Virus? / Truckload 'O' Malware!

Discussion in 'Malware Help (A Specialist Will Reply)' started by imapayne27, Jan 17, 2005.

  1. imapayne27

    imapayne27 Private E-2

    Re: Virus?

    Hey everyone,

    First, I would like to thank all the members of this site for providing such a great service to everyone.


    I was searching for a fix for the cxtpls virus, and that is how I found this site. Well, I'm pretty sure I got rid of that file/program, but I need to know if there is anything else in my HijackThis log that I should delete. Thanks.
    I attached both log files: one is from before the removal of cxtpls and the second is from after. Thanks.

    payne
     

    Attached Files:

  2. imapayne27

    imapayne27 Private E-2

    Re: Virus?

    I just noticed that I'm not supposed to post my log file unless I'm requested to. I hope this did not cause a great inconvenience.

    -payne
     
  3. PhilliePhan

    PhilliePhan Guest

    Hi Payne,

    I gave you your own thread.

    I am sorry to say that cxtpls was the least of your problems! You have a lot of other issues as well.

    Here's the standard speech. . . .

    Generally, it is a good idea to start with the Cleanup Tutorial HERE:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  4. imapayne27

    imapayne27 Private E-2

    Does anyone have any info on how to fix the virus W32.Netsky.C@mm without buying Norton?


    thanks

    payne
     
  5. aLLiKZar

    aLLiKZar It's not too late to back out!

  6. imapayne27

    imapayne27 Private E-2

    Phew! (Big sigh of relief)

    I just finished all the programs in the tutorial and I now want to post the latest update of my HijackThis log. Can you guys please tell me what to delete? Thanks.

    I spent a total of about 12 hours going through the tutorial, at least.
     

    Attached Files:

  7. PhilliePhan

    PhilliePhan Guest

    Still got a mess of stuff to remove. Give me an hour to run through it - eating dinner & typing don't mix well - and I'll post some cleanup steps for you.

    PP :)
     
  8. PhilliePhan

    PhilliePhan Guest

    Hi Payne,

    Let’s see if we can get some of this crap off of your machine!

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    PC Shield
    ViewPoint / Viewpoint Manager
    eSyndicate
    WildTangent



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and END the ones you find, if possible:

    aQL.exe
    RXn8TD.exe
    ViewMgr.exe
    xj.exe
    RXn8TD.exe
    e4Z1FAF.exe
    5.exe
    S9G0IIjy.exe
    srsb2res.exe
    snmmmgr.exe


    Now scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com

    O1 - Hosts: comments (such as these) may be inserted on individual

    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_4fee.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jonathan\Local Settings\Temp\PQcn.dll

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [aQL.exe] C:\documents and settings\jonathan\local settings\temp\aQL.exe
    O4 - HKLM\..\Run: [RXn8TD.exe] C:\documents and settings\jonathan\local settings\temp\RXn8TD.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [xj.exe] C:\documents and settings\jonathan\local settings\temp\xj.exe
    O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_4fee.dll"
    O4 - HKLM\..\Run: [RXn8TD] C:\documents and settings\jonathan\local settings\temp\RXn8TD.exe
    O4 - HKLM\..\Run: [xj] C:\documents and settings\jonathan\local settings\temp\xj.exe
    O4 - HKLM\..\Run: [aQL] C:\documents and settings\jonathan\local settings\temp\aQL.exe
    O4 - HKLM\..\Run: [e4Z1FAF.exe] C:\windows\e4Z1FAF.exe
    O4 - HKLM\..\Run: [5.exe] C:\windows\5.exe
    O4 - HKLM\..\Run: [S9G0IIjy.exe] C:\windows\S9G0IIjy.exe
    O4 - HKLM\..\Run: [e4Z1FAF] C:\windows\e4Z1FAF.exe
    O4 - HKLM\..\Run: [5] C:\windows\5.exe
    O4 - HKLM\..\Run: [S9G0IIjy] C:\windows\S9G0IIjy.exe
    O4 - HKLM\..\Run: [4Fok33j] srsb2res.exe
    O4 - HKCU\..\Run: [Lo7qRTH8i] snmmmgr.exe
    O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_4fee.dll"

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: iSearch Toolbar - {1AE2F26C-8E23-4930-A68D-9E681A764001} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: iSearch Toolbar - {1AE2F26C-8E23-4930-A68D-9E681A764001} - C:\WINDOWS\System32\shdocvw.dll

    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/install/00010/initial.cab
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\documents and settings\jonathan\local settings\temp\aQL.exe
    C:\documents and settings\jonathan\local settings\temp\RXn8TD.exe
    C:\Program Files\Viewpoint ---> The Folder
    C:\documents and settings\jonathan\local settings\temp\xj.exe
    C:\windows\e4Z1FAF.exe
    C:\windows\5.exe
    C:\windows\S9G0IIjy.exe
    C:\WINDOWS\System32\srsb2res.exe
    C:\Program Files\WildTangent ---> The Folder
    C:\WINDOWS\System32\snmmmgr.exe
    C:\WINDOWS\System32\sfg_4fee.dll
    C:\Program Files\eSyndicate ---> The Folder
    C:\Documents and Settings\Jonathan\Local Settings\Temp\PQcn.dll

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    NEXT:
    Reboot to Normal Windows and reset your web settings.
    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com OR www.phillies.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    NOW:
    Scan with HijackThis and attach that log.

    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
     
    Last edited by a moderator: Jan 18, 2005
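    The entries PhilliePhan picks out above share a handful of tells: registry objects whose file is already gone ("(no file)", "(file missing)"), browser helper objects with no name, executables started at logon from a user's Temp folder, DLLs loaded at logon through regsvr32 or rundll32, bare filenames with no path, and the same command registered under several value names (and in both HKLM and HKCU) so that removing one copy leaves another. The script below is an added example for this page, not part of the original thread and not part of HijackThis; it parses log lines in HijackThis format and flags those patterns. Its sample log is constructed from the excerpt in the post above, plus two assumed-benign control entries (mobsync.exe, AcroIEHelper.ocx) that the rules should leave alone.

```python
"""Triage a HijackThis-style log for the persistence patterns seen in this thread.

Added example for this page; not part of the original posts or of HijackThis.
Every rule is a heuristic, not a verdict: a hit means "look at this entry".
"""
import re
from collections import defaultdict

# Constructed sample. Most lines are copied from the log excerpt in the post
# above; the mobsync and AcroIEHelper entries are assumed-benign controls added
# so the rules have something to pass over.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_4fee.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jonathan\Local Settings\Temp\PQcn.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] C:\WINDOWS\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [aQL.exe] C:\documents and settings\jonathan\local settings\temp\aQL.exe
O4 - HKLM\..\Run: [aQL] C:\documents and settings\jonathan\local settings\temp\aQL.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_4fee.dll"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [4Fok33j] srsb2res.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_4fee.dll"
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/install/00010/initial.cab
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")                      # "O4 - <body>"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")  # hive, value name, command
TEMP_RE = re.compile(r"\\(?:local settings\\)?temp\\", re.I)  # ...\Local Settings\Temp\ or ...\Temp\
LOLBIN_RE = re.compile(r"^(?:regsvr32|rundll32)(?:\.exe)?\b", re.I)


def analyze(log_text):
    """Return a list of (section, reason, item) findings.

    `item` is the offending log line, except for the redundancy rule, where it
    is the command that was registered more than once.
    """
    findings = []
    run_commands = defaultdict(list)  # normalised command -> [(hive, value name)]
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section in ("O2", "O3", "O9"):
            # Browser helper objects, toolbars and extra buttons.
            if "(no file)" in body or "(file missing)" in body:
                findings.append((section, "orphaned entry: registry points at a file that is gone", line))
            elif section == "O2" and body.startswith("BHO: (no name)"):
                findings.append((section, "BHO registered without a name", line))
            if TEMP_RE.search(body):
                findings.append((section, "browser component loaded from a user Temp directory", line))
        elif section == "O4":
            # Run keys: things started at every logon.
            r = RUN_RE.match(body)
            if not r:
                continue
            hive, value, command = r.groups()
            run_commands[command.lower()].append((hive, value))
            if LOLBIN_RE.match(command):
                findings.append((section, "DLL loaded at logon through regsvr32/rundll32", line))
            elif TEMP_RE.search(command):
                findings.append((section, "autorun executable lives in a user Temp directory", line))
            elif "\\" not in command and "/" not in command:
                findings.append((section, "bare filename: resolved through PATH at logon, origin unknown", line))
        elif section == "O16":
            # Downloaded Program Files: ActiveX packages pulled from the web.
            findings.append((section, "ActiveX package downloaded from an external host; confirm the publisher", line))
    # Same command under several value names or in both hives: removing one copy
    # leaves the other, which is why the post lists every variant.
    for command, owners in run_commands.items():
        if len(owners) > 1:
            names = ", ".join(f"{h}:[{v}]" for h, v in owners)
            findings.append(("O4", f"same command registered {len(owners)} times ({names}): redundant persistence", command))
    return findings


def flagged_lines(log_text):
    """Set of log items that triggered at least one rule."""
    return {item for _, _, item in analyze(log_text)}


if __name__ == "__main__":
    for section, reason, item in analyze(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {item}")
```

    Run it as-is to see the report for the sample, or call `analyze()` on the text of a real log. Every hit is a prompt to look, not a verdict: plenty of legitimate software registers a BHO or starts through rundll32, which is why the post has you uninstall through Add or Remove Programs first and ends by asking for a fresh log to review.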
  9. imapayne27

    imapayne27 Private E-2

    PhilliePhan, I would first like to thank you greatly for all the support with which you have aided me in cleaning up my big mess. Your non-profit services are very much appreciated by myself and, I'm sure, by many others who visit this forum.


    Okay, now down to business. I followed every one of your steps precisely with no problems. I'm glad to see that I won't be getting those annoying eSyndicate ads anymore...

    There is only one thing I have a question about. With CCleaner, it doesn't seem to do anything when I click on the .exe file. Is that how it is designed to run? Thanks.


    -payne
     

    Attached Files:

  10. PhilliePhan

    PhilliePhan Guest

    You're welcome :)

    Your HJT log looks OK.

    For CCleaner, you need to install it - put it in Program Files. Then, you ought to be able to open it and it should be self-explanatory. Just don't "scan for issues" without backing up the registry first. You should really do only the default scan.

    For future reference, have a peek here: How to Protect yourself from malware!

    PP :)
     
