Help request with spyware, virus please - Page 3

Question

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 1 · 2009-03-20T16:30:04+00:00

Looks like there is still one left :(.

Double click on OTMoveIt3 to run it.

Please copy and paste the text in the Code box below, into OTMoveIt3;

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128}]
:files
d:\WINDOWS\system32\arwehdx.dll
:commands
[EmptyTemp]
[Reboot]

Check the box "Unregister Dll's and OCX's ... if not checked.
Click on MoveIt!
The end results of the processing will be in 2 places:
- The Results window on the right side of the OTMoveIt screen.
- A log (text) file created in "C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log"
Copy all the text from the Results window...
Click Exit (3) when done.
Please paste the results from the OTMoveIt window or the log file, in your next reply.

====

Post a new hijackthis log too please.

algismorales 0 Light Poster · Answer 2 · 2009-03-21T00:55:20+00:00

Hi Crunchie,

Here is the new log that was created by OTMoveIt, followed by the HiJackThis log:

========== REGISTRY ==========
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128}\\ .
========== FILES ==========
LoadLibrary failed for d:\WINDOWS\system32\arwehdx.dll
d:\WINDOWS\system32\arwehdx.dll NOT unregistered.
File move failed. d:\WINDOWS\system32\arwehdx.dll scheduled to be moved on reboot.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. D:\WINDOWS\temp\Perflib_Perfdata_7e0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Error: Unable to interpret <[Reboot]:reg> in the current context!
Error: Unable to interpret <[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ade9f68-2b65-4f0d-9b33-e070d1b5e128}]> in the current context!
========== FILES ==========
LoadLibrary failed for d:\WINDOWS\system32\arwehdx.dll
d:\WINDOWS\system32\arwehdx.dll NOT unregistered.
File move failed. d:\WINDOWS\system32\arwehdx.dll scheduled to be moved on reboot.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. D:\WINDOWS\temp\Perflib_Perfdata_7e0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03202009_133922

Files moved on Reboot...
LoadLibrary failed for d:\WINDOWS\system32\arwehdx.dll
d:\WINDOWS\system32\arwehdx.dll NOT unregistered.
File move failed. d:\WINDOWS\system32\arwehdx.dll scheduled to be moved on reboot.
File move failed. D:\WINDOWS\temp\Perflib_Perfdata_7e0.dat scheduled to be moved on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:46 PM, on 3/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\NavNT\rtvscan.exe
D:\Program Files\NavNT\vptray.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Algis\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0ADE9F68-2B65-4F0D-9B33-E070D1B5E128} - d:\windows\system32\arwehdx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Ink Monitor] D:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106511023205
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe

--
End of file - 5621 bytes

Thank you Crunchie

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 3 · 2009-03-21T01:33:51+00:00

That is one stubborn file.

Download Unlocker from http://ccollomb.free.fr/unlocker/ and run it as advertised to remove that file. Reboot when done and post up a new hijackthis log.

algismorales 0 Light Poster · Answer 4 · 2009-03-24T01:03:44+00:00

Hi Crunchie,
Sorry I've been gone out of town for a a few days.

Okay, I downloaded Unlocker as your above post, went to my D drive and looked up WINDOWS/system32/arwehdx.dll, right clicked, and unlocked it. I chose the option to delete, and then rebooted.

Here is the HiJackThis log after reboot:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:20 PM, on 3/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\NavNT\defwatch.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\NavNT\rtvscan.exe
D:\Program Files\NavNT\vptray.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\MsgSys.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Algis\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0ADE9F68-2B65-4F0D-9B33-E070D1B5E128} - d:\windows\system32\arwehdx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Ink Monitor] D:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106511023205
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/pi1_20.exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe

--
End of file - 5621 bytes

Thank you Crunchie

Algis

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 5 · 2009-03-24T14:39:18+00:00

Do you have another pc you can hook that HD up to? You may have to delete it like that. None of the tools that would normally remove stubborn files are working :(.

algismorales 0 Light Poster · Answer 6 · 2009-03-25T03:21:20+00:00

Hi Crunchie,
I don't know what you mean about "hooking up the HD to", but yes, I do have another computer here with me; my laptop. How would I do this?

Thank you for your help.

Algis

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 7 · 2009-03-25T04:48:05+00:00

crunchie 990 Most Valuable Poster

15 Years Ago

Do you have access to a desktop pc? It will be a lot easier.

algismorales 0 Light Poster · Answer 8 · 2009-03-25T06:09:35+00:00

Not at the moment. Would I need to have another desktop "physically" next to this one (the one we're trying to get rid of the virus)? I'll see what I can do.
What does the next step entail?

Thank you Crunchie

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 9 · 2009-03-25T06:39:37+00:00

If you remove the hard drive and then plug (connect) it into another pc, you will be able to delete the file in question with no problem.
I would also run MBA-M on that pc and have it scan your infected drive.

algismorales 0 Light Poster · Answer 10 · 2009-03-27T13:29:10+00:00

Hi Crunchie, hi JHolland,
I'm trying as best as I can to borrow a friend's pc to bring home and do the procedure to remove that last virus you've been helping me with. I'm located in Colombia, South America right now and actually home on vacation. I'm headed to the US in the next week or so, but I'm trying to leave this home computer in tip top shape for my family, so I'll do my best to borrow that second pc and get on with ridding ourselves of that last slimy virus.
I can't thank you enough Crunchie and Jholland for all the help and patience you've been so generously and unselfishly giving me. Thank you, thank you, thank you!
I will get back in touch in the next few days with that other pc in tow.

Gratefully,
Algis

algismorales 0 Light Poster · Answer 11 · 2009-04-10T02:50:30+00:00

Hi Crunchie, hi jholland,
I wasn't able to get someone to lend me their pc to do this last procedure you requested, and unfortunately I'm travelling for the next 3 months. However, I will try to get my brother to see if he can get another pc to help us run the next procedure, or I'll try again when I get back in July. By then, I guess we'll have to run more scans to make sure no other nasties have gotten into the computer while I'm gone.
However, I really, really want to thank you Crunchie and Judy for helping me out so much to clean my computer and get it back working. I don't know what I would have done without your help. Thank you for your kindness and for being so patient.
You two are wonderful.

With my best wishes,
Algis

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 12 · 2009-04-10T08:01:19+00:00

crunchie 990 Most Valuable Poster

15 Years Ago

No worries and happy travelling :)