Martint Posted February 10, 2006 (edited)

Apparently, my sister (a really stupid person, if you ever met her in real life) clicked on one of those AIM links. You know those viruses where it sends out a message to click here for a picture or something. Ya.. and my sister clicked on it and it downloaded a file called picture75.pif... Gah.. I hate her so much (no.. not just for downloading this shit... but other shit too.. gah I hate her).. New HJT log at bottom.

Edited February 12, 2006 by sixpacgenius
bozodog Posted February 11, 2006

Do you mean Avast didn't flag it as bad? Or did she click right past the warning? If that's the case..... she needs her net connection taken away.
Martint (Author) Posted February 11, 2006

Well, the thing is that I wasn't here when she clicked the link (I was at school, something she needs to go to). So, I don't know if Avast checked up on it or not. Remember, it's a .pif file, and when I was reading about them, they can do some nasty shit.
Besttechie Posted February 12, 2006

Hey,

Okay, please download AIMFix from here and run it:
http://www.jayloden.com/AIMFix.exe

Reboot, then post a new HJT log and let me know how the machine is running.

B
Martint (Author) Posted February 12, 2006

Thanks besttechie. Well, ya, I ran the AIM thingy, it deleted some files. But now, I think the virus "came out" today. I got a whole bunch of Virus Found!! alerts, etc.. ha, some of those things are obvious crap, but I don't want to delete anything until a professional tells me to do so.

Logfile of HijackThis v1.99.1
Scan saved at 3:54:00 PM, on 2/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\FileServer\bin\stable\apache\apache.exe
C:\WINDOWS\bouqfipA.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
F:\FileServer\bin\stable\hmailserver\bin\hMailServer.exe
F:\FileServer\bin\stable\apache\apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HIJackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bouqfipA] C:\WINDOWS\bouqfipA.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132706573187
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B0CBF08-6BCD-496F-84BA-8EB045646433}: NameServer = 68.87.68.162,68.87.74.162
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - F:\FileServer\bin\stable\apache\apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - F:\NetServer\bin\stable\filezilla\Filezilla Server.exe (file missing)
O23 - Service: hMailServer - hMailServer - F:\FileServer\bin\stable\hmailserver\bin\hMailServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
Besttechie Posted February 12, 2006

Ok, can you download it again, run it, reboot, and post me the AIMFix log and a new HJT log. It was updated yesterday, so we'll see.

B
Martint (Author) Posted February 12, 2006

Well, I ran the AIMFix and HJT 10 minutes ago. I already posted the HJT log. Here is the AIMFix log:

AIMFix version: 1.5.211.2244
SeDebug Privilege set successfully
***ANY VIRUS FILES REMOVED WILL BE LISTED BELOW***
ServiceExists(): Found service msdirectx
FU rootkit detected!
AIMFix set to run at startup in RunOnce
ServiceExists(): Found service msdirectx
StopService(): failed on call to ControlService() for "msdirectx": The service has not been started.
Service msdirectx successfully disabled
Service msdirectx successfully deleted
Reboot requested by user
ServiceExists(): Found service lsass
StopService(): failed on call to ControlService() for "lsass": The requested control is not valid for this service.
Service lsass successfully disabled
Service lsass successfully deleted
ServiceExists(): Found service Windows Overlay Components
Service Windows Overlay Components successfully stopped
Service Windows Overlay Components successfully disabled
Service Windows Overlay Components successfully deleted
Found HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\susse
Found HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\susse
Removed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\susse
Found HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsysupd
Found HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsysupd
Removed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsysupd
C:\windows\winsysupd7.exe quarantined
Found HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gimmygames
Found HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gimmygames
Removed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gimmygames
C:\\gimmygames.exe quarantined
Found HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsysban
Found HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsysban
Removed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsysban
KillProcByName(): Process C:\windows\winsysban7.exe found, PID of 252
KillProcByName(): C:\windows\winsysban7.exe successfully terminated.
C:\windows\winsysban7.exe quarantined
C:\ucmoreiex.exe found, attempting to remove...
C:\ucmoreiex.exe quarantined
C:\WINDOWS\gimmygames.exe found, attempting to remove...
C:\WINDOWS\gimmygames.exe quarantined
C:\WINDOWS\scvhost.exe found, attempting to remove...
KillProcByName(): Process C:\WINDOWS\scvhost.exe found, PID of 1392
KillProcByName(): C:\WINDOWS\scvhost.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\scvhost.exe found, PID of 1392
KillProcByName(): C:\WINDOWS\scvhost.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\scvhost.exe found, PID of 1392
KillProcByName(): C:\WINDOWS\scvhost.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\scvhost.exe found, PID of 1392
KillProcByName(): C:\WINDOWS\scvhost.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\scvhost.exe found, PID of 1392
KillProcByName(): C:\WINDOWS\scvhost.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\scvhost.exe found, PID of 1392
KillProcByName(): C:\WINDOWS\scvhost.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\scvhost.exe found, PID of 1392
KillProcByName(): C:\WINDOWS\scvhost.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\scvhost.exe found, PID of 1392
KillProcByName(): C:\WINDOWS\scvhost.exe successfully terminated.
C:\WINDOWS\scvhost.exe quarantined
C:\WINDOWS\system32\wgse.exe found, attempting to remove...
KillProcByName(): Process C:\WINDOWS\system32\wgse.exe found, PID of 1352
KillProcByName(): C:\WINDOWS\system32\wgse.exe successfully terminated.
C:\WINDOWS\system32\wgse.exe quarantined
C:\WINDOWS\system32\hpsw.exe found, attempting to remove...
KillProcByName(): Process C:\WINDOWS\system32\hpsw.exe found, PID of 316
KillProcByName(): C:\WINDOWS\system32\hpsw.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\system32\hpsw.exe found, PID of 316
KillProcByName(): C:\WINDOWS\system32\hpsw.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\system32\hpsw.exe found, PID of 316
KillProcByName(): C:\WINDOWS\system32\hpsw.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\system32\hpsw.exe found, PID of 316
KillProcByName(): C:\WINDOWS\system32\hpsw.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\system32\hpsw.exe found, PID of 316
KillProcByName(): C:\WINDOWS\system32\hpsw.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\system32\hpsw.exe found, PID of 316
KillProcByName(): C:\WINDOWS\system32\hpsw.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\system32\hpsw.exe found, PID of 316
KillProcByName(): C:\WINDOWS\system32\hpsw.exe successfully terminated.
KillProcByName(): Process C:\WINDOWS\system32\hpsw.exe found, PID of 316
KillProcByName(): C:\WINDOWS\system32\hpsw.exe successfully terminated.
C:\WINDOWS\system32\hpsw.exe quarantined
Profile for acow edited to remove possible virus code.
Profile for freshrice678 edited to remove possible virus code.
Profile for itsme3130 edited to remove possible virus code.
Profile for lightlessgenius edited to remove possible virus code.
Profile for ostrianiel edited to remove possible virus code.
Profile for pmpkn84 edited to remove possible virus code.
Profile for purplegenius edited to remove possible virus code.
Profile for recent IM ScreenNames edited to remove possible virus code.
Profile for redchaman edited to remove possible virus code.
Profile for sixpacgenius edited to remove possible virus code.
Profile for sixpacgenius1 edited to remove possible virus code.
Profile for sixpacgenius5 edited to remove possible virus code.
Profile for sixpacgenius6 edited to remove possible virus code.
Profile for sumyth81 edited to remove possible virus code.
***RUN COMPLETED. ANY FILES REMOVED LISTED ABOVE***
----------------------------------------------------------
AIMFix version: 1.5.211.2244
SeDebug Privilege set successfully
***ANY VIRUS FILES REMOVED WILL BE LISTED BELOW***
Found HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\susse
Found HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\susse
Removed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\susse
***RUN COMPLETED. ANY FILES REMOVED LISTED ABOVE***
----------------------------------------------------------
AIMFix version: 1.5.211.2244
SeDebug Privilege set successfully
***ANY VIRUS FILES REMOVED WILL BE LISTED BELOW***
***RUN COMPLETED. ANY FILES REMOVED LISTED ABOVE***
----------------------------------------------------------
Besttechie Posted February 12, 2006

Ok, go to Add/Remove Programs and uninstall NewDotNet, reboot, post a new HJT log.

B
Martint (Author) Posted February 12, 2006

Here ya go.

Logfile of HijackThis v1.99.1
Scan saved at 5:06:10 PM, on 2/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\bouqfipA.exe
C:\WINDOWS\system32\ctfmon.exe
F:\FileServer\bin\stable\apache\apache.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
F:\FileServer\bin\stable\hmailserver\bin\hMailServer.exe
F:\FileServer\bin\stable\apache\apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HIJackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bouqfipA] C:\WINDOWS\bouqfipA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132706573187
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B0CBF08-6BCD-496F-84BA-8EB045646433}: NameServer = 68.87.68.162,68.87.74.162
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - F:\FileServer\bin\stable\apache\apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - F:\NetServer\bin\stable\filezilla\Filezilla Server.exe (file missing)
O23 - Service: hMailServer - hMailServer - F:\FileServer\bin\stable\hmailserver\bin\hMailServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
Besttechie Posted February 12, 2006

Ok, close all windows except HJT and have it fix the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [bouqfipA] C:\WINDOWS\bouqfipA.exe
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

Then reboot into safe mode:
http://besttechie.net/content/view/20/32/ <-- How to boot to safe mode

From safe mode, delete the following file(s) and/or folder(s) in red (if present):

C:\WINDOWS\bouqfipA.exe <-- delete the file

Then reboot into normal mode and post a new HJT log.

Good luck!

B
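The check Besttechie does by hand between one HJT log and the next, written out as an added example (not code from the thread, from HijackThis or from AIMFix): it parses two pasted logs, confirms the entries on the fix list are gone after the fix and reboot, and flags the entry types this thread turned up (a Run key launching an .exe straight from C:\WINDOWS, the O10 New.Net hijack, the text/html filter, a service with a missing binary, a redirected search page). The two sample logs and the fix list are constructed slices of a few lines each, not full scans.

```python
"""Diff two HijackThis 1.99.1 logs and check a helper's fix list against the later one.
Added example; the sample logs below are constructed slices, not full scans."""
import re
from urllib.parse import urlparse

# One HJT entry: section code ("R0".."R3" or "O1".."O23"), " - ", body.
# "Running processes:" paths carry no code and are skipped on purpose.
HJT_LINE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text: str) -> list[str]:
    """Return the R/O entries of a pasted HJT log, in log order."""
    return [ln.strip() for ln in text.splitlines() if HJT_LINE.match(ln.strip())]


def flag_entry(line: str) -> list[str]:
    """Reasons an entry deserves a second look. Review prompts, not verdicts."""
    section, body = HJT_LINE.match(line).groups()
    reasons = []
    if section in ("R0", "R1"):
        # IE start/search page redirected away from the vendor defaults.
        m = re.search(r"= (\S+)$", body)
        host = urlparse(m.group(1)).hostname if m else None
        if host and not host.endswith(("microsoft.com", "msn.com")):
            reasons.append(f"IE search/start page points at {host}")
    if section == "O4" and re.search(r"C:\\WINDOWS\\[^\\]+\.exe", body, re.I):
        # Run key launching an .exe dropped straight into C:\WINDOWS
        # (bouqfipA.exe in the thread) rather than into a program folder.
        reasons.append("autorun of an executable placed directly in C:\\WINDOWS")
    if section == "O10":
        # HJT reports Winsock LSP hijacks here; New.Net produced five in the thread.
        reasons.append("Winsock (LSP) hijack")
    if section == "O18" and body.startswith("Filter: text/html"):
        # A text/html MIME filter sees every page the browser renders.
        reasons.append("text/html MIME filter installed")
    if section == "O23" and "(file missing)" in body and '"' not in body:
        # Service whose binary is gone. The quote test skips the thread's avast!
        # entries, which carry "(file missing)" only because HJT kept the closing
        # quote and the /service argument as part of the path.
        reasons.append("service binary missing")
    return reasons


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Entries only in the earlier log (removed) and only in the later one (added)."""
    b, a = parse_hjt(before), parse_hjt(after)
    b_set, a_set = set(b), set(a)
    return [e for e in b if e not in a_set], [e for e in a if e not in b_set]


def verify_cleanup(before: str, after: str, fix_list: str) -> dict:
    """Check a 'have HJT fix the following' list against the post-reboot log."""
    removed, added = diff_logs(before, after)
    after_set = set(parse_hjt(after))
    wanted = parse_hjt(fix_list)
    return {
        "fixed": [e for e in wanted if e not in after_set],
        "still_present": [e for e in wanted if e in after_set],
        "removed_total": len(removed),
        "new_entries": added,
        "review": [(e, flag_entry(e)) for e in parse_hjt(after) if flag_entry(e)],
    }


# Constructed sample: a slice of the log before the fix ...
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\bouqfipA.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [bouqfipA] C:\WINDOWS\bouqfipA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Hijacked Internet access by New.Net
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

# ... and the same slice after the HJT fix, the New.Net uninstall and a reboot.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# The entries the helper asked HJT to fix, pasted as given.
FIX_LIST = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O4 - HKLM\..\Run: [bouqfipA] C:\WINDOWS\bouqfipA.exe
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

if __name__ == "__main__":
    for key, value in verify_cleanup(BEFORE_LOG, AFTER_LOG, FIX_LIST).items():
        print(f"{key}: {value}")
```

Anything left in "still_present" or "review" is what would go back to the helper for another round.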
Martint (Author) Posted February 12, 2006 (edited)

There ya go! BTW, I had some files that I think were related to this virus. I deleted them.
http://img374.imageshack.us/img374/2310/be...hievirus2jp.jpg
All the files in here are from my C:\ and the folder was in my C:\Program Files.

Logfile of HijackThis v1.99.1
Scan saved at 5:44:55 PM, on 2/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
F:\FileServer\bin\stable\apache\apache.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
F:\FileServer\bin\stable\apache\apache.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HIJackThis\HijackThis.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132706573187
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B0CBF08-6BCD-496F-84BA-8EB045646433}: NameServer = 68.87.68.162,68.87.74.162
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - F:\FileServer\bin\stable\apache\apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - F:\NetServer\bin\stable\filezilla\Filezilla Server.exe (file missing)
O23 - Service: hMailServer - hMailServer - F:\FileServer\bin\stable\hmailserver\bin\hMailServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

Edited February 12, 2006 by sixpacgenius
Besttechie Posted February 13, 2006

Looks clean! Still having any problems? How's the machine running?

Please take a moment to read the following advice:

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a spyware "shield" to protect your computer from getting malware in the first place.

IE-SpyAd - Puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

CleanUP! - Cleans temporary files from IE and Windows, empties the Recycle Bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this, just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.

Trillian or Miranda-IM - These are malware-free instant messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

B
Martint (Author) Posted February 13, 2006

Everything's going good. BTW, I do use Trillian, but my sisters use AIM.
Besttechie Posted February 13, 2006

That's cool. Trillian is nice, I use it as well. AIM is fine too, it just seems it's getting more bloated; at least the trinitron (however it's spelt) version is mega bloated. BTW, if you click on one of those links in Trillian you can still get infected, so no matter what, be careful. Glad everything is going good. Happy surfing! Tell your sister to be careful when she gets IMs from friends; the same thing happened to my brothers and I had to clean up their machines too.

B
Besttechie Posted February 13, 2006

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread. Everyone else, please begin a new topic.