bat.
This should start the fix.
It will also ask to reboot. After reboot, post a new hijackthislog in your next reply
The trojan must go, don't be afraid to run it more than once, but do follow those instructions.
Once this is done, you need to start the computer in safe mode:
http://www.bleepingcomputer.com/tutorials/tutorial61.html
Locate and delete this file:
C:\WINDOWS\amtkryuA.exe <<< delete that file.
Thanks
Hey Phil,
Ok, I ran a HJT and verified that TeaTimer was running by searching for it. Then I removed it from startup (couldn't find another way to stop it) and restarted. I shut down just about everything, and reran HJT. A search for "tea" in the log found nothing. I tried again and this was the result.
This error popped up 3 times:
http://img297.imageshack.us/img297/3120/error15xj.jpg (http://imageshack.us)
And this was the final screen:
http://img273.imageshack.us/img273/7719/error27dd.th.jpg (http://img273.imageshack.us/my.php?image=error27dd.jpg)
Here is the HJT log from right after it all failed:
Logfile of HijackThis v1.99.1
Scan saved at 10:54:02 AM, on 6/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ddyga.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oxfjkox.exe
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [amtkryuA] C:\WINDOWS\amtkryuA.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Umm... help.
pskelley
2006-06-28, 19:03
I am going to ask the author of the QooFix to take a look to see if he can help us. Be patient until he gets back to us.
Thanks...
Wow, thanks! You guys are awesome.
LonnyRJones
2006-06-29, 00:40
Hi
Try the fix on this page for your paticular system
fixautont.html: http://www.tech-forums.net/computer/topic/29806.html
Restart your pc afterwards and try running qoofix again
Ok,
I still got those errors, but this time it seems to have run through and asked me to restart. A quick scan of the log didn't show those entries.
Logfile of HijackThis v1.99.1
Scan saved at 1:47:05 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [amtkryuA] C:\WINDOWS\amtkryuA.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
pskelley
2006-07-01, 20:19
That looks like it got rid of the Qoologic trojan, thanks Lonny for your help. Ayer, we still have an item to get rid of:
Make sure you can see all files and folders:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Turn off Spyware Terminator in case it is blocking changes.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [amtkryuA] C:\WINDOWS\amtkryuA.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Navigate to C:\WINDOWS\amtkryuA.exe <<< and delete that file
That item must go, if it is not in C:\Windows\ use Search Companion to find it. You can also download and use this tool to hit all hiding places at once:
http://forums.security-central.us/showthread.php?t=1925
Here are the instructions:
Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Let me know how you make out,
Thanks
hey Phil.
Thanks for all the help. I apologize for the delay in response. I`ve been travelling and didn`t get a chance to log back in. I`m not at that location anymore so this can probably get closed out. I bookmarked the thread for my friend so they can refer to it and get it reopened if necessary.
once again, thank you so much.
pskelley
2006-07-07, 15:31
tashi:) you can close this one.