Friends HJT

Status
Not open for further replies.
That's not too bad, but they still need to be removed.

Download Pocket Killbox to the desktop
http://www.downloads.subratam.org/KillBox.exe
If you already have Killbox, ensure it is the latest version.
Start Killbox, place a tick next to [x] Delete on reboot, and press the All Files button.
Copy this whole list into the Windows clipboard, all the bolded text below.

Back in Killbox, go to File > Paste from Clipboard.
Click the red highlighted X button and say NO to the prompt to restart the PC.
Still in Killbox, go to Tools > Delete Temp Files, then exit.


Then have him run all the programs again and tell me what the report is.
 
Add this to Pocket Killbox also, just to be safe.


 
"add this to pocket killbox also just to be safe"

What's that mean? Do you mean search for those too? lol, he's doing the searches for each of those files from your other last spot atm.

EDIT: Oh, I see the part that you said about Killbox, I must have missed that.
 
I edited the post so he doesn't have to search for them unless he wants to. You can have him just copy all those in Killbox.
 
OK, he did everything with Killbox. Unfortunately he had to go to his gparent's house for all of tomorrow (Saturday), but Sunday I'll have him do all the scans again and I'll let you know how everything worked out. He says thanks for all the help :)
 
My friend has finally gotten home, and said he's still having problems (pop-ups). He will be doing ewido, spybot, adaware, panda, and ccleaner scans tomorrow morning and I'll have a HJT log by noon Wednesday for you.
 
Here it is. ewido found 60 spyware, spybot found 15, adaware found 2, but they were all healed. Panda is down so he couldn't do the online virus scan. He said he updated Windows, but he still has SP2, so I'll tell him how to get SP2.

Logfile of HijackThis v1.99.1
Scan saved at 12:44:37 PM, on 7/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 