I got a new toolbar installed and I can't get rid of it


LostInSpace
Logfile of HijackThis v1.99.1
Scan saved at 5:00:08 PM, on 9/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Danny1\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\gtvzf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\gtvzf.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4539/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B85DE845-2DC9-41A9-85DC-34AD88219A0E}: NameServer = 69.50.161.131,85.255.112.14
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 
You can't delete them from there? The Google toolbar and the Searchbar? Can you access your registry? Delete all Searchbar entries.
 
Hi and Welcome to TF

Please don't take the advice of the previous poster and mess with the registry as this can be removed without doing so.

Before attacking an adware/spyware problem with HijackThis, make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the latest version (1.99.1) of HijackThis and that it's installed in its own folder on the root drive (C:\HJT).

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure System Restore is enabled: right-click on My Computer, go to Properties->System Restore, look at the box for Turn OFF System Restore and make sure it's NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers. Open Add/Remove Programs and remove SearchToolbar IF it's listed.

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\gtvzf.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\gtvzf.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{B85DE845-2DC9-41A9-85DC-34AD88219A0E}: NameServer = 69.50.161.131,85.255.112.14


C:\WINDOWS\System32\gtvzf.dll <--delete that file.

Reboot back to normal Windows.

Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Once it has finished, save the ActiveScan log. Then post that log in your next post along with a new HijackThis log, and let me know about the toolbar.
 
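What the helper is doing in the post above is pattern-matching the log: a BHO and a toolbar registered under the same CLSID from a DLL dropped straight into System32, a Run entry that also lives in System32, and a per-interface NameServer that the user never set. The script below is an editor's added example for this thread, not a tool posted in it and not part of HijackThis; it applies those checks to entry lines copied from the two logs posted here. The private-range resolver allowlist and the ctfmon.exe exception are assumptions for a home XP box that gets its DNS from a router, and would need adjusting for a machine with static ISP resolvers.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: entry lines copied from the HijackThis logs posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\gtvzf.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\gtvzf.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hwiper.exe] C:\WINDOWS\System32\hwiper.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B85DE845-2DC9-41A9-85DC-34AD88219A0E}: NameServer = 69.50.161.131,85.255.112.14
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\] (?P<target>.*?\.exe)", re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)

# Assumption: a home XP box behind a router gets its resolver by DHCP, so a
# hard-coded NameServer outside these ranges is worth a second look.
ALLOWED_RESOLVERS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: the one Run target that legitimately sits directly in System32 on XP.
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}


def parse(log):
    """Yield (section, body) for every Oxx line in a HijackThis log."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log):
    """Return the entries a helper would tell the poster to fix, grouped by reason."""
    findings = {"bho_toolbar_pairs": [], "system32_run": [],
                "rogue_nameservers": [], "orphans": []}
    by_clsid = defaultdict(dict)  # clsid -> {section: path}
    for section, body in parse(log):
        if body.endswith("(file missing)"):
            # Registered object whose file is gone: harmless but dead weight.
            findings["orphans"].append(body)
        if section in ("O2", "O3"):
            m = CLSID_RE.search(body)
            if m:
                by_clsid[m.group(0).upper()][section] = body.rsplit(" - ", 1)[-1]
        elif section == "O4":
            m = RUN_RE.search(body)
            if m and SYSTEM32_RE.match(m.group("target")):
                exe = m.group("target").rsplit("\\", 1)[-1].lower()
                if exe not in KNOWN_SYSTEM32_RUN:
                    findings["system32_run"].append(m.group("target"))
        elif section == "O17" and "NameServer = " in body:
            for token in body.split("NameServer = ", 1)[1].split(","):
                ip = ipaddress.ip_address(token.strip())
                if not any(ip in net for net in ALLOWED_RESOLVERS):
                    findings["rogue_nameservers"].append(str(ip))
    # One CLSID registered as both a BHO (O2) and a toolbar (O3) is the
    # SearchToolbar pattern; Google's toolbar uses a distinct CLSID per object.
    for clsid, sections in by_clsid.items():
        if "O2" in sections and "O3" in sections:
            findings["bho_toolbar_pairs"].append((clsid, sections["O3"]))
    return findings


if __name__ == "__main__":
    for reason, items in triage(HJT_SAMPLE).items():
        for item in items:
            print(f"{reason}: {item}")
```

The output reproduces the helper's three fixes (the SearchToolbar CLSID with its gtvzf.dll path, the hwiper.exe Run entry, and both NameServer addresses) while leaving the Adobe, Google and &Radio entries alone; the PCTools entry is reported separately as an orphan, not as a threat.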
Logfile of HijackThis v1.99.1
Scan saved at 6:33:36 AM, on 9/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Danny1\Desktop\wuxing scripts\HLHL.exe
C:\Program Files\Monster & Me 2.5\HL_Client.exe
C:\Documents and Settings\Danny1\Desktop\wuxing scripts\HLHL.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Danny1\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\gtvzf.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [hwiper.exe] C:\WINDOWS\System32\hwiper.exe
O4 - HKLM\..\Run: [dmxge.exe] C:\WINDOWS\System32\dmxge.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4539/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B85DE845-2DC9-41A9-85DC-34AD88219A0E}: NameServer = 69.50.161.131,85.255.112.14
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



Here's the Panda scan one

Incident Status Location

Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\HWIPER.EXE
Adware:adware/adsmart No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\pi.sys
Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\SskUpdater.exe
Adware:adware/wintools No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\WToolsA.exe
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\FAVORITES\AdultGambling.url
Spyware:spyware/wareout No disinfected C:\Documents and Settings\Danny1\Application Data\wo.tmp
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:adware/twain-tech No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\THI3937.tmp
Spyware:spyware/dyfuca No disinfected Windows Registry
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\i4.tmp
Adware:Adware/nCase No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\res59.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\SskUpdater.exe
Virus:Trj/Downloader.ESN Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\49KLY30D\xxx[1].jpg
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\Bridge-c139[1].cab
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\Bridge-c139[1].cab[AdToolsX.dll]
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CA4N2R4N.HTM
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CA61GL4K.HTM
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CA876BU7.HTM
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CA8TA9VS.HTM
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CAA1Y1CD.HTM
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CABH3RU4.HTM
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CAGC8LOB.HTM
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CAGDA7OH.HTM
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CAIFWNEB.HTM
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CAOBJRQ4.HTM
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CAX410XD.HTM
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CAXFNP44.HTM
Adware:Adware/TopConvert No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CAXPRJRJ
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\lca[1].chm[Bridge-c139.cab]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\lca[1].chm[Bridge-c139.cab][AdToolsX.dll]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\lca[2].chm[Bridge-c139.cab]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\lca[2].chm[Bridge-c139.cab][AdToolsX.dll]
Adware:Adware/TopConvert No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\protect[2].php
Virus:Trj/Sxload.A No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\sload[1].chm[xload.exe]
Adware:Adware/TopConvert No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\tca[1].chm[site.ocx]
Adware:Adware/TopConvert No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\tca[2].chm[site.ocx]
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\WTKDK7G9\CA67K34H.HTM
Virus:Trj/Dropper.HP No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\YWALRPWS\2006208748[1].chm[win.exe]
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZU87R1CH\2YZ_3LXk5Xj0kLY1GgvE[1].chm
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZU87R1CH\2YZ_3LXk5Xj0kLY1GgvE[2].chm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZU87R1CH\CAS9UB0X.HTM
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\WToolsB.dll
Adware:Adware/SBSoft No disinfected C:\System Volume Information\_restore{145C81F2-33D1-4FC9-875D-EC6CB29244BD}\RP1\A0001006.dll
Virus:Trj/Demetib.A Disinfected C:\System Volume Information\_restore{145C81F2-33D1-4FC9-875D-EC6CB29244BD}\RP1\A0002005.exe
Virus:Trj/Downloader.EQS Disinfected C:\WINDOWS\system32\coded1.exe
Virus:Trj/Downloader.EQS Disinfected C:\WINDOWS\system32\cstoq.exe
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\system32\hlmicro.exe
Possible Virus. No disinfected C:\WINDOWS\system32\hwiper.exe
The toolbar doesn't show up, but I can't change the settings. Like when I right-click on the bars, I can't disable/enable bars, and Searchbar still shows up but with no check next to it, and everything else is gray and unclickable.
 
Please DO NOT install anything including games until this infection is cleared!!


Download and install Cleanup but DO NOT run it yet!


*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back to normal Windows...


Please download FixWareout from one of these sites:
http://forums.subratam.org/index.php?act=A...e=post&id=43811
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O4 - HKLM\..\Run: [hwiper.exe] C:\WINDOWS\System32\hwiper.exe
O4 - HKLM\..\Run: [dmxge.exe] C:\WINDOWS\System32\dmxge.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{B85DE845-2DC9-41A9-85DC-34AD88219A0E}: NameServer = 69.50.161.131,85.255.112.14


Click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Then run KillBox. Paste the following locations into KillBox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot.

C:\WINDOWS\system32\coded1.exe
C:\WINDOWS\system32\cstoq.exe
C:\WINDOWS\system32\hlmicro.exe
C:\WINDOWS\system32\hwiper.exe
C:\WINDOWS\System32\dmxge.exe
C:\WINDOWS\rdt.ini
C:\Documents and Settings\Danny1\Application Data\wo.tmp



Once that's complete, run another Panda scan and save the log. Then reboot the PC once more. Post the Panda log, the HijackThis log, and the log created by the Wareout tool. Its log will be located here: C:\fixwareout\report.txt
 
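The KillBox list in the post above is the Panda report plus the two O4 Run entries, minus everything that Cleanup! (Temp and IE cache) and the later restore-point flush (System Volume Information) already take care of, and minus the registry-only hit that HijackThis handles. The script below is an editor's added example, not anything posted in the thread; it rebuilds that plan from report and log lines copied from this page. Note that it keeps files Panda reports as "Disinfected" on the delete list, which is what the helper did with coded1.exe and cstoq.exe. The ctfmon.exe exception for Run entries in System32 is an assumption.

```python
import re

# Constructed sample: lines copied from the Panda ActiveScan report posted above.
PANDA_SAMPLE = r"""
Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\HWIPER.EXE
Adware:adware/adsmart No disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\pi.sys
Spyware:spyware/wareout No disinfected C:\Documents and Settings\Danny1\Application Data\wo.tmp
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Spyware:spyware/dyfuca No disinfected Windows Registry
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Danny1\Local Settings\Temp\Temporary Internet Files\Content.IE5\IP8B65MH\CA4N2R4N.HTM
Adware:Adware/SBSoft No disinfected C:\System Volume Information\_restore{145C81F2-33D1-4FC9-875D-EC6CB29244BD}\RP1\A0001006.dll
Virus:Trj/Downloader.EQS Disinfected C:\WINDOWS\system32\coded1.exe
Virus:Trj/Downloader.EQS Disinfected C:\WINDOWS\system32\cstoq.exe
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\system32\hlmicro.exe
Possible Virus. No disinfected C:\WINDOWS\system32\hwiper.exe
"""

# Constructed sample: the O4 lines from the second HijackThis log posted above.
HJT_O4_SAMPLE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hwiper.exe] C:\WINDOWS\System32\hwiper.exe
O4 - HKLM\..\Run: [dmxge.exe] C:\WINDOWS\System32\dmxge.exe
"""

# ActiveScan prints three space-separated columns; the incident name may itself
# contain a space ("Possible Virus."), so match the status column explicitly.
PANDA_RE = re.compile(r"^(?P<incident>.+?) (?P<status>Disinfected|No disinfected) (?P<location>.+)$")
RUN_RE = re.compile(r"^O4 - .*\[(?P<name>[^\]]+)\] (?P<target>.*?\.exe)", re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}  # assumption: legitimate Run target in System32 on XP


def classify(location):
    """Decide which step of the helper's procedure removes a reported item."""
    loc = location.lower()
    if loc == "windows registry":
        return "registry"        # HijackThis / FixWareout territory, not a file
    if "\\system volume information\\" in loc:
        return "restore_flush"   # cleared by turning System Restore off and on
    if "\\local settings\\temp\\" in loc or "\\temporary internet files\\" in loc:
        return "cleanup"         # Cleanup! empties these folders
    return "killbox"             # everything left must be deleted by hand


def build_plan(panda_log, hjt_log):
    plan = {"killbox": [], "cleanup": [], "restore_flush": [], "registry": []}
    seen = set()

    def add(bucket, path):
        # The report lists HWIPER.EXE twice with different casing; NTFS is case-insensitive.
        if path.lower() not in seen:
            seen.add(path.lower())
            plan[bucket].append(path)

    for line in panda_log.splitlines():
        m = PANDA_RE.match(line.strip())
        if m:
            add(classify(m.group("location")), m.group("location"))
    # Run entries pointing straight into System32 are dropped files, so their
    # targets join the delete list even when the scanner said nothing about them.
    for line in hjt_log.splitlines():
        m = RUN_RE.match(line.strip())
        if m and SYSTEM32_RE.match(m.group("target")):
            if m.group("target").rsplit("\\", 1)[-1].lower() not in KNOWN_SYSTEM32_RUN:
                add("killbox", m.group("target"))
    return plan


if __name__ == "__main__":
    for bucket, paths in build_plan(PANDA_SAMPLE, HJT_O4_SAMPLE).items():
        print(bucket)
        for p in paths:
            print("  " + p)
```

The killbox bucket comes out as the same seven paths the helper listed, with dmxge.exe contributed by the O4 entry alone; the restore-point hit is deferred to the System Restore off/on step rather than deleted directly, since that folder is not reliably writable from a normal session.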
Umm, when I tried to run the FixWareout thing it said the download.exe got infected with downloader.dlef.cs. Should I continue with the Panda scan or do I need to get a new Wareout program?
 
lol so you OVERLOAD your system with Apps....
Nice work.

My god, how many does it take.

Ever heard of regedit?
Do it manually.
You do NOT need these apps.
They do NOTHING more than you can do yourself.
 
Well, since FixWareout is the only thing that doesn't work (since it got hit with that downloader.delf.cs), what does FixWareout delete? And how do I get rid of that downloader?

Here's the newest Panda scan

Incident Status Location

Spyware:spyware/dyfuca No disinfected Windows Registry
Adware:Adware/SBSoft No disinfected C:\System Volume Information\_restore{145C81F2-33D1-4FC9-875D-EC6CB29244BD}\RP1\A0001006.dll
Virus:Trj/Downloader.EQS Disinfected C:\System Volume Information\_restore{145C81F2-33D1-4FC9-875D-EC6CB29244BD}\RP1\A0002044.exe
Virus:Trj/Downloader.EQS Disinfected C:\System Volume Information\_restore{145C81F2-33D1-4FC9-875D-EC6CB29244BD}\RP1\A0002045.exe
Virus:Trj/Demetib.A Disinfected C:\System Volume Information\_restore{145C81F2-33D1-4FC9-875D-EC6CB29244BD}\RP1\A0003005.exe
Virus:Trj/Agent.AMR Disinfected C:\System Volume Information\_restore{145C81F2-33D1-4FC9-875D-EC6CB29244BD}\RP1\A0003045.exe
Adware:Adware/QuickWeb No disinfected C:\System Volume Information\_restore{145C81F2-33D1-4FC9-875D-EC6CB29244BD}\RP1\A0003046.exe
Virus:Trj/Demetib.A Disinfected C:\System Volume Information\_restore{145C81F2-33D1-4FC9-875D-EC6CB29244BD}\RP1\A0003050.exe
HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 6:57:38 PM, on 9/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft Office\Office\POWERPNT.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Danny1\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\gtvzf.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126729275515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4539/mcfscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 
bradybnmci:

Please refrain from posting in these threads. Unfortunately, if he could do it himself he would have already, and your assessment of NOT needing these apps is incorrect.


LostInSpace:

Let's continue...

Run hijackthis again and fix this entry...

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\gtvzf.dll (file missing)


C:\WINDOWS\System32\gtvzf.dll <--delete this file if found.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

I then need you to repeat the same procedure above again using the TrendMicro tool. I need the log from the second scan/clean, NOT the first, as this will contain what's left in the system.
 
Here are the logs from the second scan

Started Scanning
Internet Cookies
Found 'questionmarket.com' in 'Internet Explorer Cache'
Found 'burstnet.com' in 'Internet Explorer Cache'
Found 'doubleclick.net' in 'Internet Explorer Cache'
Found 'trafficmp.com' in 'Internet Explorer Cache'
Found 'valueclick.com' in 'Internet Explorer Cache'
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found 'realmedia.com' in 'Internet Explorer Cache'
Found 'fastclick.net' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories

I can move the toolbars again, but am I still hit with any viruses or anything? I'm not too sure myself, but I believe I still have some viruses floating around that won't go away when I scan. Certain items I found were stuff like download.delf.cs and backdoor.generic.mhh. Any idea how to totally clean these up?
 