masteripper Posted April 28, 2005

Just a simple solution: run a search and find all of the files associated with this dialer. Then use the program MoveOnBoot from this site: http://www.gibinsoft.net/gipoutils/ This will delete all the files on the next startup, before Windows has a chance of locking them. This should do the job. If not, then we will see what to do.
MHz Posted April 28, 2005

Just run your programs to remove the pest, then delete all files in your prefetch. Check the programs starting with the system for any suspicious items. Then you should, with any luck, be OK. I have had a similar problem to this. The virus would keep coming back; it would reappear after a reboot, as the prefetch was respawning it. I set my prefetch to boot only now. Saves these problems from re-occurring.
member11 Posted April 28, 2005

Go to Safe Mode and run your antivirus / antispyware. You will have a better result because no file is in use.
coocy (Author) Posted April 28, 2005

I tried MS AntiSpyware in Safe Mode, which detected and removed the virus/Trojan, but after a few seconds it came back. This is the HijackThis log (Safe Mode):

Logfile of HijackThis v1.99.1
Scan saved at 5:11:14 PM, on 4/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\USER\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [scanRegistry] C:\W
O4 - HKLM\..\Run: [upConfgVer] "C:\Program Files\Panda Software\Panda Antivirus Platinum\UpgConf.exe" /v:7.05.07
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104455146043
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O21 - SSODL: SysTray.Ev - {F5B1D0BE-5f02-4255-96DB-388DFA244900} - C:\WINDOWS\System32\mkgicjke.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Coocy
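A log like the one above is read by hand in the thread. As an added example (not code from HijackThis or from any poster), here is a small triage script that parses the O-lines and orders them for review using four heuristics of my own: entries in load points that almost nothing legitimate uses (O20, O21), entries whose target file is gone, file names one character away from a Windows system binary (the svchosts.dll the thread removes is exactly that), and random-looking file names like mkgicjke.dll. The sample log is constructed: five lines are copied from the log above and the O4 svchosts entry is made up, since the thread names the file but never shows how it was loaded. The heuristics produce false positives, so the output is a reading order, not a verdict.

```python
import re

# Windows binaries that malware likes to imitate by one character
# (svchosts.dll, lsasss.exe, ...). Editor's list, not exhaustive.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "smss", "winlogon",
                "services", "explorer", "spoolsv"}

# Load points with almost no legitimate users on an XP box; anything here is
# worth a look even when HijackThis reports the file as missing.
HIGH_RISK_SECTIONS = {
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O21": "ShellServiceObjectDelayLoad (SSODL)",
}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path in the entry that ends in a loadable extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe|ocx|sys)\b', re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def file_stem(path):
    """'C:\\WINDOWS\\System32\\mkgicjke.dll' -> 'mkgicjke'"""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].strip('" ')
    return name.rsplit(".", 1)[0].lower()


def looks_random(stem):
    """Crude entropy proxy: 8+ letters with a quarter or fewer vowels."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) <= 0.25


def triage(log_text):
    """Return findings as dicts: {'section', 'path', 'reasons', 'raw'}."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if not m:                      # header and process-list lines
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(0) if pm else None
        stem = file_stem(path) if path else ""
        reasons = []
        if section in HIGH_RISK_SECTIONS:
            reasons.append("loads from " + HIGH_RISK_SECTIONS[section])
        if "(file missing)" in body or body.endswith("(no file)"):
            reasons.append("orphaned entry: the file it loads is gone")
        if stem and stem not in SYSTEM_NAMES and any(
                edit_distance(stem, s) == 1 for s in SYSTEM_NAMES):
            reasons.append("file name imitates a Windows system binary")
        if looks_random(stem):
            reasons.append("random-looking file name")
        if reasons:
            findings.append({"section": section, "path": path,
                             "reasons": reasons, "raw": raw})
    return findings


# Constructed sample: lines copied from the thread's log plus one made-up
# O4 entry for the svchosts.dll file the thread later removed.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [svchosts] C:\WINDOWS\System32\svchosts.dll
O21 - SSODL: SysTray.Ev - {F5B1D0BE-5f02-4255-96DB-388DFA244900} - C:\WINDOWS\System32\mkgicjke.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], f["path"] or "(no path)")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the full log above, the script puts the O21 SSODL entry first for all three reasons at once (a rarely used load point, a file that is already gone, and a name with no dictionary structure), which is the entry the thread's cleanup also turned out to hinge on. An orphaned SSODL entry is still worth fixing in HijackThis: the DLL is gone, but the loader that pointed at it is evidence of what was installed.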
KJxp Posted April 28, 2005

> after a few seconds it came back.

What do you mean? Does the virus come back up on the screen? In Task Manager? In the registry?
coocy (Author) Posted April 29, 2005

I mean the wallpaper comes back on the desktop and the c:\windows\web\desktop.html returns. It sort of recreates itself.
Eaglesam Posted April 29, 2005

I think I have seen this spyware before. Try this: open msconfig, go to Startup, and check for entries that do not belong, i.e. jkfl or something similar. Trace its location, either c:\windows or c:\windows\system32, and remove these files. By placing the cursor on the files you can tell if it is Microsoft or not. These files make a child file that is found by anti-spyware software, but they're never caught. Good luck.
Eaglesam Posted April 29, 2005

I think I have seen this spyware. Try this: go to msconfig (Start, Run, msconfig), select Startup, and find any entry that does not belong, i.e. jhfkl or similar. Trace its location, usually c:\windows or c:\windows\system32. By placing the cursor on the file you can tell if it is a Microsoft file or not, so you don't delete the wrong file. These files create a child file which could be detected, but not the parent file. Good luck.
coocy (Author) Posted April 29, 2005

Hi guys, I did the following:

I downloaded GiPo@FileUtilities and used MoveOnBoot to move the file C:\Windows\System32\svchosts.dll to another location. Then I rebooted, changed the desktop wallpaper and deleted the file c:\Windows\Web\desktop.html. Then I ran MS AntiSpyware and the virus was not detected anymore!

After that I used your cleaning suggestions:
1. Booted the PC in Safe Mode.
2. Used Ad-Aware SE Professional 1.03, updated (not SE Personal 1.05). Ad-Watch is now enabled. Hope that will be enough protection along with Spyware Blaster and MS AntiSpyware.
3. I couldn't get CWShredder to work as it is a .14 file!? Don't know how to use it.
4. Installed and ran Spyware Blaster 3.3, updated.
5. Ran Spybot S&D 1.4 rc2b, updated. Then rebooted and repeated 2, 4 and 5.
6. Ran CCleaner v1.18.101, updated. But I didn't clean any registry or issue; I was afraid to. Only log or txt files.
7. Ran HijackThis 1.99.1 and deleted all the files as you indicated.
8. Ran HijackThis once again and posted the log here:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:22 AM, on 4/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\USER\My Documents\Antivirus\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [scanRegistry] C:\W
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Maybe you can advise on this log too. I also downloaded Firefox. I'll check that out.

Coocy
coocy (Author) Posted April 29, 2005

Thanks for all the suggestions and help everybody :).
Martin Zugec Posted April 29, 2005

That log looks clear... Using PFR to remove infected files is quite an effective way. Dman and I are working on a tool that will automate this process for removing spyware infections from a PC.
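The "PFR" in the post above, and the MoveOnBoot trick from the first reply, are the same mechanism: the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which the session manager processes at the next boot, before the file can be locked again. As an added example (not code from GiPo@FileUtilities or from the tool Martin Zugec mentions), here is an encoder and decoder for that value, plus a guarded reader for the live key. The layout assumed is the one the MoveFileEx documentation describes for MOVEFILE_DELAY_UNTIL_REBOOT: strings come in pairs, the source as an NT path (\??\C:\...), then the destination, where an empty string means delete and a leading "!" means replace an existing file. The queued operations are constructed for the example; only the svchosts.dll path comes from the thread.

```python
# PendingFileRenameOperations: how a MoveOnBoot-style delete is queued, and
# how to read what is already queued (a useful incident-response check, since
# malware uses the same key to swap files in at boot).

PFR_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PFR_VALUE = "PendingFileRenameOperations"


def to_nt_path(win_path):
    """C:\\foo -> \\??\\C:\\foo (already-converted paths pass through)."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def encode_pfr(ops):
    """ops: iterable of (source, destination); destination None = delete.
    Returns the string list exactly as the value stores it (pairs, in order)."""
    strings = []
    for src, dst in ops:
        strings.append(to_nt_path(src))
        # "" = delete at boot; "!" = MOVEFILE_REPLACE_EXISTING on the target
        strings.append("" if dst is None else "!" + to_nt_path(dst))
    return strings


def decode_pfr(strings):
    """Inverse of encode_pfr: list of (source, destination, action).
    A dangling odd element (malformed value) is ignored."""
    ops = []
    for i in range(0, len(strings) - len(strings) % 2, 2):
        src, dst = strings[i], strings[i + 1]
        if dst == "":
            ops.append((src, None, "delete"))
        elif dst.startswith("!"):
            ops.append((src, dst[1:], "replace"))
        else:
            ops.append((src, dst, "move"))
    return ops


def multi_sz_to_bytes(strings):
    """REG_MULTI_SZ as stored in the hive: UTF-16LE, every string
    NUL-terminated, then one extra NUL.  Empty strings (the delete marker)
    must survive the round trip."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"


def bytes_to_multi_sz(data):
    """Parse raw REG_MULTI_SZ bytes, e.g. read out of an offline SYSTEM hive."""
    text = data.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]             # drop the list terminator only
    if not text:
        return []
    parts = text.split("\0")
    if parts[-1] == "":              # terminator of the last string
        parts.pop()
    return parts


def read_live_pfr():
    """Read the real value on a Windows host; [] elsewhere or when unset."""
    try:
        import winreg
    except ImportError:
        return []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PFR_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, PFR_VALUE)
    except OSError:
        return []
    return decode_pfr(value)     # winreg returns REG_MULTI_SZ as a list of str


if __name__ == "__main__":
    # Constructed queue: the thread's svchosts.dll delete plus a made-up replace.
    queued = encode_pfr([
        (r"C:\WINDOWS\System32\svchosts.dll", None),
        (r"C:\Temp\hosts.new", r"C:\WINDOWS\System32\drivers\etc\hosts"),
    ])
    raw = multi_sz_to_bytes(queued)
    for src, dst, action in decode_pfr(bytes_to_multi_sz(raw)):
        print(f"{action:8} {src} -> {dst or '(delete)'}")
    for src, dst, action in read_live_pfr():
        print(f"LIVE {action:8} {src} -> {dst or '(delete)'}")
```

Writing the value needs administrator rights and the NT path form; a plain "C:\..." source is silently ignored at boot, which is why to_nt_path is applied to both sides. On a machine you are cleaning, run read_live_pfr() before rebooting: if something other than the file you queued is listed, particularly a replace whose target is under \WINDOWS\System32, the infection is using the same key to reinstall itself.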
member11 Posted April 29, 2005

> Thanks for all the suggestions and help everybody :).

Do you still have the same problem?
lesmich50 Posted April 29, 2005

Since you scanned with MS AntiSpyware, go to their SpyNet site at http://www.spynet.com/ and see if you can get some help from that site.

Cheers,
Mitch
tarquel Posted April 30, 2005

> 3. I couldn't get CWShredder to work as it is a .14 file!? Don't know how to use it.

That ain't right, lol. Try downloading it again from: http://cwshredder.net/bin/CWShredder.exe
and for reference (in case the link is invalid) here's the referring web page; you'll want the "Stand-Alone" version: http://www.intermute.com/products/cwshredder.html
Don't know if it'll help with this one, but there you go anyhow.

Also, you could check this: open up the Display Properties window and choose the following:
- [Desktop] tab
- [Customize Desktop] button
- On the "Desktop Items" window that appears, choose the [Web] tab
and make sure you only have "My Current Home Page" listed there, which should be unticked. Any other entries, unless you know what they are, should be selected and deleted. This may/should help a bit with deleting some files that are causing the problem.

Regards,
Nath.
coocy (Author) Posted April 30, 2005

No, I don't have the virus any more. At this moment I have no problem. I just downloaded CWShredder again and I'll use it later. Now I am looking at switching from Internet Explorer to either Firefox, Netscape or Opera. Any suggestions?

Coocy