Virus

**masteripper** · April 28, 2005

Just a simple solution

Run a search and find all of these assosiated to this dialer

Then use the program MoveonBoot from this site http://www.gibinsoft.net/gipoutils/

This will delete all the files on the next startup before windows have a chance of locking them

This should do the job

If not then we will see what to do

**MHz** · April 28, 2005

Just run your programs to remove the pest, then delete all files in your prefetch. Check the programs starting with the system, for any suspicious items. Then you should, with any luck, be ok.

I have had a similar problem like this. The virus would keep coming back. The virus would reappear after a reboot, as the prefetch was respawning it. I set my prefetch to boot only now. Saves these problems from re-occurring.

**member11** · April 28, 2005

go to SAFE MODE and run your antivirus / antispyware. You will have a better result because no file is in use.

**coocy** · April 28, 2005

I tried MS AntiSpyware in Safe mode which detected

and removed the virus/Trojan, but after a few seconds it came back.

This is the Hijackthis log: (Safe Mode):

Logfile of HijackThis v1.99.1

Scan saved at 5:11:14 PM, on 4/28/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Documents and Settings\USER\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [scanRegistry] C:\W

O4 - HKLM\..\Run: [upConfgVer] "C:\Program Files\Panda Software\Panda Antivirus Platinum\UpgConf.exe" /v:7.05.07

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104455146043

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab

O21 - SSODL: SysTray.Ev - {F5B1D0BE-5f02-4255-96DB-388DFA244900} - C:\WINDOWS\System32\mkgicjke.dll (file missing)

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Coocy

**KJxp** · April 28, 2005

>after a few seconds it came back.

What do you mean? Does the virus come back up on the screen? in task manager? in the registry?

**coocy** · April 29, 2005

I mean the wallpaper comes back on the desktop and the c:\windows\web\desktop.html returns. Sort of recreates itself.

**Eaglesam** · April 29, 2005

I think I have seen this spayware before...try this.

open msconfig..got to startup.. check for enteries that does not belong..ie..jkfl or something simeler..trace it's location,either c:\windows or c:\windows\system32..remove these files..by placing the curser on the files you can tell if it is microsoft or not..these files make child file that is found by anti spyware software but they'r never cought.

good luck

**Eaglesam** · April 29, 2005

I think I have seen yhis spyware...try this.

Go to maconfig...start..run..msconfig...

Select startup

Find any entry that does not lbelong..ie...jhfkl or simmeler, trace it's location..usually c:\windows or c:\windows\system32...by pacing the curser on the file you can tell if it is a microsoft file or not soyou don't delette the wrong file..these file's creat a child file which could be detected but not the parent file.

good luck

**coocy** · April 29, 2005

Hi Guys ,

I did the following:

I downloaded GiPo@FileUtilities and used MoveOnBoot to move the file:

C:\Windows\System32\svchosts.dll to another location

Then I rebooted and changed the Desktop wallpaper and deleted the file c:\Windows\Web\desktop.html.

Then ran MS AntiSpyware and the Virus was not detected anymore !!!!!!!!

After that I used your Cleaning Suggestions:

1. booted pc in safe mode

2. Used Ad-Aware SE professional 1.03 Updated. (Not SE Personal 1.05). Ad_watch is now enabled. Hope that will be enough protection along with Spyware Blaster and MS Antispyware.

3. I couldnt get CWshredder to work as it is a .14 file !!?? Don't know how to use it.

4. Installed and ran Spyware Blaster 3.3. Updated.

5. Ran Spybot S&D 1.4 rc2b. Updated.

Then re-booted and repeated 2,4 and 5.

6. Ran CCleaner v1.18.101. Updated. But I didnt clean any registry or issue. Was afraid to. Only Log or txt files.

7. Ran HijackThis 1.99.1 and deleted all the files as you indicated.

8. Ran HijackThis once again and posted the log here:

Logfile of HijackThis v1.99.1

Scan saved at 5:21:22 AM, on 4/29/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\jre\bin\java.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\iPod\bin\iPodService.exe