Bubba Bob, posted November 6, 2006

OK, a coworker was kind enough to lend me a dirty thumbdrive. Suddenly I have "Virus BLuster" as well as several nasty processes running. Also, I'm getting R-rated pop-ups and fake virus warnings. My IE home page has also been hijacked. Help is appreciated. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:45:48 PM, on 11/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ishost.exe
D:\WINDOWS\system32\isnotify.exe
D:\WINDOWS\system32\issearch.exe
D:\WINDOWS\system32\ismini.exe
G:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\ipwins\ipwins.exe
D:\Program Files\Common Files\{4CC10404-0A21-1033-0628-040403240001}\Update.exe
G:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
D:\Program Files\Skype\Phone\Skype.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\CTSvcCDA.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
G:\Program Files\Opera\Opera.exe
D:\DOCUME~1\Admin\LOCALS~1\Temp\b104.exe
D:\HJT\HijackThis.exe

O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - D:\WINDOWS\system32\ixt2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [CTSysVol] g:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [updReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ipWins] D:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] G:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
Dragon, posted November 6, 2006

Hi Bubba,

Give me a sec to research the log and we will get you all cleaned up.
Bubba Bob (author), posted November 6, 2006

Great, thanks Dragon. I've got Sygate fighting them off with sticks right now.
Dragon, posted November 6, 2006

Please look over the following entries I have listed, run HijackThis again and check them, and then, making sure you have no Internet Explorer windows open, including this one, press the "Fix Checked" button in HijackThis. Reboot if I have specified below, and post a fresh HijackThis log.

O4 - HKLM\..\Run: [ipWins] D:\Program Files\ipwins\ipwins.exe

After this, reboot into safe mode (this can be done by tapping F8 while your machine restarts) and delete the following files:

D:\WINDOWS\system32\ishost.exe
D:\WINDOWS\system32\isnotify.exe
D:\WINDOWS\system32\issearch.exe
D:\WINDOWS\system32\ismini.exe
D:\Program Files\ipwins\ipwins.exe
D:\Program Files\Common Files\{4CC10404-0A21-1033-0628-040403240001}\Update.exe

Note: Make sure you have set Windows to show hidden files & folders before you start deleting them. This can be done by following the instructions at this webpage: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Bubba Bob (author), posted November 6, 2006

Logfile of HijackThis v1.99.1
Scan saved at 8:34:06 PM, on 11/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
G:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
D:\Program Files\Skype\Phone\Skype.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\CTSvcCDA.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
G:\Program Files\Opera\Opera.exe
D:\WINDOWS\system32\wuauclt.exe
D:\HJT\HijackThis.exe

O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - D:\WINDOWS\system32\ixt2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [CTSysVol] g:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [updReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [smcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Creative MediaSource Go] G:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
Dragon, posted November 6, 2006

Sorry BubbaBob, I missed one on my previous review.

Run HijackThis again and check this entry, and then, making sure you have no Internet Explorer windows open, including this one, press the "Fix Checked" button in HijackThis. Reboot if I have specified below, and post a fresh HijackThis log.

O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - D:\WINDOWS\system32\ixt2.dll

After this, reboot into safe mode and delete the following file:

D:\WINDOWS\system32\ixt2.dll
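The triage Dragon did by hand in the two posts above (spot the odd running processes, then find and fix every HijackThis entry that loads them before deleting the files, which is the step that was missed with the ixt2.dll BHO) can be scripted as a first pass. The following is an added example by the editor, not HijackThis code and not anything posted in this thread. The heuristics (a process running from a Temp or GUID-named directory, an unnamed BHO that is not on an allowlist) are the editor's own assumptions, not a published signature set; the allowlist contains the Spybot S&D SDHelper CLSID visible in the poster's log; the sample log is a constructed excerpt abridged from the first log posted above.

```python
"""Heuristic first pass over a HijackThis v1.99 log.

Added example for this thread; it is not HijackThis code, and the rules
below are the editor's own assumptions, not a published signature set.
"""
import re

# Constructed sample: abridged from the first log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ishost.exe
D:\Program Files\ipwins\ipwins.exe
D:\Program Files\Common Files\{4CC10404-0A21-1033-0628-040403240001}\Update.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\DOCUME~1\Admin\LOCALS~1\Temp\b104.exe
D:\HJT\HijackThis.exe

O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - D:\WINDOWS\system32\ixt2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ipWins] D:\Program Files\ipwins\ipwins.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
GUID_DIR_RE = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}\\")

# Spybot S&D's SDHelper registers as a "(no name)" BHO, so it needs an
# allowlist entry; its CLSID is the one visible in the poster's log.
KNOWN_GOOD_BHO = frozenset({"{53707962-6F74-2D53-2644-206D7942484F}"})


def parse_hjt(text):
    """Split a log into (running process paths, [(section code, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # the first O-line ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def flag_processes(processes):
    """Processes whose location alone is odd for a program that persists."""
    hits = []
    for path in processes:
        if "\\temp\\" in path.lower():
            hits.append((path, "runs from a Temp directory"))
        elif GUID_DIR_RE.search(path):
            hits.append((path, "runs from a GUID-named directory"))
    return hits


def flag_bhos(entries, allow=KNOWN_GOOD_BHO):
    """Unnamed browser helper objects not on the allowlist, as (CLSID, DLL)."""
    allowed = {c.upper() for c in allow}
    hits = []
    for code, body in entries:
        m = BHO_RE.match(body) if code == "O2" else None
        if m and m.group(1) == "(no name)" and m.group(2).upper() not in allowed:
            hits.append((m.group(2), m.group(3)))
    return hits


def references(entries, filename):
    """Every HJT entry mentioning a file: the load points to fix before deleting it."""
    needle = filename.lower()
    return [f"{code} - {body}" for code, body in entries if needle in body.lower()]


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    for path, why in flag_processes(procs):
        print(f"process  {path}  <- {why}")
    for clsid, dll in flag_bhos(ents):
        print(f"bho      {dll}  <- unnamed BHO {clsid}")
    for name in ("ipwins.exe", "ixt2.dll", "ishost.exe"):
        print(f"{name}: load points {references(ents, name) or 'none visible'}")
```

Run against the full log rather than the excerpt, `references()` is the useful part: a file with no O-line load point (ishost.exe and its siblings here) is being started by something else that is still present, which is exactly why the unnamed BHO had to come out in the same pass.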
Bubba Bob (author), posted November 6, 2006

Heh, I knew something wasn't quite right.... Clean?

Logfile of HijackThis v1.99.1
Scan saved at 8:47:28 PM, on 11/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\CTSvcCDA.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
G:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\system32\lexpps.exe
G:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
D:\Program Files\Skype\Phone\Skype.exe
G:\Program Files\Opera\Opera.exe
D:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [CTSysVol] g:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [updReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [smcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Creative MediaSource Go] G:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
Dragon, posted November 6, 2006

Are you still getting the pop-ups that you mentioned earlier? If not, then your system is clean. What you had was a version of PurityScan adware installed.
Bubba Bob (author), posted November 6, 2006

None so far, thanks Dragon.
Dragon, posted November 6, 2006

Since this issue appears to be resolved, this topic has been closed. Glad we could help. If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread. Everyone else, please begin a new topic.