Logfile of HijackThis v1.97.7 Scan saved at 10:19:32 AM, on 2/2/2005 Platform: Windows 2000 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:
1. Select all available drives.
2. Check(tick) "
Auto Clean".
3. Click "
Scan".
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
Download, then unzip to "
C:\HJT", the newest version of
HiJackThis;
version 1.99.0. Then repost your log, either now, or after following the steps in the solution (
if provided in this post).
This version has features that might help in 'cleaning' up your system.
Run
HiJackThis then:
1. Click "
Config..."
2. Click "
Misc Tools"
3. Click "
Open Process manager"
-
Next, while holding down the
CTRL key, locate (
if present) and click on (
highlight) each of the following:
C:\WINNT\System32\qcsaznas5.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "
Kill process". Now, click "
Refresh", check again, and repeat this step if any remain.
Now, let's open a
command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u ufvxkdya.dll regsvr32 /u qmlwyexy.dll
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
Before we begin, let's move
HiJackThis to it's own folder; like
c:\HJT. When we're done '
cleaning' off your system, we're going to '
flush' the temporary folders which, with
HiJackThisin it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.
Also move the "
Backups" folder, for
HiJackThis, if present.
Run
HiJackThis and click "
Scan", then check(tick) the following, if present:
O2 - BHO: (no name) - {C060D62C-1F69-ED90-3F2D-0F523B4EC3C9} - C:\WINNT\System32\ufvxkdya.dll O2 - BHO: (no name) - {C2EDC117-795B-CA80-45A5-90982A39BF52} - C:\WINNT\System32\qmlwyexy.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
Now, with all windows closed except
HiJackThis, click "
Fix checked".
Locate and
delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're '
in use', try deleting them from "
Safe Mode".
Trendmicro pickup, but could not clean troj_istbar.he
I was unable to fix/delete/etc. qcsaznas5.exe
or
ufvxkdya.dll
Logfile of HijackThis v1.99.0
Scan saved at 1:28:54 PM, on 2/2/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Now double-check and make sure that only those item(s) above are highlighted, then click "
Kill process". Now, click "
Refresh", check again, and repeat this step if any remain.
Before we begin, let's move
HiJackThis to it's own folder; like
c:\HJT. When we're done '
cleaning' off your system, we're going to '
flush' the temporary folders which, with
HiJackThisin it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.
Also move the "
Backups" folder, for
HiJackThis, if present.
Run
HiJackThis and click "
Scan", then check(tick) the following, if present:
O2 - BHO: (no name) - {C060D62C-1F69-ED90-3F2D-0F523B4EC3C9} - (no file) O2 - BHO: (no name) - {C2EDC117-795B-CA80-45A5-90982A39BF52} - (no file)
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're '
in use', try deleting them from "
Safe Mode".
Now double-check and make sure that only those item(s) above are highlighted, then click "
Kill process". Now, click "
Refresh", check again, and repeat this step if any remain.
Now, let's open a
command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u vhttqton.dll regsvr32 /u wntcenur.dll
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
Run
HiJackThis and click "
Scan", then check(tick) the following, if present:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A36FD6B2-60DA-4CD2-79C8-F422417C1952} - C:\WINDOWS\System32\vhttqton.dll O2 - BHO: (no name) - {BCE8F088-F609-FA1F-29BE-E40464691231} - C:\WINDOWS\System32\wntcenur.dll
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're '
in use', try deleting them from "
Safe Mode".
Post back a new log, and let me know how everything goes.
Hi... I'm having problems with Internet Explorer, when I give
click to start the program, appears me an error in IEXPLORE.exe,
and I cannot recover my system to a previous date, I hope anybody can
help me... Thanks. Kindly Carmina
excuse me, but my english is bad.
This the HiJackThis log.
Logfile of HijackThis v1.99.0
Scan saved at 9:53:53, on 12/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\bixxkgau.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\ARCHIV~1\ARCHIV~1\AOL\ACS\AOLacsd.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\WINDOWS\System32\msupd.exe
C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe
1. Double-click the mwav.exe icon to run it (it'll self extract). 2. Click "Scan". 3. When it completes, post back the results from the 'Virus log information' pane.
Hi... I run HijackThis, and
appears
me this error when I give click in Fix checked
"HijackThis is about to remove a BHO and the correspondind file form your system, close all Internet Explorer Windows And all Windows Explorer windows before continuing for the best chance of success", but I do
n't have any opened window of Internet to explorer or Windows, what
can I do?
O2 - BHO: (no name) - {A36FD6B2-60DA-4CD2-79C8-F422417C1952} - (no file) O2 - BHO: (no name) - {BCE8F088-F609-FA1F-29BE-E40464691231} - (no file)
and eScan AntiVirus found:
File C:\WINDOWS\System32\drivers\ctpqhivj.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\fbsurmbw.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\gcnhgath.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\hbdongmx.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\hgpzzinm.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\unatmtxg.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\wunwnnck.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\ymhsmqso.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ynuaxtyt.dll infected by "Trojan.Win32.Golid.f" Virus. Action Taken: No Action Taken.
When we're done cleaning off your system, i'd
recommend that you install all the
critical windows updates available from
Microsoft, upto
service pack 1. This will help to make your system more secure and prevent many '
problems' from reoccuring in the future.
If you haven't ran
HouseCall lately, let's go back to
www.trendmicro.com, download the latest definitions, and run it.
Download, unzip to your desktop
CWShredder and run it, then:
1. Click "
Check For Update"
(
If an update isn't available, skip to step #4.)
2. Click "
Click here to Download the upate".
3. When the new version has been downloaded, click "
Save".
4. Click "
Fix ->"
Go to
Add/Remove programs and remove(uninstall) the following, if present:
Web Related
The above could appear anywhere within the entry. Be careful not to remove any
personal or
system software.
Download, then unzip to "
C:\HJT", the newest version of
HiJackThis;
version 1.99.1. Then repost your log, either now, or after following the steps in the solution (
if provided in this post).
This version has features that might help in 'cleaning' up your system.
Now, let's open a
command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u lbbho.dll
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
Run
HiJackThis and click "
Scan", then check(tick) the following, if present:
Now, with all windows closed except
HiJackThis, click "
Fix checked".
Locate and
delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
files...
C:\WINDOWS\lbbho.dll
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're '
in use', try deleting them from "
Safe Mode".
That should get you started - post back a new log, and let me know how everything goes. But when you do, be sure to start a new thread, if you wouldn't mind, this one has about three different problems in it. It's not confusing to me, but very confusing to the one who first posted for help.
Midnight Star
4.8K Posts
0
January 25th, 2005 16:00
First, let's see what's running on your system that shouldn't be; post up a HiJackThis log for analysis.
Download, then unzip to " C:\HJT", the newest version of HiJackThis; version 1.99.0. Now, let's do the following:
1. Click " Scan"
2. Click " Save log"
Notepad will pop-up with a copy of your system long, then:
1. " Edit | Select all"
2. " Edit | Copy"
Next, let's " Reply" back to this post, then:
1. Right-click on the message body.
2. Select " Paste"
Then just " Post" the message, and we'll analyze your log shortly, then post back any recommendation(s).
Mike.
mattdoss
2 Posts
0
February 2nd, 2005 13:00
I am having similar problems;
Logfile of HijackThis v1.97.7
Scan saved at 10:19:32 AM, on 2/2/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\qcsaznas5.exe
C:\WINNT\System32\msupd5.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.exe
C:\OfficeScan NT\PCCNTMON.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\procexp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\matthewdo\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://marion/cms/searchUI.asp?GUID=11754PM
O2 - BHO: (no name) - {C060D62C-1F69-ED90-3F2D-0F523B4EC3C9} - C:\WINNT\System32\ufvxkdya.dll
O2 - BHO: (no name) - {C2EDC117-795B-CA80-45A5-90982A39BF52} - C:\WINNT\System32\qmlwyexy.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uawlsp.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uawlsp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uawlsp.local
I have run HIJACK This, adaware, and spybot to no avail. HIjack shows some mysterious "trusted zone: *.frame.crazywinnings.com" as well.
Midnight Star
4.8K Posts
0
February 2nd, 2005 14:00
Let's see what we can do...
Go to www.trendmicro.com, and then:
1. Click " Free Online Scan".
2. Click " Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:
1. Select all available drives.
2. Check(tick) " Auto Clean".
3. Click " Scan".
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
Download, then unzip to " C:\HJT", the newest version of HiJackThis; version 1.99.0. Then repost your log, either now, or after following the steps in the solution ( if provided in this post). This version has features that might help in 'cleaning' up your system.
Run HiJackThis then:
1. Click " Config..."
2. Click " Misc Tools"
3. Click " Open Process manager"
-
Next, while holding down the CTRL key, locate ( if present) and click on ( highlight) each of the following:
C:\WINNT\System32\qcsaznas5.exe
Now double-check and make sure that only those item(s) above are highlighted, then click " Kill process". Now, click " Refresh", check again, and repeat this step if any remain.
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u ufvxkdya.dll
regsvr32 /u qmlwyexy.dll
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
Before we begin, let's move HiJackThis to it's own folder; like c:\HJT. When we're done ' cleaning' off your system, we're going to ' flush' the temporary folders which, with HiJackThis in it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.
Also move the " Backups" folder, for HiJackThis, if present.
Run HiJackThis and click " Scan", then check(tick) the following, if present:
O2 - BHO: (no name) - {C060D62C-1F69-ED90-3F2D-0F523B4EC3C9} - C:\WINNT\System32\ufvxkdya.dll
O2 - BHO: (no name) - {C2EDC117-795B-CA80-45A5-90982A39BF52} - C:\WINNT\System32\qmlwyexy.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
Now, with all windows closed except HiJackThis, click " Fix checked".
Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
files...
C:\WINNT\System32\qcsaznas5.exe
C:\WINNT\System32\ufvxkdya.dll
C:\WINNT\System32\qmlwyexy.dll
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're ' in use', try deleting them from " Safe Mode".
Post back a new log.
-
Mike.
mattdoss
2 Posts
0
February 2nd, 2005 16:00
Scan saved at 1:28:54 PM, on 2/2/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\qcsaznas5.exe
C:\WINNT\System32\msupd5.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.exe
C:\OfficeScan NT\PCCNTMON.EXE
C:\Documents and Settings\matthewdo\Local Settings\Temp\HijackThis.exe
O2 - BHO: (no name) - {C060D62C-1F69-ED90-3F2D-0F523B4EC3C9} - (no file)
O2 - BHO: (no name) - {C2EDC117-795B-CA80-45A5-90982A39BF52} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uawlsp.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uawlsp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uawlsp.local
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Listener - Unknown - C:\OfficeScan NT\tmlisten.exe
O23 - Service: VNC Server - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe
Midnight Star
4.8K Posts
0
February 2nd, 2005 20:00
Run HiJackThis then:
2. Click " Misc Tools"
3. Click " Open Process manager"
C:\WINNT\System32\msupd5.exe
Before we begin, let's move HiJackThis to it's own folder; like c:\HJT. When we're done ' cleaning' off your system, we're going to ' flush' the temporary folders which, with HiJackThis in it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.
Run HiJackThis and click " Scan", then check(tick) the following, if present:
O2 - BHO: (no name) - {C060D62C-1F69-ED90-3F2D-0F523B4EC3C9} - (no file)
O2 - BHO: (no name) - {C2EDC117-795B-CA80-45A5-90982A39BF52} - (no file)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
Now, with all windows closed except HiJackThis, click " Fix checked".
Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
C:\WINNT\System32\msupd5.exe
Midnight Star
4.8K Posts
0
February 13th, 2005 02:00
Go to www.trendmicro.com, and then:
2. Click " Scan now, it's free".
2. Check(tick) " Auto Clean".
3. Click " Scan".
Download, unzip to your desktop CWShredder and run it, then:
( If an update isn't available, skip to step #4.)
3. When the new version has been downloaded, click " Save".
Next, Open a command prompt by:
2. Enter " cmd" ( without the quotes).
3. Enter " services.msc" ( without the quotes).
Run HiJackThis then:
2. Click " Misc Tools"
3. Click " Open Process manager"
C:\WINDOWS\System32\msupd.exe
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u wntcenur.dll
Run HiJackThis and click " Scan", then check(tick) the following, if present:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BCE8F088-F609-FA1F-29BE-E40464691231} - C:\WINDOWS\System32\wntcenur.dll
Now, with all windows closed except HiJackThis, click " Fix checked".
Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
C:\WINDOWS\System32\msupd.exe
C:\WINDOWS\System32\vhttqton.dll
C:\WINDOWS\System32\wntcenur.dll
Post back a new log, and let me know how everything goes.
Karmyna
3 Posts
0
February 13th, 2005 02:00
click to start the program, appears me an error in IEXPLORE.exe,
and I cannot recover my system to a previous date, I hope anybody can
help me... Thanks. Kindly Carmina
Logfile of HijackThis v1.99.0
Scan saved at 9:53:53, on 12/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\bixxkgau.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\ARCHIV~1\ARCHIV~1\AOL\ACS\AOLacsd.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\WINDOWS\System32\msupd.exe
C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enlamira.com.mx/foros
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A36FD6B2-60DA-4CD2-79C8-F422417C1952} - C:\WINDOWS\System32\vhttqton.dll
O2 - BHO: (no name) - {BCE8F088-F609-FA1F-29BE-E40464691231} - C:\WINDOWS\System32\wntcenur.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Archivos de programa\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Archivos de programa\Archivos comunes\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Archivos de programa\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [bixxkgau] C:\WINDOWS\System32\bixxkgau.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Archivos de programa\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Archivos de programa\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Ícono de Bandeja America Online México 9.0 .lnk = C:\Archivos de programa\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: &Bùsqueda - res://C:\Archivos de programa\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=MG2
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\ARCHIV~1\ARCHIV~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Miscrosoft Updates Service - Unknown - C:\WINDOWS\System32\msupd.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
Karmyna
3 Posts
0
February 15th, 2005 00:00
Logfile of HijackThis v1.99.0
Scan saved at 8:13:17, on 14/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\pctspk.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Archivos de programa\Archivos comunes\AOL\ACS\AOLDial.exe
C:\Archivos de programa\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Archivos de programa\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\ARCHIV~1\ARCHIV~1\AOL\ACS\AOLacsd.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enlamira.com.mx/foros
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A36FD6B2-60DA-4CD2-79C8-F422417C1952} - (no file)
O2 - BHO: (no name) - {BCE8F088-F609-FA1F-29BE-E40464691231} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Archivos de programa\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Archivos de programa\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Archivos de programa\Archivos comunes\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Archivos de programa\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Archivos de programa\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Ícono de Bandeja America Online México 9.0 .lnk = C:\Archivos de programa\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: &Bùsqueda - res://C:\Archivos de programa\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\ARCHIV~1\ARCHIV~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
.....Carmina....:womanwink:
Midnight Star
4.8K Posts
0
February 15th, 2005 14:00
Carmina,
Your more than welcome! Let's see if the MWAV scan can locate those files on your system...
Run HiJackThis and click " Scan", then check(tick) the following, if present:
O2 - BHO: (no name) - {A36FD6B2-60DA-4CD2-79C8-F422417C1952} - (no file)
O2 - BHO: (no name) - {BCE8F088-F609-FA1F-29BE-E40464691231} - (no file)
Now, with all windows closed except HiJackThis, click "Fix checked".
Download mwav.exe from MicroWorld, then:
1. Double-click the mwav.exe icon to run it (it'll self extract).
2. Click "Scan".
3. When it completes, post back the results from the 'Virus log information' pane.
Mike.
Super_Guillermo
1 Message
0
February 15th, 2005 22:00
Karmyna
3 Posts
0
February 15th, 2005 23:00
O2 - BHO: (no name) - {A36FD6B2-60DA-4CD2-79C8-F422417C1952} - (no file)
O2 - BHO: (no name) - {BCE8F088-F609-FA1F-29BE-E40464691231} - (no file)
and eScan AntiVirus found:
File C:\WINDOWS\System32\drivers\ctpqhivj.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\fbsurmbw.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\gcnhgath.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\hbdongmx.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\hgpzzinm.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\unatmtxg.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\wunwnnck.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\drivers\ymhsmqso.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ynuaxtyt.dll infected by "Trojan.Win32.Golid.f" Virus. Action Taken: No Action Taken.
Thanks for your help...:smileyhappy:
Midnight Star
4.8K Posts
0
February 22nd, 2005 17:00
Carmina,
I haven't bailed out on you, just been without a phone line for almost a full week!
-
Let's start off by doing two things:
1) Let's remove these files:
C:\WINDOWS\System32\drivers\ctpqhivj.sys
C:\WINDOWS\System32\drivers\fbsurmbw.sys
C:\WINDOWS\System32\drivers\gcnhgath.sys
C:\WINDOWS\System32\drivers\hbdongmx.sys
C:\WINDOWS\System32\drivers\hgpzzinm.sys
C:\WINDOWS\System32\drivers\unatmtxg.sys
C:\WINDOWS\System32\drivers\wunwnnck.sys
C:\WINDOWS\System32\drivers\ymhsmqso.sys
C:\WINDOWS\System32\ynuaxtyt.dll
2) Since it's been awhile since I was able to be here, and if your upto it, can you post up a new log and let me see if we have anything left to fix.
-
Mike.
Midnight Star
4.8K Posts
0
February 22nd, 2005 18:00
If you haven't ran HouseCall lately, let's go back to www.trendmicro.com, download the latest definitions, and run it.
Download, unzip to your desktop CWShredder and run it, then:
( If an update isn't available, skip to step #4.)
3. When the new version has been downloaded, click " Save".
Go to Add/Remove programs and remove(uninstall) the following, if present:
Download, then unzip to " C:\HJT", the newest version of HiJackThis; version 1.99.1. Then repost your log, either now, or after following the steps in the solution ( if provided in this post). This version has features that might help in 'cleaning' up your system.
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
Run HiJackThis and click " Scan", then check(tick) the following, if present:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://msaps.dll/index.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = res://msaps.dll/index.html
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
That should get you started - post back a new log, and let me know how everything goes. But when you do, be sure to start a new thread, if you wouldn't mind, this one has about three different problems in it. It's not confusing to me, but very confusing to the one who first posted for help.