Please help.....

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bruceokc, Oct 28, 2004.

  1. bruceokc

    bruceokc Private E-2

    I kept having AVG 6.0 pull up a virus (downloader.intexp, wxvuuo.exe). Ran Trend Micro online as suggested by someone, and now it found 6 viruses. Now I can't boot up. It makes it to the Welcome screen, reboots, gets back to that point and keeps cycling through reboots.
     
  2. Kodo

    Kodo SNATCHSQUATCH

    Does your machine properly boot while it is in safe mode?
    What operating system are you using, and if it is Windows XP, have you updated to at least SP1 with all the post-SP1 hotfixes?
     
  3. bruceokc

    bruceokc Private E-2

    Yes, it booted up in safe mode, and yes, I am running XP Pro with SP1 installed. As for the other thing you asked, I am not sure how to tell.
     
  4. Kodo

    Kodo SNATCHSQUATCH

    Hmm..
    Boot to safe mode and disable all startup items in msconfig. It could be a driver failing.
    Once you've done that, reboot and see if you can get in normally.
     
  5. bruceokc

    bruceokc Private E-2

    OK, it did start up with all of them disabled. Thank you, Kodo. Now what should I do?
     
  6. Kodo

    Kodo SNATCHSQUATCH

  7. bruceokc

    bruceokc Private E-2

    OK, I did the whole READ ME FIRST thing you suggested. I still have pop-ups when opening web pages like Google, Yahoo, or my home page, which has no pop-ups. Trend found no viruses, Symantec found 13. AVG didn't find any. Can't tell if I have any left. Ran HijackThis but don't know exactly what to look for.
     
  8. PhilliePhan

    PhilliePhan Guest

    Hi Bruce,

    Go ahead and send us a HijackThis Log. We'll see if it has anything to tell us ;)

    Note that your HijackThis should be up-to-date (v1.98.2) and extracted to its own safe folder - C:\Program Files\HijackThis

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Best,
    PP
     
  9. bruceokc

    bruceokc Private E-2

    HJT file attached as asked

    Ok here is the HJT file. Also added the list of Symantecs find when i did the scan
     


  10. bruceokc

    bruceokc Private E-2

    Re: HJT file attached as asked

    I think the last HJT log I added had a window open that I didn't catch; here is the latest scan with everything closed. Sorry for any inconvenience. After I ran HJT I ran AVG and it found 6 more viruses, and I noticed in the Processes window that I had wxvuuo.exe running again. The viruses found were downloader.agent.as, downloader.stubb and downloader.dyfica. Not the first time today I have had these show up.
     


    Last edited: Oct 28, 2004
  11. PhilliePhan

    PhilliePhan Guest

    Hi Bruce,

    *** I missed your last post while I was typing this out. Work through this for now and we'll see what remains. I wondered why I didn't find a few things that I expected to see in your log. ***

    You have some really nasty crap in your log, so I will be a bit indiscriminate with what we trash. Also, I am not finding some things in your log that I would expect to see - Perhaps some of your earlier cleaning steps removed them.

    Your IE is a bit out of date and should not be running when you scan with HJT!

    BEFORE YOU START--> Please put HijackThis in its own SAFE Folder - C:\Program Files\HijackThis - You MUST do this first!!

    Please print out these instructions so that you can operate with ALL browser windows CLOSED.

    Make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the Tutorial.

    NOW:
    Use Task Manager to END the Running Processes for the following:
    conscorr.exe
    wupdt.exe
    wxvuuo.exe


    NEXT:
    NOW, Run HijackThis and Check the Boxes for the Following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insaneclownposse.com/low.php?wp_id=NEWS

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insaneclownposse.com/low.php?wp_id=NEWS

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.insaneclownposse.com/low.php?wp_id=NEWS

    R3 - Default URLSearchHook is missing

    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll

    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll

    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)

    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe

    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

    O4 - HKLM\..\Run: [rinkjs] C:\WINDOWS\System32\wxvuuo.exe

    O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm

    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - (no file)

    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)

    O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab

    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

    O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

    O16 - DPF: {8FEED82A-42A6-4117-A803-7EC3EB9339E0} (ClientControl Class) - http://66.159.247.56:81/plugin/client.cab

    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx

    O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://66.159.247.56:81/plugin/h263ctrl.cab

    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab


    Again, make sure ALL browser windows are CLOSED when you click FIX.

    NEXT:
    Boot into SAFE MODE and DELETE the following (if found):

    C:\WINDOWS\conscorr.exe
    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\System32\wxvuuo.exe
    C:\WINDOWS\SYSTEM32\taskmgn.exe

    NOW:
    Reboot to Normal Windows and attach a fresh HJT log. Tell us how things are working and if you ran into any problems with the above instructions.
    I suspect that we may have to take another run through your next log to flush away some remnants. I'll try to check back when I can, but I'm going to be extremely busy the next few days. Hopefully Kodo will weigh back in as well!

    Best Luck :)
    PP
     
    Last edited by a moderator: Oct 28, 2004
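The triage PhilliePhan does by eye above (untrusted search/start-page hosts, orphaned or Windows-root BHOs and toolbars, autostart binaries dropped into C:\WINDOWS or System32, ActiveX controls pulled from unknown hosts or raw IP addresses) can be expressed as a few parser rules. The script below is an added example, not part of the original thread and not HijackThis itself. The entry lines it feeds in are taken from the log quoted in this post, plus three constructed benign lines (a ctfmon.exe Run entry, an "ExampleAV" Run entry and a microsoft.com DPF entry) to show that legitimate items pass; the allowlists TRUSTED_HOSTS and KNOWN_GOOD_BINARIES are assumptions for the example and would be replaced by the machine owner's real home page and a vetted system-binary list.

```python
"""Rule-based triage of HijackThis-style log entries (added example).

Flags R0/R1/R3, O2/O3, O4 and O16 entries using the same patterns a
helper looks for by hand. Not HJT itself; allowlists are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+)\s*-\s*(?P<body>.*)$")
RUN_RE = re.compile(r"Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
WINDOWS_ROOTS = ("c:\\windows\\", "c:\\winnt\\")

# Assumed allowlists for this example (not from the thread).
TRUSTED_HOSTS = frozenset({"www.microsoft.com", "www.google.com"})
KNOWN_GOOD_BINARIES = frozenset({"ctfmon.exe"})

# Lines from the log quoted in this thread, plus three constructed benign
# entries (ctfmon.exe, ExampleAV, the microsoft.com DPF) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insaneclownposse.com/low.php?wp_id=NEWS
R3 - Default URLSearchHook is missing
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [rinkjs] C:\WINDOWS\System32\wxvuuo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\tray.exe /startup
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {8FEED82A-42A6-4117-A803-7EC3EB9339E0} (ClientControl Class) - http://66.159.247.56:81/plugin/client.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Class) - http://www.microsoft.com/example/example.cab
"""


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def host_of(url: str) -> str:
    """Hostname of a URL; HJT sometimes logs values without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_raw_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_windows_dir(path: str) -> bool:
    """True for a file sitting directly in the Windows root or System32."""
    p = path.strip().strip('"').lower()
    for root in WINDOWS_ROOTS:
        if p.startswith(root):
            rest = p[len(root):]
            return "\\" not in rest or (
                rest.startswith("system32\\") and rest.count("\\") == 1)
    return False


def exe_of(command: str) -> str:
    """Executable path from a Run-key command line, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def triage(log_text, trusted_hosts=TRUSTED_HOSTS, known_good=KNOWN_GOOD_BINARIES):
    """Return a Finding for every entry that matches a suspicious pattern."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reason = None
        if code in ("R0", "R1"):            # IE start/search page values
            _, sep, value = body.partition(" = ")
            host = host_of(value) if sep else ""
            if host and host not in trusted_hosts:
                reason = f"browser start/search value points at untrusted host {host}"
        elif code == "R3" and "missing" in body:
            reason = "default URLSearchHook is missing (listed for HJT to fix)"
        elif code in ("O2", "O3"):          # BHOs and toolbars
            path = body.rsplit(" - ", 1)[-1]
            if "(no file)" in body or "(no name)" in body:
                reason = "orphaned or unnamed BHO/toolbar entry"
            elif in_windows_dir(path):
                reason = "BHO/toolbar DLL dropped directly into the Windows directory"
        elif code == "O4":                  # Run-key autostarts
            run = RUN_RE.search(body)
            if run:
                exe = exe_of(run.group("cmd"))
                base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if base not in known_good and in_windows_dir(exe):
                    reason = f"autostart binary {base} in Windows directory is not on the known-good list"
        elif code == "O16":                 # Downloaded Program Files (ActiveX)
            host = host_of(body.rsplit(" - ", 1)[-1])
            if is_raw_ip(host):
                reason = f"ActiveX control downloaded from raw IP {host}"
            elif host not in trusted_hosts:
                reason = f"ActiveX control downloaded from untrusted host {host}"
        if reason:
            findings.append(Finding(code, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

Run against the sample, the script flags eleven of the fourteen entries and lets the ctfmon.exe, ExampleAV and microsoft.com lines through. The rules are deliberately conservative in the same way the helper is: anything not on the owner's allowlist gets listed for a human to decide on, since a clean-looking name in System32 (wxvuuo.exe here) is exactly how this family hides.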
  12. bruceokc

    bruceokc Private E-2

    OK, I did everything you said I should do, and I have attached my log file. I really appreciate all the help you and Kodo have given me. This site rocks and will be recommended to others. Thanks again. Hope it is all fixed; if I need to do more I will be keeping my eye on this to see your reply.
     


  13. PhilliePhan

    PhilliePhan Guest

    Hi Bruce,

    Your log looks much better. You really shut down those running processes this time! How are things running?

    There are a couple of O16 items and the Party Poker stuff that we left that you could still get rid of if you feel the need. I can't help but wonder what rides along with Party Poker when you put it on your computer ;) But I left it alone, along with a couple of other items that looked like things you put there willingly.

    Anyhoo, your log looks good. Kodo will probably be along to double-check it. Be sure to let us know if you encounter further problems.

    You should probably visit Windows Update and get updated. Also take a look at Chaslang's recommendations HERE: How to protect yourself from malware!

    Best :)
    PP
     
  14. bruceokc

    bruceokc Private E-2

    Everything seems fine. I did run AVG 6.0 and it found and had me move to the virus vault the following: Downloader.agent.as, which it said was in c:\recycled\dc2.exe. I am re-running AVG now while I am on the other PC to see if it is gone. Again, thanks for all the help!
     
  15. Kodo

    Kodo SNATCHSQUATCH

    Log looks clean.
     
