Still in need of Assistance

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dlogic, Feb 27, 2006.

  1. dlogic

    dlogic Private E-2

    Greetings.

    I followed all the steps on the "Read and Run Me First..." sticky at least three times to try to completely clean my PC, but I am still getting a ridiculous amount of pop-up ads.

    Also, I can't seem to delete guard.tmp, which BitDefender identifies as a malicious file.

    Any help will be appreciated. My HijackThis and BitDefender logs are attached.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    You have a Look 2 Me infection and some other problems too. Let's take care of Look 2 Me and a few others by running the steps in the below link. Make sure you attach the spysweeper.txt log when finished.

    Running Spy Sweeper

    Also please read step 7 of the READ & RUN ME again and get HijackThis installed properly.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I now see part of the reason you are so badly infected. Your OS & IE versions are WAY out of date. You must get updated after we fix all of your problems (and you have a lot of problems).
     
  4. dlogic

    dlogic Private E-2

    Here are the Spy Sweeper and HijackThis log files... HOWEVER... the directions say to save the file with the default .log extension, but when I ran HijackThis it automatically created a .txt file. I tried to see where I could change the setting but couldn't find any such setting.

    Also, I had to zip the Spy Sweeper log file to make it small enough to be uploaded.
     


  5. dlogic

    dlogic Private E-2

    Question... as of now, I have Microsoft AntiSpyware, Webroot SpySweeper (trial version), and AVG antivirus (free version) all running simultaneously to prevent malware. Should all of these be running simultaneously?

    And since I'm using AVG, do I need to delete Norton - even though I disabled it?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, it did not. It created a log file. You renamed it (added the .txt extension) yourself. If you follow the directions in the link given, it explains all of this to you. However, you keep skipping these instructions and thus STILL have HijackThis installed incorrectly. You have it exactly where we indicate it should not be installed. You must fix this before we can continue to fix your problems.

    Did you notice that SpySweeper found 27067 traces of malware on your PC?
     
    Last edited: Feb 27, 2006
  7. dlogic

    dlogic Private E-2

    Okay...

    I have followed the directions EXACTLY as stated. HijackThis now resides in C:\Program Files\HJT. Attached is what it created.
     


  8. dlogic

    dlogic Private E-2

    I GREATLY appreciate the help... but maybe a bit of clarification is needed in the HijackThis instruction that says:

    "Run a scan with HijackThis and save your log file to the default .log extension type"

    For a novice like myself, how would I know that HJT does this automatically? I was trying to literally do what it says, "save the log file to the default .log extension type", when in actuality, if you attempt to save the file yourself (at least on my machine), it will give the file the .txt extension, and your directions don't speak to this. I had no idea, and nothing indicated, that once you run HJT, it automatically creates and saves a log file in the folder.

    This might have saved me a good 30-40 minutes, since I kept re-running HJT and attempting to create the file with a .log extension.

    Just a little feedback.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry, I will look into editing the instructions. They used to give more specific details in that area, but somewhere along the line they were removed. All you have to do is select Save As rather than Save and then change the "Save as type" to All Files. Then you just name the file anything you want with a .log extension, and this way it will not default to adding the .txt extension. This is standard Windows practice.

    You skipped step 3 of the READ AND RUN ME. You have AVG and Symantec antivirus applications installed. You must pick the one you prefer and uninstall the other.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After uninstalling one of your Antivirus applications, continue with the below. DO NOT do the below until one of them is uninstalled.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - {0032CCFA-D80B-DABE-C53B-7E94CD4E0B9D} - (no file)
    O2 - BHO: (no name) - {007430E2-88D1-986B-566D-510B4B345BB4} - (no file)
    O2 - BHO: (no name) - {01C6CDF5-AA54-D057-9086-211EEA30E063} - (no file)
    O2 - BHO: (no name) - {029073B0-66F6-D9B0-C24F-8F8330D53834} - (no file)
    O2 - BHO: (no name) - {0B6346C5-DEFF-CDDA-A198-FC964A6CD089} - (no file)
    O2 - BHO: (no name) - {0FD7B4B2-8EE8-9CEC-16FA-5FD03BD478AF} - (no file)
    O2 - BHO: (no name) - {1388EC0B-5C16-E709-791A-FC681D230D85} - (no file)
    O2 - BHO: (no name) - {13DBCABB-FD7C-1611-67C2-375DB0BAA138} - (no file)
    O2 - BHO: (no name) - {150E4300-73A1-8F6B-0647-0DFBD1CD1D3E} - (no file)
    O2 - BHO: (no name) - {17369CB5-1A08-D258-AC3A-455DB4D4A3C5} - (no file)
    O2 - BHO: (no name) - {1A73479F-2785-CF6C-EAB8-9261C8D3F612} - (no file)
    O2 - BHO: (no name) - {1D1E79E2-9563-DB05-0B53-8CBA80E13F84} - (no file)
    O2 - BHO: (no name) - {202DAC62-070A-52D5-F993-6D64D764A5EA} - (no file)
    O2 - BHO: (no name) - {209F8E8B-6292-6C42-3CE2-9DCDECC213E7} - (no file)
    O2 - BHO: (no name) - {2275995B-15F0-C2B0-07AC-7736536CD351} - (no file)
    O2 - BHO: (no name) - {23456A5B-81B1-B867-389A-B86F961B8573} - (no file)
    O2 - BHO: (no name) - {2561A6C5-A683-37DB-E4F6-EFF573BDA653} - (no file)
    O2 - BHO: (no name) - {26AF2504-EB9F-264B-EFD0-3BD844B41007} - (no file)
    O2 - BHO: (no name) - {29E7FFD8-E6A5-9FCB-ED6E-4AAE63F4CAE9} - (no file)
    O2 - BHO: (no name) - {2C1A5DA8-315A-58D1-573D-06F3C41DC9AD} - (no file)
    O2 - BHO: (no name) - {2CDE04BE-5087-9425-8043-F24037206477} - (no file)
    O2 - BHO: (no name) - {2D6F49E5-6765-80D7-88D4-C008831674C9} - (no file)
    O2 - BHO: (no name) - {2ECE8A5F-7B88-0E3A-7B26-178AA424B2CF} - (no file)
    O2 - BHO: (no name) - {306F5457-7D91-AF4A-3EA2-83DEDA7461BE} - (no file)
    O2 - BHO: (no name) - {30C15F1B-B902-8769-7E97-07B632351674} - (no file)
    O2 - BHO: (no name) - {30DB6634-B7DB-87F8-0079-AD02CC8BB436} - (no file)
    O2 - BHO: (no name) - {32031145-35FF-0F33-A15E-1C507C395C70} - (no file)
    O2 - BHO: (no name) - {337FF6C9-012E-7DC8-7A9A-9E239C2F78FA} - (no file)
    O2 - BHO: (no name) - {38F792AB-B858-758A-2C0D-9E15109055B9} - (no file)
    O2 - BHO: (no name) - {3DF9FEA0-C07D-4604-D880-979D7BAA3C8F} - (no file)
    O2 - BHO: (no name) - {4042A8E0-BAA2-710A-F824-37FCA490315F} - (no file)
    O2 - BHO: (no name) - {42633BCC-78BC-7B57-98A9-4FA18D2B6EAC} - (no file)
    O2 - BHO: (no name) - {456A683C-2EFD-6989-F755-F01E8A079425} - (no file)
    O2 - BHO: (no name) - {456A6CEE-8316-4A72-DFA8-73971797E2FD} - (no file)
    O2 - BHO: (no name) - {47AEE64C-5AEA-4ED8-103A-64D56785E44D} - (no file)
    O2 - BHO: (no name) - {47F1A18E-4D68-80F1-6BBB-16B984AC80ED} - (no file)
    O2 - BHO: (no name) - {49131BF8-B481-A120-9036-48F6347DFAFF} - (no file)
    O2 - BHO: (no name) - {4CAD1D59-4787-6BFE-F9AD-29CCF1EAB9DB} - (no file)
    O2 - BHO: (no name) - {52A8264D-86BD-7D86-FC72-2B24B0624D50} - (no file)
    O2 - BHO: (no name) - {5516BFA5-EE96-EDEC-25BE-662B5516C656} - (no file)
    O2 - BHO: (no name) - {557B24FE-EC36-4055-E50D-992D8DEFF9A7} - (no file)
    O2 - BHO: (no name) - {55A1824A-46C9-FB34-DF74-C122BEDC7F1F} - (no file)
    O2 - BHO: (no name) - {59658A25-7B74-EDCF-F455-A75FF0E4C8BE} - (no file)
    O2 - BHO: (no name) - {5AE85150-CC38-B626-9067-463150E44F68} - (no file)
    O2 - BHO: (no name) - {5F101202-11AE-81D3-D484-0354226D02AE} - (no file)
    O2 - BHO: (no name) - {5FF0D81A-2868-9B2D-7596-9078825C8E9F} - (no file)
    O2 - BHO: (no name) - {63ED29DA-0AA4-8484-8768-CA30115061DE} - (no file)
    O2 - BHO: (no name) - {66BE36B4-FD1C-B850-4827-ECA932D53C44} - (no file)
    O2 - BHO: (no name) - {680063F8-9C08-F513-E8BC-9CAA02FD0EFB} - (no file)
    O2 - BHO: (no name) - {6852B58E-D52B-C38B-9B29-8D1BFBEB32E0} - (no file)
    O2 - BHO: (no name) - {6CF47B51-7061-F4AB-C521-9ABDA8D3EB85} - (no file)
    O2 - BHO: (no name) - {6E145A17-7143-A789-035E-9656AA2D5338} - (no file)
    O2 - BHO: (no name) - {72A9B624-8C5D-2A66-F77F-2A9004EE69D5} - (no file)
    O2 - BHO: (no name) - {72D547E6-2CB4-00E7-AE5A-F764C963AC20} - (no file)
    O2 - BHO: (no name) - {73A137E3-16AA-E19B-E2FC-BA6992E4EC3A} - (no file)
    O2 - BHO: (no name) - {75E70B31-4E2B-4CAC-01CF-66A22B2AADFA} - (no file)
    O2 - BHO: (no name) - {7621039D-911B-1A3D-343B-0F72B58EF21C} - (no file)
    O2 - BHO: (no name) - {78D4C8D4-B5A0-4883-C6D7-F97D04BE0876} - (no file)
    O2 - BHO: (no name) - {7ACBE2D5-4846-C94A-4098-7B48F7AD2845} - (no file)
    O2 - BHO: (no name) - {7B4A1389-49FB-707C-A673-D7AF81767AD4} - (no file)
    O2 - BHO: (no name) - {7B91F7AF-BCF6-ADE3-72D6-6522B90707AA} - (no file)
    O2 - BHO: (no name) - {7C3F5115-13B8-F3E5-3A5F-4F6BD2411BED} - (no file)
    O2 - BHO: (no name) - {7D6BFD31-52A5-44A7-6A16-E14766D2A648} - (no file)
    O2 - BHO: (no name) - {7E66ED98-8800-EB82-57FD-D8488261A8F1} - (no file)
    O2 - BHO: (no name) - {8044BFB2-40EC-C70A-C711-736B0EE1248F} - (no file)
    O2 - BHO: (no name) - {80A686BC-5BA5-E5AC-6039-C44B4E0E4D4E} - (no file)
    O2 - BHO: (no name) - {80F949A5-D3FD-5957-AEE9-25B6BCB9CE57} - (no file)
    O2 - BHO: (no name) - {81C4026E-2E5E-88DC-7B26-44B223181EC2} - (no file)
    O2 - BHO: (no name) - {81C8B002-E341-A0E2-D75A-49D627E588C6} - (no file)
    O2 - BHO: (no name) - {8211EE7E-4833-3C69-7310-EE10B33933C3} - (no file)
    O2 - BHO: (no name) - {8499E75E-1EBB-BCDC-0322-32C871231766} - (no file)
    O2 - BHO: (no name) - {89AD1952-81D3-510D-278A-AD565369AC73} - (no file)
    O2 - BHO: (no name) - {92093452-29D6-C992-7CF2-E45692D46C2B} - (no file)
    O2 - BHO: (no name) - {93085E2C-F796-FBA5-FA72-61E7A897B4A4} - (no file)
    O2 - BHO: (no name) - {94B08B34-C38D-5BA7-55AC-D47C6A68C5E3} - (no file)
    O2 - BHO: (no name) - {96238F7D-6165-13E6-0307-788481765169} - (no file)
    O2 - BHO: (no name) - {96F3C2D7-B4E5-1EEB-30E7-FF9AA0CD064E} - (no file)
    O2 - BHO: (no name) - {977A72CC-2C3D-1ED8-AC44-BB18BD9FD478} - (no file)
    O2 - BHO: (no name) - {9A7083BD-566F-B299-344C-47ABCAB6F765} - (no file)
    O2 - BHO: (no name) - {9A8B99A7-1546-27CF-9FA1-CDE07BAAF512} - (no file)
    O2 - BHO: (no name) - {9ACA1819-E278-D81D-4318-5EBA73955C06} - (no file)
    O2 - BHO: (no name) - {9E10CB8A-457E-4B30-7567-53BB935E405C} - (no file)
    O2 - BHO: (no name) - {A006325B-CDDD-9214-0C39-240125681B78} - (no file)
    O2 - BHO: (no name) - {A21EB7C4-13E9-BD64-FCEC-35F1D630907B} - (no file)
    O2 - BHO: (no name) - {A2570630-ECF2-BF6A-C8EA-509D56913F46} - (no file)
    O2 - BHO: (no name) - {A52C7D9D-ECE6-E7DB-4A98-9F196536545A} - (no file)
    O2 - BHO: (no name) - {A53B81A4-121C-9B12-66C9-1682EDD91082} - (no file)
    O2 - BHO: (no name) - {A6A72853-4880-292D-E38B-ED53B83902B8} - (no file)
    O2 - BHO: (no name) - {AAEAF0EF-4CCD-6801-830D-30AC3AB7C39B} - (no file)
    O2 - BHO: (no name) - {AE33961D-B5C6-86A4-3C72-DBA3BBD317B9} - (no file)
    O2 - BHO: (no name) - {AF847AFA-7C36-11C8-DB41-199055BB86B2} - (no file)
    O2 - BHO: (no name) - {B1EBC237-3650-5E5C-6534-F15F6F9B3DC7} - (no file)
    O2 - BHO: (no name) - {B1F77A96-5E35-5709-3B9E-002879409256} - (no file)
    O2 - BHO: (no name) - {B280B70B-64B0-0B30-6A07-D1CBCF4A5E67} - (no file)
    O2 - BHO: (no name) - {B4A7D9ED-89B3-E958-4A80-16026C986728} - (no file)
    O2 - BHO: (no name) - {B58B9B1C-55D9-1746-5D04-4AD3FEBB33BE} - (no file)
    O2 - BHO: (no name) - {B9D8F539-A482-80D6-A177-1BFD24DCE7E1} - (no file)
    O2 - BHO: (no name) - {BAECFF6A-2CC0-095A-0883-1BA36541C515} - (no file)
    O2 - BHO: (no name) - {BEF0FEBD-F78A-41EC-772B-449A98822845} - (no file)
    O2 - BHO: (no name) - {C1788B98-5234-5C51-33A4-D4E4597F4E13} - (no file)
    O2 - BHO: (no name) - {C6CC3C8F-278A-F9FE-34FA-2D452EE42825} - (no file)
    O2 - BHO: (no name) - {C9927A71-926F-63DD-BAF8-F1DFAA3A18E5} - (no file)
    O2 - BHO: (no name) - {CDE15148-1931-763A-4302-5413232D3E7F} - (no file)
    O2 - BHO: (no name) - {CE2A9DCD-CC21-E736-906F-ADD61A166985} - (no file)
    O2 - BHO: (no name) - {CF295B84-1F3D-A13C-944E-90632373707E} - (no file)
    O2 - BHO: (no name) - {CFDEB6BB-4980-2884-B033-3D35E75B60FA} - (no file)
    O2 - BHO: (no name) - {D0092D6F-9A27-013B-CDD5-2A7FC6907D07} - (no file)
    O2 - BHO: (no name) - {D0FBF74D-9290-E0B6-3227-C3AA0121D284} - (no file)
    O2 - BHO: (no name) - {D15B880A-A0B5-77A6-C441-CC0784878A9A} - (no file)
    O2 - BHO: (no name) - {D1A1BD55-7743-8294-8D26-9D9D77FF49D8} - (no file)
    O2 - BHO: (no name) - {D317FD4A-8BEC-5C0E-90F8-92A748A8F4B6} - (no file)
    O2 - BHO: (no name) - {D54F6CB9-5429-9A95-7B59-D291228E70B8} - (no file)
    O2 - BHO: (no name) - {D83BDA67-495F-DD27-4634-7E43FDC68512} - (no file)
    O2 - BHO: (no name) - {D84A8F90-EC0E-9625-B9C0-E5ABA6848F53} - (no file)
    O2 - BHO: (no name) - {DB29A986-131A-F212-4C89-18F9E42C205A} - (no file)
    O2 - BHO: (no name) - {DF68EA3F-353B-2006-149E-B74E2F05DCBC} - (no file)
    O2 - BHO: (no name) - {E6785457-E898-DCC4-A0FE-CF492E741DF7} - (no file)
    O2 - BHO: (no name) - {E75E8B80-0901-AC5A-6453-3114563FF460} - (no file)
    O2 - BHO: (no name) - {E8672AC7-8611-4002-4486-F4856A5C2E37} - (no file)
    O2 - BHO: (no name) - {E9125959-C0B8-678A-E0B8-139867622A9B} - (no file)
    O2 - BHO: (no name) - {EB89FF78-6995-6005-FCF8-77C3B8169E72} - (no file)
    O2 - BHO: (no name) - {EDA6D516-33B7-258C-7426-9D5699E6B02B} - (no file)
    O2 - BHO: (no name) - {EE35146E-A15F-DDF3-38CA-8A25A2412353} - (no file)
    O2 - BHO: (no name) - {EE37178B-E57C-4045-A483-E895595C72A5} - (no file)
    O2 - BHO: (no name) - {F22ABCC8-DA46-6EFF-B0D2-2B1D0647AB7A} - (no file)
    O2 - BHO: (no name) - {F573A15E-4E08-2CE8-1F75-3F0D794E2E42} - (no file)
    O2 - BHO: (no name) - {F699347E-F69C-BC1B-8D16-4CC14C18FA74} - (no file)
    O2 - BHO: (no name) - {F74E38A1-4326-11A0-788D-D4B7F18E0B7E} - (no file)
    O2 - BHO: (no name) - {F78C8767-D7AA-B6F9-7220-5FF80088C727} - (no file)
    O2 - BHO: (no name) - {F9DB070D-5394-0723-F5DA-646C713E9FE2} - (no file)
    O2 - BHO: (no name) - {FD00640A-25C5-1166-CC13-F7669822B594} - (no file)
    O2 - BHO: (no name) - {FDD2AC6A-B7E4-6D04-F3CF-9A9B7D9CE11A} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - blank (file missing)
    O4 - HKLM\..\Run: [xSpyware] C:\Program Files\xSpyware\xSpyware.Exe
    O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [SIMRT16M] C:\WINDOWS\System32\SIMRT16M.exexe"
    O4 - HKLM\..\Run: [qs4O36X] sqlquota.exe
    O4 - HKLM\..\Run: [qcegxoafrro] C:\WINDOWS\System32\tkfayal.exe
    O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\B\LOCALS~1\Temp\app4.tmp
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [oqwizkkfajty] C:\WINDOWS\System32\tkfayal.exe
    O4 - HKLM\..\Run: [oisen] C:\WINDOWS\System32\oisen.exe
    O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\cvss.exe
    O4 - HKLM\..\Run: [jV] C:\documents and settings\b\local settings\temp\jV.exe
    O4 - HKLM\..\Run: [jnodvc] C:\WINDOWS\System32\jnodvc.exe
    O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKLM\..\Run: [j] C:\documents and settings\b\local settings\temp\j.exe
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
    O4 - HKLM\..\Run: [G] C:\documents and settings\b\local settings\temp\G.exe
    O4 - HKLM\..\Run: [ctmoviea] C:\WINDOWS\System32\ctmoviea.exe
    O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
    O4 - HKLM\..\Run: [6r5mME] C:\documents and settings\b\local settings\temp\6r5mME.exe
    O4 - HKLM\..\Run: [4R7ST@T3G3TN5F] C:\WINDOWS\System32\OjqN0Y44.exe
    O4 - HKCU\..\Run: [Wcwo] C:\Documents and Settings\B\Application Data\pune.exe
    O4 - HKCU\..\Run: [Rgbqu] C:\WINDOWS\System32\??plorer.exe
    O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [bBvERWbpQ] srsnfiles.exe
    O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\e6202gfmg62a2.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    c:\installer\id53.exe
    C:\Program Files\xSpyware <-- delete the whole folder
    C:\Program Files\zSearch <-- delete the whole folder
    C:\Program Files\Common Files\WinTools <-- delete the whole folder
    C:\Program Files\VVSN <-- delete the whole folder
    C:\Program Files\MYDAIL~1 <--- delete the whole MyDailyHoroscope folder
    C:\Program Files\CLOCKS~1 <--- delete the whole ClockSync folder
    C:\Documents and Settings\B\Application Data\pune.exe
    C:\documents and settings\b\local settings\temp\6r5mME.exe <--- actually delete all files in this temp folder
    C:\documents and settings\b\local settings\temp\G.exe
    C:\documents and settings\b\local settings\temp\j.exe
    C:\documents and settings\b\local settings\temp\jV.exe
    C:\Documents and Settings\B\local settings\Temp\app4.tmp
    C:\WINDOWS\aqadcup.exe
    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\jawa32.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\WINDOWS\System32\SIMRT16M.exe
    C:\WINDOWS\System32\sqlquota.exe
    C:\WINDOWS\System32\tkfayal.exe
    C:\WINDOWS\System32\tkfayal.exe
    C:\WINDOWS\System32\oisen.exe
    C:\WINDOWS\System32\cvss.exe
    C:\WINDOWS\System32\jnodvc.exe
    C:\WINDOWS\System32\idctup20.exe
    C:\WINDOWS\System32\ctmoviea.exe
    C:\WINDOWS\System32\OjqN0Y44.exe
    C:\WINDOWS\System32\srsnfiles.exe
    C:\WINDOWS\system32\e6202gfmg62a2.dll
    C:\WINDOWS\System32\??plorer.exe <--- this will more than likely be explorer.exe. Only delete the one in System32!!!

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
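The fix list and the delete list in the post above are built by hand from the HijackThis log: every O2 BHO line that ends in "(no file)" is an orphaned CLSID registration, the O4 Run values point at executables in temp folders, the Windows root or nowhere at all, and each flagged Run value or Winlogon Notify DLL then turns into a file to delete in safe mode. The Python below is an added example (not part of this thread and not HijackThis code) that applies that same reading to a handful of log lines and derives the delete list automatically. The sample lines are mostly copied from the log quoted above; the Adobe and AVG lines are benign entries added for contrast, and treating a path-less Run value as living in C:\WINDOWS\System32 (as the delete list above does for sqlquota.exe and srsnfiles.exe) is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample. Most lines are copied from the log posted in this
# thread; the Adobe and AVG lines are benign entries added for contrast.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {0032CCFA-D80B-DABE-C53B-7E94CD4E0B9D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - blank (file missing)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [qs4O36X] sqlquota.exe
O4 - HKLM\..\Run: [jV] C:\documents and settings\b\local settings\temp\jV.exe
O4 - HKCU\..\Run: [Rgbqu] C:\WINDOWS\System32\??plorer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\e6202gfmg62a2.dll
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
"""

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
RUN_RE = re.compile(r"(HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)")
PROFILE_DIRS = ("\\local settings\\temp\\", "\\application data\\")
SYSTEM32 = "C:\\WINDOWS\\System32\\"  # assumed location of path-less Run values


@dataclass
class Finding:
    kind: str         # HJT section, e.g. "O4"
    severity: str     # "fix": remove it; "review": verify by hand first
    reason: str
    line: str
    target: str = ""  # file on disk to delete after the registry fix, if known


def run_target(cmd: str) -> str:
    """Executable path from an O4 Run value, with arguments stripped."""
    i = cmd.lower().find(".exe")
    path = cmd[:i + 4] if i >= 0 else cmd.split(" /")[0]
    return path if "\\" in path else SYSTEM32 + path


def triage_line(line: str):
    """Return a Finding for one HJT log line, or None if it looks ordinary."""
    line = line.rstrip()
    if " - " not in line:
        return None
    kind, body = line.split(" - ", 1)
    low = body.lower()
    if kind in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value in ("", "about:blank"):
            return Finding(kind, "fix", "IE start/search setting blanked or hijacked", line)
    elif kind == "O2" and low.endswith("(no file)"):
        return Finding(kind, "fix", "BHO CLSID registered but its DLL is gone", line)
    elif kind == "O3" and "(file missing)" in low:
        return Finding(kind, "fix", "toolbar registration with missing file", line)
    elif kind == "O4":
        m = RUN_RE.match(body)
        if not m:
            return Finding(kind, "review", "Run value in unexpected format", line)
        cmd = m.group(3)
        reason = None
        if "\\" not in cmd:
            reason = "Run value is a bare filename, resolved via the search path"
        elif "?" in cmd:
            reason = "unprintable or lookalike characters in executable name"
        elif any(d in cmd.lower() for d in PROFILE_DIRS):
            reason = "autostart from user temp or profile data directory"
        elif re.match(r"[a-z]:\\windows\\[^\\]+\.exe", cmd.lower()):
            reason = "executable dropped directly in the Windows directory"
        if reason:
            return Finding(kind, "fix", reason, line, run_target(cmd))
    elif kind == "O20" and low.startswith("winlogon notify"):
        return Finding(kind, "review", "Winlogon Notify DLL is loaded into winlogon.exe "
                       "at logon; confirm it is a known package", line, body.rsplit(" - ", 1)[1])
    elif kind == "O23" and "(file missing)" in low:
        return Finding(kind, "review", "service points at a missing file (uninstall leftover)", line)
    return None


def triage(log_text: str):
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def orphaned_bho_clsids(log_text: str):
    """CLSIDs of O2 entries whose DLL is missing: the registry keys to fix."""
    return [GUID_RE.search(f.line).group(0) for f in triage(log_text) if f.kind == "O2"]


def delete_targets(log_text: str):
    """Files to remove (in safe mode) once the matching registry entries are fixed."""
    return sorted({f.target for f in triage(log_text) if f.target})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.reason}\n    {f.line}")
    print("delete:", *delete_targets(SAMPLE_LOG), sep="\n    ")
```

Run it against a full pasted log and the "fix" findings reproduce the kind of list in the post above, while "review" findings (Winlogon Notify DLLs, services with missing files) are left for a human decision; the ".exe" cut in run_target is also what turns the garbled SIMRT16M.exexe" entry into the SIMRT16M.exe path the delete list names.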
     
  11. dlogic

    dlogic Private E-2

    Here is the newest HJT log. The computer seems to be moving faster, although the speed was never the real issue. Spy Sweeper is running and keeps blocking pop-ups or access to www.a-d-w-a-r-e.com (dashes are part of the actual URL). Also, the hijacked homepage is fixed. It actually has what I set as the homepage.

    I deleted Norton... now, should AVG, Microsoft AntiSpyware and Spy Sweeper all be running at the same time? Any conflict here, and are they all necessary?

    Lastly, many of the entries on the HijackThis log you said to fix, and many of the files you said to delete, were not there when I went in to follow your directions.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because you are still infected with a Look 2 Me infection that was not completely removed. Probably because of how badly you were infected. We'll get there eventually.

    We'll get to this later. But AVG is an antivirus application, not an antispyware application like the other two.

    But you still have ALL the O2 BHO lines in your log. Shut down both MS AntiSpyware and SpySweeper (don't uninstall, just shut them down using the icon in the system tray).

    Then run HJT and fix all the below lines, and then attach a new log. Make sure that ALL browsers are closed before clicking Fix or it will not work:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {0032CCFA-D80B-DABE-C53B-7E94CD4E0B9D} - (no file)
    O2 - BHO: (no name) - {007430E2-88D1-986B-566D-510B4B345BB4} - (no file)
    O2 - BHO: (no name) - {01C6CDF5-AA54-D057-9086-211EEA30E063} - (no file)
    O2 - BHO: (no name) - {029073B0-66F6-D9B0-C24F-8F8330D53834} - (no file)
    O2 - BHO: (no name) - {0B6346C5-DEFF-CDDA-A198-FC964A6CD089} - (no file)
    O2 - BHO: (no name) - {0FD7B4B2-8EE8-9CEC-16FA-5FD03BD478AF} - (no file)
    O2 - BHO: (no name) - {1388EC0B-5C16-E709-791A-FC681D230D85} - (no file)
    O2 - BHO: (no name) - {13DBCABB-FD7C-1611-67C2-375DB0BAA138} - (no file)
    O2 - BHO: (no name) - {150E4300-73A1-8F6B-0647-0DFBD1CD1D3E} - (no file)
    O2 - BHO: (no name) - {17369CB5-1A08-D258-AC3A-455DB4D4A3C5} - (no file)
    O2 - BHO: (no name) - {1A73479F-2785-CF6C-EAB8-9261C8D3F612} - (no file)
    O2 - BHO: (no name) - {1D1E79E2-9563-DB05-0B53-8CBA80E13F84} - (no file)
    O2 - BHO: (no name) - {202DAC62-070A-52D5-F993-6D64D764A5EA} - (no file)
    O2 - BHO: (no name) - {209F8E8B-6292-6C42-3CE2-9DCDECC213E7} - (no file)
    O2 - BHO: (no name) - {2275995B-15F0-C2B0-07AC-7736536CD351} - (no file)
    O2 - BHO: (no name) - {23456A5B-81B1-B867-389A-B86F961B8573} - (no file)
    O2 - BHO: (no name) - {2561A6C5-A683-37DB-E4F6-EFF573BDA653} - (no file)
    O2 - BHO: (no name) - {26AF2504-EB9F-264B-EFD0-3BD844B41007} - (no file)
    O2 - BHO: (no name) - {29E7FFD8-E6A5-9FCB-ED6E-4AAE63F4CAE9} - (no file)
    O2 - BHO: (no name) - {2C1A5DA8-315A-58D1-573D-06F3C41DC9AD} - (no file)
    O2 - BHO: (no name) - {2CDE04BE-5087-9425-8043-F24037206477} - (no file)
    O2 - BHO: (no name) - {2D6F49E5-6765-80D7-88D4-C008831674C9} - (no file)
    O2 - BHO: (no name) - {2ECE8A5F-7B88-0E3A-7B26-178AA424B2CF} - (no file)
    O2 - BHO: (no name) - {306F5457-7D91-AF4A-3EA2-83DEDA7461BE} - (no file)
    O2 - BHO: (no name) - {30C15F1B-B902-8769-7E97-07B632351674} - (no file)
    O2 - BHO: (no name) - {30DB6634-B7DB-87F8-0079-AD02CC8BB436} - (no file)
    O2 - BHO: (no name) - {32031145-35FF-0F33-A15E-1C507C395C70} - (no file)
    O2 - BHO: (no name) - {337FF6C9-012E-7DC8-7A9A-9E239C2F78FA} - (no file)
    O2 - BHO: (no name) - {38F792AB-B858-758A-2C0D-9E15109055B9} - (no file)
    O2 - BHO: (no name) - {3DF9FEA0-C07D-4604-D880-979D7BAA3C8F} - (no file)
    O2 - BHO: (no name) - {4042A8E0-BAA2-710A-F824-37FCA490315F} - (no file)
    O2 - BHO: (no name) - {42633BCC-78BC-7B57-98A9-4FA18D2B6EAC} - (no file)
    O2 - BHO: (no name) - {456A683C-2EFD-6989-F755-F01E8A079425} - (no file)
    O2 - BHO: (no name) - {456A6CEE-8316-4A72-DFA8-73971797E2FD} - (no file)
    O2 - BHO: (no name) - {47AEE64C-5AEA-4ED8-103A-64D56785E44D} - (no file)
    O2 - BHO: (no name) - {47F1A18E-4D68-80F1-6BBB-16B984AC80ED} - (no file)
    O2 - BHO: (no name) - {49131BF8-B481-A120-9036-48F6347DFAFF} - (no file)
    O2 - BHO: (no name) - {4CAD1D59-4787-6BFE-F9AD-29CCF1EAB9DB} - (no file)
    O2 - BHO: (no name) - {52A8264D-86BD-7D86-FC72-2B24B0624D50} - (no file)
    O2 - BHO: (no name) - {5516BFA5-EE96-EDEC-25BE-662B5516C656} - (no file)
    O2 - BHO: (no name) - {557B24FE-EC36-4055-E50D-992D8DEFF9A7} - (no file)
    O2 - BHO: (no name) - {55A1824A-46C9-FB34-DF74-C122BEDC7F1F} - (no file)
    O2 - BHO: (no name) - {59658A25-7B74-EDCF-F455-A75FF0E4C8BE} - (no file)
    O2 - BHO: (no name) - {5AE85150-CC38-B626-9067-463150E44F68} - (no file)
    O2 - BHO: (no name) - {5F101202-11AE-81D3-D484-0354226D02AE} - (no file)
    O2 - BHO: (no name) - {5FF0D81A-2868-9B2D-7596-9078825C8E9F} - (no file)
    O2 - BHO: (no name) - {63ED29DA-0AA4-8484-8768-CA30115061DE} - (no file)
    O2 - BHO: (no name) - {66BE36B4-FD1C-B850-4827-ECA932D53C44} - (no file)
    O2 - BHO: (no name) - {680063F8-9C08-F513-E8BC-9CAA02FD0EFB} - (no file)
    O2 - BHO: (no name) - {6852B58E-D52B-C38B-9B29-8D1BFBEB32E0} - (no file)
    O2 - BHO: (no name) - {6CF47B51-7061-F4AB-C521-9ABDA8D3EB85} - (no file)
    O2 - BHO: (no name) - {6E145A17-7143-A789-035E-9656AA2D5338} - (no file)
    O2 - BHO: (no name) - {72A9B624-8C5D-2A66-F77F-2A9004EE69D5} - (no file)
    O2 - BHO: (no name) - {72D547E6-2CB4-00E7-AE5A-F764C963AC20} - (no file)
    O2 - BHO: (no name) - {73A137E3-16AA-E19B-E2FC-BA6992E4EC3A} - (no file)
    O2 - BHO: (no name) - {75E70B31-4E2B-4CAC-01CF-66A22B2AADFA} - (no file)
    O2 - BHO: (no name) - {7621039D-911B-1A3D-343B-0F72B58EF21C} - (no file)
    O2 - BHO: (no name) - {78D4C8D4-B5A0-4883-C6D7-F97D04BE0876} - (no file)
    O2 - BHO: (no name) - {7ACBE2D5-4846-C94A-4098-7B48F7AD2845} - (no file)
    O2 - BHO: (no name) - {7B4A1389-49FB-707C-A673-D7AF81767AD4} - (no file)
    O2 - BHO: (no name) - {7B91F7AF-BCF6-ADE3-72D6-6522B90707AA} - (no file)
    O2 - BHO: (no name) - {7C3F5115-13B8-F3E5-3A5F-4F6BD2411BED} - (no file)
    O2 - BHO: (no name) - {7D6BFD31-52A5-44A7-6A16-E14766D2A648} - (no file)
    O2 - BHO: (no name) - {7E66ED98-8800-EB82-57FD-D8488261A8F1} - (no file)
    O2 - BHO: (no name) - {8044BFB2-40EC-C70A-C711-736B0EE1248F} - (no file)
    O2 - BHO: (no name) - {80A686BC-5BA5-E5AC-6039-C44B4E0E4D4E} - (no file)
    O2 - BHO: (no name) - {80F949A5-D3FD-5957-AEE9-25B6BCB9CE57} - (no file)
    O2 - BHO: (no name) - {81C4026E-2E5E-88DC-7B26-44B223181EC2} - (no file)
    O2 - BHO: (no name) - {81C8B002-E341-A0E2-D75A-49D627E588C6} - (no file)
    O2 - BHO: (no name) - {8211EE7E-4833-3C69-7310-EE10B33933C3} - (no file)
    O2 - BHO: (no name) - {8499E75E-1EBB-BCDC-0322-32C871231766} - (no file)
    O2 - BHO: (no name) - {89AD1952-81D3-510D-278A-AD565369AC73} - (no file)
    O2 - BHO: (no name) - {92093452-29D6-C992-7CF2-E45692D46C2B} - (no file)
    O2 - BHO: (no name) - {93085E2C-F796-FBA5-FA72-61E7A897B4A4} - (no file)
    O2 - BHO: (no name) - {94B08B34-C38D-5BA7-55AC-D47C6A68C5E3} - (no file)
    O2 - BHO: (no name) - {96238F7D-6165-13E6-0307-788481765169} - (no file)
    O2 - BHO: (no name) - {96F3C2D7-B4E5-1EEB-30E7-FF9AA0CD064E} - (no file)
    O2 - BHO: (no name) - {977A72CC-2C3D-1ED8-AC44-BB18BD9FD478} - (no file)
    O2 - BHO: (no name) - {9A7083BD-566F-B299-344C-47ABCAB6F765} - (no file)
    O2 - BHO: (no name) - {9A8B99A7-1546-27CF-9FA1-CDE07BAAF512} - (no file)
    O2 - BHO: (no name) - {9ACA1819-E278-D81D-4318-5EBA73955C06} - (no file)
    O2 - BHO: (no name) - {9E10CB8A-457E-4B30-7567-53BB935E405C} - (no file)
    O2 - BHO: (no name) - {A006325B-CDDD-9214-0C39-240125681B78} - (no file)
    O2 - BHO: (no name) - {A21EB7C4-13E9-BD64-FCEC-35F1D630907B} - (no file)
    O2 - BHO: (no name) - {A2570630-ECF2-BF6A-C8EA-509D56913F46} - (no file)
    O2 - BHO: (no name) - {A52C7D9D-ECE6-E7DB-4A98-9F196536545A} - (no file)
    O2 - BHO: (no name) - {A53B81A4-121C-9B12-66C9-1682EDD91082} - (no file)
    O2 - BHO: (no name) - {A6A72853-4880-292D-E38B-ED53B83902B8} - (no file)
    O2 - BHO: (no name) - {AAEAF0EF-4CCD-6801-830D-30AC3AB7C39B} - (no file)
    O2 - BHO: (no name) - {AE33961D-B5C6-86A4-3C72-DBA3BBD317B9} - (no file)
    O2 - BHO: (no name) - {AF847AFA-7C36-11C8-DB41-199055BB86B2} - (no file)
    O2 - BHO: (no name) - {B1EBC237-3650-5E5C-6534-F15F6F9B3DC7} - (no file)
    O2 - BHO: (no name) - {B1F77A96-5E35-5709-3B9E-002879409256} - (no file)
    O2 - BHO: (no name) - {B280B70B-64B0-0B30-6A07-D1CBCF4A5E67} - (no file)
    O2 - BHO: (no name) - {B4A7D9ED-89B3-E958-4A80-16026C986728} - (no file)
    O2 - BHO: (no name) - {B58B9B1C-55D9-1746-5D04-4AD3FEBB33BE} - (no file)
    O2 - BHO: (no name) - {B9D8F539-A482-80D6-A177-1BFD24DCE7E1} - (no file)
    O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After finishing what is in my previous message, verify for yourself that all those lines have been fixed by checking a new log.

    Then reboot your PC. Run SpySweeper, check for updates again and then run a full system scan again and save the log file again. Attach it to your next message along with a new HJT log that was obtained after the SpySweeper scan.
     
  14. dlogic

    dlogic Private E-2

    Okay...

    I have shut down EVERYTHING before doing the scan and deleting the O2 BHO entries. And they keep coming back on subsequent scans. :confused:

    1. There are no browser windows open
    2. there are no windows explorer windows open
    3. Spy Sweeper is Shut down
    4. Microsoft Anti Spyware is shut down
    5. AVG is shut down
    6. Every program that would normally be running in the system tray is shut down
    7. There are no other programs running at all except for HJT
    8. I select every single O2 BHO entry (132 to be exact) and click "FIX"
    Then upon rescanning... they all reappear. :confused:

    Can I toss the CPU out the window now?? LOL :D
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Then either some application is still blocking the removal (could be malware too) or the registry keys are not being removed because you do not have ownership of the registry key path and cannot remove them. Let's figure out why.

    First please run the below tools:

    CWShredder - make sure you select fix


    about:Buster ......No installation required! Just unzip it to a folder. Click Update and download any updates before scanning. Follow the directions for using it on the download page. Save the about:buster log and attach it when you return. If you receive an error message about a missing MSCOMCTL.OCX file when you run about:Buster, download the file in the link below and run it. It will give you the necessary file. There is also a help file that comes with about:Buster that explains some common errors and how to fix them.

    http://www.javacoolsoftware.net/downloads/missingfilesetup.exe

    Now please finish what I requested in message # 13
    Also attach the about:buster log. If the lines still appear, please download and install the below tool and just let me know when you have it installed and ready to go.

    Registrar Lite
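    To check the two explanations given above (a key you do not own, or an entry that keeps coming back) without guessing, here is an added read-only script that is not part of this thread: it lists every registered BHO, marks the ones whose CLSID resolves to no DLL on disk (what HijackThis reports as "(no file)"), and shows who owns each key and whether Administrators have FullControl. It assumes a modern PowerShell with the registry provider; the registry paths are the standard BHO and CLSID locations.

```powershell
# Added example (not from the thread): audit Browser Helper Object registrations.
# Read-only: nothing is deleted. Run from an elevated PowerShell prompt.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BhoStatus {
    [CmdletBinding()]
    param([string]$Path = $bhoRoot)

    if (-not (Test-Path -LiteralPath $Path)) { return }

    Get-ChildItem -LiteralPath $Path | ForEach-Object {
        $clsid  = $_.PSChildName                    # e.g. {C1788B98-5234-5C51-33A4-D4E4597F4E13}
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"

        # Resolve the CLSID to its DLL; an orphaned entry has no server key or no file.
        $dll = ''
        if (Test-Path -LiteralPath $server) {
            $dll = [string](Get-ItemProperty -LiteralPath $server).'(default)'
        }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $fileExists = ($dll -ne '') -and (Test-Path -LiteralPath $dll)

        # Owner and Administrators' rights on the BHO key: a key the current
        # account cannot write explains a "Fix" that silently changes nothing.
        $acl = Get-Acl -LiteralPath $_.PSPath
        $adminsFull = $acl.Access | Where-Object {
            $_.IdentityReference -match 'Administrators' -and
            $_.RegistryRights    -match 'FullControl'    -and
            $_.AccessControlType -eq 'Allow'
        }

        [pscustomobject]@{
            CLSID      = $clsid
            Dll        = if ($dll) { $dll } else { '(no file)' }
            Orphaned   = -not $fileExists           # matches HJT's "(no file)"
            KeyOwner   = $acl.Owner
            AdminsFull = [bool]$adminsFull
        }
    }
}

# Show only the orphaned entries, with the ownership data needed to explain a failed removal.
Get-BhoStatus | Where-Object Orphaned | Format-Table -AutoSize
```

    If the orphaned keys show the expected owner and rights yet reappear after a reboot, the cause is a running process re-creating them rather than permissions, which is what the Registrar Lite step is meant to distinguish.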
     
  16. dlogic

    dlogic Private E-2

    Attached are the logs requested...

    1. a new hijack this log
    2. the about:Buster log

    The Spysweeper log is too big to upload - even after zipping.

    The lines do still appear so I downloaded Registrar Lite and it's ready to run.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You were supposed to run About:Buster twice. Run it the second time and attach a new log.

    Split the SpySweeper log in half if you have to. Why is it so big? What type of message is appearing that is making it so large? There must be a particular line that appears a lot.
     
