Trying to fix someone's computer for them.

Logfile of HijackThis v1.99.1
Scan saved at 10:15:49 PM, on 08/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\jparpq.exe
c:\windows\system32\ssxzrmh.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
E:\Fix Computers\New Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [tplier] C:\WINDOWS\System32\tplier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jparpq.exe reg_run
O4 - HKLM\..\Run: [wuntkqh] c:\windows\system32\ssxzrmh.exe r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Last Post by dlh6213

Hi Wild Bill, welcome to DaniWeb :D

Please follow the recommendations and instructions in the links below. When you get to the end of the third one (Infection removal), go to post #5 and follow the instructions there carefully.

When you've finished, please post a new HijackThis log along with the Ewido log.


Hopefully that worked... not sure though.

+ Created on:           9:50:37 PM, 08/04/2005
+ Report-Checksum:      46A5C5C9


+ Scan result:


HKU\S-1-5-21-1183646164-3809480734-195663008-1007\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E} -> Spyware.CometCursor : Cleaned with backup
[804] c:\windows\system32\hicbpgf.exe -> Adware.BetterInternet : Cleaned with backup
:mozilla.10:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.11:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.20:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.21:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.22:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.23:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.29:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.30:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.31:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.32:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.37:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.46:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.47:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.48:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.49:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@linksynergy[2].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\6544684F-F245-44BE-9254-A5AB10.asq -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9C5102E4-D4B0-40EE-8C82-410C1F\3FCD6251-A225-43F9-8A30-8B13D0 -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9C5102E4-D4B0-40EE-8C82-410C1F\7EC0BBD8-292F-41AD-805F-FDC4BF -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F435C0EB-39C7-4881-A5E1-47F4B7\5A378AB0-1E69-400F-9096-8853C4 -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\lnsjrg.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\hicbpgf.exe -> Adware.BetterInternet : Cleaned with backup



Logfile of HijackThis v1.99.1
Scan saved at 10:18:34 PM, on 08/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Fix Computers\New Stuff\HijackThis.exe
C:\WINDOWS\System32\dwwin.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maxifiles.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [tplier] C:\WINDOWS\System32\tplier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe



Remove Newdotnet either from Add/Remove Programs, or by following the instructions here:
http://www.newdotnet.com/removal.html

Also in Add/Remove Programs, remove Viewpoint (or Viewpoint Manager, ViewMgr, or something similar).

Scan with HijackThis and have it fix:

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing

Close any open windows, other than HijackThis, and hit Fix checked.

Go to the following locations and delete the highlighted folders:

C:\Program Files\Viewpoint
C:\program files\newdotnet

Do a search for these files and delete any instances found:

commandd.exe
conversions.ini
d2gfz.dll
diablo ii.exe
dinst.exe
grab.exe

If any of these files are found, but cannot be deleted, reboot into Safe Mode and try it from there.

Download and run CCleaner: http://www.filehippo.com/download/lixhbccfafpilfwflhddbjzbwcxefhrh/download.html

Reboot, close any open browser windows, scan with HijackThis, and post a new log please.
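The checks dlh6213 is applying by eye across these logs can be written down. The script below is an added example, neither HijackThis code nor anything posted in this thread. It parses a HijackThis v1.99.1 log, flags the entry types that were fixed here (an F2 Shell= line loading something besides Explorer.exe, an O4 autorun started from a Temp folder, anything tagged "(file missing)", an O10 broken LSP chain) plus the "is this the ISP's DNS?" question on the O17 lines that comes up later in the thread, and diffs two logs so the before/after comparison between scans is mechanical. The two log excerpts are copied from the first and last logs in this thread; TRUSTED_DNS is an assumption that has to be filled in from the ISP, not from the log.

```python
"""Triage helpers for HijackThis v1.99.1 logs.

Added example; this is neither HijackThis code nor anything posted in the
thread. It encodes the checks the helper applied by eye:

  * F2  Shell= values that load anything besides Explorer.exe
  * O4  autoruns launched from a Temp directory
  * any entry HijackThis tags "(file missing)" (dangling BHO, button, ...)
  * O10 broken Winsock LSP chain
  * O17 NameServer values outside an operator-supplied set of ISP resolvers

and it diffs two logs so the before/after comparison is mechanical.
"""
import re

# Constructed excerpt of the first (infected) log in the thread.
FIRST_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
"""

# Constructed excerpt of the final (clean) log in the thread.
LAST_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maxifiles.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Assumption: the resolvers the ISP actually hands out. Left empty on purpose
# so every O17 entry is surfaced until the operator fills it in.
TRUSTED_DNS = frozenset()

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\|\\WINDOWS\\Temp\\", re.IGNORECASE)


def parse_hjt(text):
    """Return (section, body, raw_line) for every R/F/O entry. Header and
    'Running processes' lines have no 'Xn - ' prefix and are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def triage(entries, trusted_dns=TRUSTED_DNS):
    """Return (reason, raw_line) for each entry one of the checks fires on."""
    findings = []
    for section, body, raw in entries:
        if section == "F2" and body.startswith("REG:system.ini: Shell="):
            shell = body.split("=", 1)[1].strip()
            if shell.lower() != "explorer.exe":  # e.g. Nail.exe riding on the shell line
                findings.append(("shell hijack: extra program loaded at logon", raw))
        elif section == "O4" and TEMP_RE.search(body):
            findings.append(("autorun launched from a Temp directory", raw))
        elif section == "O10":
            findings.append(("broken Winsock LSP chain", raw))
        elif section == "O17" and "NameServer =" in body:
            servers = body.split("NameServer =", 1)[1].split(",")
            unknown = [s.strip() for s in servers if s.strip() not in trusted_dns]
            if unknown:
                findings.append(("DNS not in trusted set: " + ", ".join(unknown), raw))
        if "(file missing)" in body:
            findings.append(("dangling entry: target file is missing", raw))
    return findings


def diff_logs(before, after):
    """Entries present only in `before` (removed) and only in `after` (added)."""
    old = {raw for _, _, raw in parse_hjt(before)}
    new = {raw for _, _, raw in parse_hjt(after)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for reason, raw in triage(parse_hjt(FIRST_LOG)):
        print(f"[{reason}] {raw}")
    removed, added = diff_logs(FIRST_LOG, LAST_LOG)
    print(f"\n{len(removed)} entries removed, {len(added)} added between scans")
```

Run against the first log it reports five findings; once the two 192.206.29.2 / 166.66.44.56 resolvers are confirmed as the ISP's and put in TRUSTED_DNS, the O17 finding drops out and four remain. The diff is deliberately exact-string: a Run entry that changes only its file name between scans shows up as one removal plus one addition, which is what you want when a dropper re-creates itself under a new random name.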


I believe that got rid of the Viewpoint thing, but there was no program file of newdotnet to remove. When trying to remove the O10 LSP provider line in HijackThis it said it isn't able to do it and gave a weblink which gave a 404 error, but it also recommended using Spybot S&D to get rid of it if it was newdotnet. I downloaded that and did a scan. Restarted it, but it appears to still be there. Here's the new HJT log. Thanks for all of your help so far!

Logfile of HijackThis v1.99.1
Scan saved at 5:43:59 PM, on 08/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
E:\Fix Computers\New Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maxifiles.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [tplier] C:\WINDOWS\System32\tplier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


Please follow the instructions here to remove newdotnet -- http://www.newdotnet.com/removal.html

Delete the entire contents of the C:\Windows\Temp folder.

Delete the entire contents of the C:\Temp folder.

Do a search for *.tmp and delete all entries found.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Scan with HJT and have it fix:

O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [tplier] C:\WINDOWS\System32\tplier.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
If the IP addresses below are not related to her ISP, have HJT fix both of these O17 entries --
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56

Close any open windows and hit Fix checked.

Reboot, close any open browser windows, scan with HJT and post a new log please.
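The temp-folder cleanup above is the same four folders for every profile, and the point is to empty them without deleting the folders themselves (the dropper See04152005.exe in this thread was staged in Local Settings\Temp). The script below is an added example, not something from the thread. It assumes the Windows XP layout C:\Documents and Settings\<user>\... with the profiles root passed in as a parameter, defaults to a dry run, and reports anything the OS refused to delete rather than stopping; on a live XP box that list will include the index.dat files Internet Explorer keeps open, which is why the thread's advice to do this from Safe Mode when deletes fail still applies. The demo builds a scratch tree so nothing on the real system is touched.

```python
r"""Empty the per-profile temp and cache folders the thread lists, for every
profile under the XP profiles root, without removing the folders themselves.

Added example; not code from the thread. The layout
C:\Documents and Settings\<user>\... is assumed and the root is a parameter,
so the demo below runs against a scratch tree instead of a real system.
Dry run is the default; pass dry_run=False to actually delete.
"""
import os
import shutil
import tempfile

# Relative to each profile: the four folders named in the thread.
PROFILE_SUBDIRS = (
    os.path.join("Local Settings", "Temp"),
    "Cookies",
    "History",
    os.path.join("Local Settings", "Temporary Internet Files", "Content.IE5"),
)


def purge_profile_caches(profiles_root, dry_run=True):
    """Return (deleted, skipped). `deleted` lists what was (or would be)
    removed; `skipped` lists entries the OS refused to remove, which on a live
    XP box includes index.dat files IE keeps open."""
    deleted, skipped = [], []
    if not os.path.isdir(profiles_root):
        return deleted, skipped
    for user in sorted(os.listdir(profiles_root)):
        for sub in PROFILE_SUBDIRS:
            folder = os.path.join(profiles_root, user, sub)
            if not os.path.isdir(folder):
                continue
            for name in sorted(os.listdir(folder)):  # contents only; the folder stays
                path = os.path.join(folder, name)
                try:
                    if not dry_run:
                        if os.path.isdir(path) and not os.path.islink(path):
                            shutil.rmtree(path)
                        else:
                            os.remove(path)
                    deleted.append(path)
                except OSError:
                    skipped.append(path)
    return deleted, skipped


def build_demo_tree(root):
    """Constructed fixture: two profiles, junk in each listed folder, a staged
    dropper in Temp (like See04152005.exe in the thread) and a document
    outside the listed folders that must survive."""
    for user in ("jessica", "Administrator"):
        for sub in PROFILE_SUBDIRS:
            folder = os.path.join(root, user, sub)
            os.makedirs(folder, exist_ok=True)
            with open(os.path.join(folder, "junk.tmp"), "w") as fh:
                fh.write("x")
    with open(os.path.join(root, "jessica", "Local Settings", "Temp", "See04152005.exe"), "wb") as fh:
        fh.write(b"MZ")
    os.makedirs(os.path.join(root, "jessica", "My Documents"), exist_ok=True)
    with open(os.path.join(root, "jessica", "My Documents", "keep.txt"), "w") as fh:
        fh.write("keep")


def run_demo():
    """Dry-run, then really purge, a scratch tree. Returns
    (dry_count, real_count, dropper_gone, temp_folder_kept, document_kept)."""
    root = tempfile.mkdtemp()
    try:
        build_demo_tree(root)
        dropper = os.path.join(root, "jessica", "Local Settings", "Temp", "See04152005.exe")
        dry, _ = purge_profile_caches(root)            # default: dry run, nothing deleted
        untouched = os.path.exists(dropper)
        real, _ = purge_profile_caches(root, dry_run=False)
        return (len(dry), len(real), untouched and not os.path.exists(dropper),
                os.path.isdir(os.path.dirname(dropper)),
                os.path.exists(os.path.join(root, "jessica", "My Documents", "keep.txt")))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The fixture holds nine items across the listed folders (a junk.tmp in each of the four folders for two profiles, plus the dropper), so both the dry run and the real run report nine; the Temp folder and the document under My Documents are still there afterwards.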


Ok, here's the new log..

Logfile of HijackThis v1.99.1
Scan saved at 1:10:16 PM, on 08/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Fix Computers\New Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maxifiles.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


I just see one more thing to fix there; I wasn't sure before so I had to do a bit of research.

Scan with HJT and have it fix

O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k

Remember to close all windows before hitting Fix checked.

Go to C:\PROGRAM FILES and delete the Acceleration Software folder.

Empty the Recycle Bin and reboot.

According to the Ewido Log, it looks like she has, or had, the Qoologic trojan.

Please get Find_qoologic.zip (by baskar1234) from:
http://home.earthlink.net/~firestrike/antispy/findqoologic.zip

After you download it, unzip it; go to the new qoologic folder and double-click on qoologic.bat to run it. It will take a few minutes to scan the drive, so be patient. When it has finished, open My Computer, double-click on the C: drive, and copy & paste the contents of the below logs into this thread.

C:\log.txt
C:\win.txt
C:\start.txt


I fixed the O4 entry with HJT, but I could not find any Acceleration Software on the computer. After I downloaded the program the only log with any information in it was C:\log.txt. The other two logs were just completely empty (0 KB each). Here's the log:

C:\Documents and Settings\jessica a.eisenhart\Local Settings\Temp\findqoologic

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------


That was it. Thanks again for your continued help.


Follow the 'Cleanup' procedures in the second link below (including CCleaner) and that should do it. Are you still having any problems?


Ok, that appears to have fixed everything. Thank you greatly for all of your help. Here's the new HJT log. If there are no more nasties in there you can close this thread. Thanks again!!

Logfile of HijackThis v1.99.1
Scan saved at 5:24:36 PM, on 08/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
E:\Fix Computers\New Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maxifiles.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


Ok, that appears to have fixed everything. Thank you greatly for all of your help. Here's the new HJT log. If there are no more nasties in there you can close this thread. Thanks again!!

That log looks clean to me :)

You're welcome!
