954,184 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Have something to say? Contribute New Article Reply to this Article
8 Years Ago
0

internet explorer / virus problem here

everytime I write the word virus ie close itself the only way I can look into google virus search is in safe mode.

so I cant install any anti-virus...
I haven't found the problem yet
I used the last version of ad-aware with the updates
I also used the last version of spybot search and destroy with the updates

so my big problem is that ie close by itself on a few pages like every page that could help me to get rid of the virus / *ware and my ctrl + alt + delete doesn't do anything either. I'm on windows xp and I read a thread that says something about hijack so I did a scan here it is.

Logfile of HijackThis v1.97.7
Scan saved at 05:11:47, on 2004-04-28
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Sanosuke Sagara\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SysInit] wininit32.exe -services
O4 - HKLM\..\Run: [cdupodgr] C:\WINDOWS\cdupodgr.exe
O4 - HKLM\..\RunServices: [SysInit] wininit32.exe -services
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SysInit] wininit32.exe -drivers
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37989.8697337963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

lets hope you can help me ( this is a scan in safemode also everything work there but I cant perform a scan in normal mode )

jeff

elfnet
Newbie Poster
15 posts since Apr 2004
Reputation Points: 10
Solved Threads: 0
 
8 Years Ago
0

You have the Xabot virus.

Unzip HJT into it's own permanent folder before doing anything in order for it to create backups. (Not a temporary folder or the desktop & not directly on your hard drive). Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [SysInit] wininit32.exe -services
O4 - HKLM\..\Run: [cdupodgr] C:\WINDOWS\cdupodgr.exe
O4 - HKLM\..\RunServices: [SysInit] wininit32.exe -services
O4 - HKCU\..\Run: [SysInit] wininit32.exe -drivers
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\cdupodgr.exe

Reboot into safe mode following the instructions here & navigate to & delete

C:\WINDOWS\cdupodgr.exe< this one

Boot into normal.
P2P networking should be uninstalled.
Go here for an on-line scan & set it to autoclean for you.

Get back with the results plz.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
8 Years Ago
0

Thanks mate now I can surf into pages it doesn't seems like im having a problem.

I got a problem on boot about asctres.cpy.dll... I'll boot again and paste the problem in here if you dont mind.

this is my new scan with HJT...

Logfile of HijackThis v1.97.7
Scan saved at 13:32:22, on 2004-04-28
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wcpsvit.exe
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\SPY-FIX\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37989.8697337963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

elfnet
Newbie Poster
15 posts since Apr 2004
Reputation Points: 10
Solved Threads: 0
 
8 Years Ago
0

also when I scan with lavasoft ad-aware they told me that asctres.cpy.dll is a problem too but they can't remove it now that they will do it on the next boot but if they remove the file I get a rundll error...

any idea what could this be?

elfnet
Newbie Poster
15 posts since Apr 2004
Reputation Points: 10
Solved Threads: 0
 
8 Years Ago
0

click on this link and this web site would scan your Pc for any viru, it pretty good,

http://housecall.trendmicro.com/

condorcanqui
Junior Poster in Training
51 posts since Nov 2003
Reputation Points: 10
Solved Threads: 6
 
8 Years Ago
0

you missed this one .
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe>>>> bad

caperjack
I hate 20 Questions
Team Colleague
13,069 posts since Aug 2003
Reputation Points: 1,064
Solved Threads: 812
 
8 Years Ago
0

Logfile of HijackThis v1.97.7
Scan saved at 01:35:21, on 2004-05-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wcpsvit.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\eXtreme\mirc32.exe
C:\Program Files\Winamp\winamp.exe
D:\IRCD\bircd.exe
D:\eXtreme\mirc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\SPY-FIX\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37989.8697337963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab

This is my new one I still have some internet pages that pop tell me what to remove please

elfnet

elfnet
Newbie Poster
15 posts since Apr 2004
Reputation Points: 10
Solved Threads: 0
 
8 Years Ago
0

Moving to the new Security forum, as this is spyware-related. :)

DMR
Wombat At Large
Team Colleague
7,229 posts since Dec 2003
Reputation Points: 221
Solved Threads: 370
 
8 Years Ago
0

alright for the moving but that doesn't help me.

elfnet

elfnet
Newbie Poster
15 posts since Apr 2004
Reputation Points: 10
Solved Threads: 0
 
8 Years Ago
0
alright for the moving but that doesn't help me.

Perhaps not, but itdoes help us keep all of these spyware/adware/malware posts in one place.
Also- patience is key here, and please remember that we do this on a volunteer basis.

caperjack and crunchie are very helpful and knowledgeable in this area; if the answers they've given you haven't solved your problems yet, don't worry- they'll be back to help soon. :)

DMR
Wombat At Large
Team Colleague
7,229 posts since Dec 2003
Reputation Points: 221
Solved Threads: 370
 
8 Years Ago
0

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe

Now reboot into safe mode and delete the following files and folders .

C:\WINDOWS\System32\wcpsvit.exe>> delete file if found

to delete the above files and folder you will need to do the following
go to Show hidden files & folders
"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

caperjack
I hate 20 Questions
Team Colleague
13,069 posts since Aug 2003
Reputation Points: 1,064
Solved Threads: 812
 
8 Years Ago
0

Can you download the following app & run it, making sure to have one internet exploder window open. Save the log & paste the results back here.
VX2Finder

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
8 Years Ago
0

Files Found---
C:\WINDOWS\System32\aqlui.dll
C:\WINDOWS\System32\asaamon.dll


Guardian Key---
Asynchronous 000
DllName C:\WINDOWS\system32\aqlui.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 123
ID {8539157C-3407-41F9-A686-1B84A0407626}
IDex N1

User Agent String---
{8539157C-3407-41F9-A686-1B84A0407626}



That's what I get from the VX2Finder

elfnet

elfnet
Newbie Poster
15 posts since Apr 2004
Reputation Points: 10
Solved Threads: 0
 
8 Years Ago
0

Download Killbox from http://download.broadbandmedic.com/VbStuff/KillBox.zip
Unzip to your desktop.
Run Killbox.exe. From the menu click “Fix L2M then click “Kill VX2.BetterInternet"

Restart your system

Next, type javascript:navigator.userAgent or just copy and paste it in your IE Address bar then hit enter.

Post the complete result again. (That is, VX2finder log + the IE results)

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
8 Years Ago
0

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {8539157C-3407-41F9-A686-1B84A0407626})


this is after what you told me to do

thanks for the help by the way

Ps: Do I have to do something next?

elfnet
Newbie Poster
15 posts since Apr 2004
Reputation Points: 10
Solved Threads: 0
 
8 Years Ago
0

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6go4svc.dll
C:\WINDOWS\System32\abd.dll
C:\WINDOWS\System32\afmparse.dll
C:\WINDOWS\System32\agd.dll
C:\WINDOWS\System32\aolui.dll
C:\WINDOWS\System32\aqlui.dll
C:\WINDOWS\System32\asaamon.dll
C:\WINDOWS\System32\Ay3API.DLL


Guardian Key---

User Agent String---
{8539157C-3407-41F9-A686-1B84A0407626}

This is the log after m reboot of VX2 Finder it seems worst!

elfnet
Newbie Poster
15 posts since Apr 2004
Reputation Points: 10
Solved Threads: 0
 
8 Years Ago
0

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6go4svc.dll
C:\WINDOWS\System32\abd.dll
C:\WINDOWS\System32\afmparse.dll
C:\WINDOWS\System32\agd.dll
C:\WINDOWS\System32\aolui.dll
C:\WINDOWS\System32\aqlui.dll
C:\WINDOWS\System32\asaamon.dll
C:\WINDOWS\System32\Ay3API.DLL


Guardian Key---

User Agent String---
{8539157C-3407-41F9-A686-1B84A0407626}

AFter the javascript:navigator.userAgent thingy and the killbox process I run VX2 finder again and it seems worst.

elfnet

elfnet
Newbie Poster
15 posts since Apr 2004
Reputation Points: 10
Solved Threads: 0
 
8 Years Ago
0

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6go4svc.dll
C:\WINDOWS\System32\abd.dll
C:\WINDOWS\System32\afmparse.dll
C:\WINDOWS\System32\agd.dll
C:\WINDOWS\System32\aolui.dll
C:\WINDOWS\System32\aqlui.dll
C:\WINDOWS\System32\asaamon.dll
C:\WINDOWS\System32\Ay3API.DLL


Guardian Key---

User Agent String---
{8539157C-3407-41F9-A686-1B84A0407626}

This is the log after m reboot of VX2 Finder it seems worst!




Run Killbox.exe. From the menu click “Fix L2M then click “Kill VX2.BetterInternet"

Restart your system

Run Killbox.exe again.
From the menu click “Fix L2M then click “Import L2M.reg.
Click OK when you asked to “Import Registry Script?
Then from the menu again, click “Find. Click “User Agent String.
Select the entry {8539157C-3407-41F9-A686-1B84A0407626} then click “Action.
Click “Delete User Agent String. Close Killbox.

Reboot.

Run VX2 finder once more & the IE Javascript search. Post the Log for VX2.Finder and result of javascript:navigator.userAgent.

Also include a fresh hijackthis log plz.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
8 Years Ago
0

The option "Import L2M.reg" is not enable or so cause I can't click on it :/

elfnet

elfnet
Newbie Poster
15 posts since Apr 2004
Reputation Points: 10
Solved Threads: 0
 
8 Years Ago
0

Try this instead. Download the VX2 fix here.
You must run it three times in a row to completely remove the files registry keys.

Then post another VX2 log plz.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 

This article has been dead for over three months

Post: Markdown Syntax: Formatting Help
You
 
 
© 2012 DaniWeb® LLC
Home | About Us | Contact Us | Terms of Service | Advertising Opportunities
RSS Feed RSS Feed