Am I clean? [Archive] - Icrontic Forums

View Full Version : Am I clean?

ArcticBanana

21 May 2007, 6:09am

Hi guys,
I scanned my system with Ewido, ad-aware SE, Spybot search and destroy, and AVG 7.5.
Every single scan I found things and were able to remove them easily, except one thing. When I scanned with Ewido these were the results:

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:37:49 AM 5/5/2007

+ Scan result:

C:\WINDOWS\SYSTEM32\sklrr7ynsydjp.exe -> Backdoor.HacDef.fv : Error during cleaning.
C:\WINDOWS\SYSTEM32\cjnr4r4ouzf.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\cjnr4r4qvlrxe.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\cjnr4r4rwcszels.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\cjnr4r4wlbhnszg.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\dior4f4imsjpv.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\dior4f4mrxdipv.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\dior4f4uzfvbhnub.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\dior4f4uzpwbiyg.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\mlsdf8hejpuahntai.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\mlsdf8hgkqhmt.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\mlsdf8hhmsioua.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\nlkfev7chmcip.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\nlkfev7nsydkpvd.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\sklrr7ybflbhnuai.exe -> Backdoor.HacDef.fw : Error during cleaning.
C:\WINDOWS\SYSTEM32\sklrr7yqvbg.exe -> Backdoor.HacDef.fw : Error during cleaning.
:mozilla.123:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Fortunecity : Cleaned with backup (quarantined).
:mozilla.124:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Fortunecity : Cleaned with backup (quarantined).
:mozilla.125:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Fortunecity : Cleaned with backup (quarantined).
:mozilla.126:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Fortunecity : Cleaned with backup (quarantined).
:mozilla.343:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Real : Cleaned with backup (quarantined).
:mozilla.344:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Realmedia : Cleaned with backup (quarantined).
:mozilla.345:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Realmedia : Cleaned with backup (quarantined).
:mozilla.346:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Realmedia : Cleaned with backup (quarantined).
:mozilla.347:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Realmedia : Cleaned with backup (quarantined).
:mozilla.348:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Realmedia : Cleaned with backup (quarantined).
:mozilla.349:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Realmedia : Cleaned with backup (quarantined).
:mozilla.359:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Revsci : Cleaned with backup (quarantined).
:mozilla.360:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Revsci : Cleaned with backup (quarantined).
:mozilla.361:C:\Documents and Settings\Mom and Dad\Application Data\Mozilla\Firefox\Profiles\u3lkh54h.antoine\cookies.txt -> TrackingCookie.Revsci : Cleaned with backup (quarantined).

---------------------------------------------------------

It seems I wasn't able to delete the Backdoor.HacDef.fw. malware.

so I googled Backdoor.HacDef.fw and found a program called prevx1 that said it could delete Backdoor.HacDef.fw. and scanned my system again.

It also found a bunch of spyware but it didn't seem to find the Backdoor.HacDef.fw. malware so i'm not quite sure if i'm clean or not. I also accidently deleted the prevx1 log.:sad2:

and to make matters worst, while in the middle of writing this thread, Mcafee pops up and says I have w32/Generic.worm!p2p virus.

----------------------------------------------------

Ok, I finally go hjt working. Heres the log:

------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:53:27 PM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX00.656\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://de.ign.com/event.ng/Type%3dclick%26FlightID%3d27735%26AdID%3d31173%26TargetID%3d2383%26Targets%3d1949,2420,2300,4597,1938,2383,4960,3420,3445,4598,4576%26Values%3d25,31,43,51,60,72,83,90,100,110,150,155,213,221,235,293,421,653,703,986,1188,1405,1481,1547,1573,1589,1820,2204,2208,2682,2778,3166,3167,4056%26RawValues%3d%26Redirect%3dhttp://tbs.com/stories/story/0,,78416,00.html
F2 - REG:system.ini: UserInit=userinit.exe,ovkgcpx.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.quickbooks.com/c8/v15.591/qboax9.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c8/v16.607/qboax10.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} - https://accounting.quickbooks.com/c1/v13.097/qboax8.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\dior4f4jyejqhnu.exe (file missing)
O23 - Service: ATI Task Scheduler (TKATI) - Unknown owner - (no file)
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
----------------------------------
thank you in advanced. : )

Baabiouz

21 May 2007, 1:17pm

Hi!

#1
Ewido and AVG Anti-Spyware are the same program.
AVG is new version of Ewido, so remove Ewido via Add/Remove Programs.

#2
Make a new folder to C:\ and move Hijackthis.exe there.
Like this: C:\HjT\Hijackthis.exe

#3

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible.
Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

F2 - REG:system.ini: UserInit=userinit.exe,ovkgcpx.exe
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/...reeInstall.cab
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\dior4f4jyejqhnu.exe (file missing)

Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

#4

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

#4

Reboot your computer into Safe Mode (http://www.bleepingcomputer.com/forums/tutorial61.html) by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

#5

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

#6

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\Windows\System32\ovkgcpx.exe
(this file can be C:\Windows\ too, so try to find there also.

C:\WINDOWS\system32\dior4f4jyejqhnu.exe

#7

Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

#8

When you are finished, please reboot the computer normally, and post a new HijackThis log and Sdfix log here in a reply. Also, please let me know of any problems you may have encountered.

ArcticBanana

22 May 2007, 6:10am

Ok, I did all the things you said below and my computer is working like new! Thank you so much. Here is the Hjt log and the SDfix log:

Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 10:07:59 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://de.ign.com/event.ng/Type%3dclick%26FlightID%3d27735%26AdID%3d31173%26TargetID%3d2383%26Targets%3d1949,2420,2300,4597,1938,2383,4960,3420,3445,4598,4576%26Values%3d25,31,43,51,60,72,83,90,100,110,150,155,213,221,235,293,421,653,703,986,1188,1405,1481,1547,1573,1589,1820,2204,2208,2682,2778,3166,3167,4056%26RawValues%3d%26Redirect%3dhttp://tbs.com/stories/story/0,,78416,00.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.2.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Adobe Reader Synchronizer.lnk.disabled
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.quickbooks.com/c8/v15.591/qboax9.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c8/v16.607/qboax10.cab
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} - https://accounting.quickbooks.com/c1/v13.097/qboax8.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

---------------------------------------------
///////////////////////////////////////////////////////
----------------------------------------------
Here is the SDfix log:

SDFix: Version 1.84

Run by Admin - Mon 05/21/2007 - 21:37:37.06

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
TIME

ImagePath:
C:\WINDOWS\system32\dior4f4jyejqhnu.exe

TIME - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

Checking For Files with Hidden Attributes:

C:\DELL\PRIMOSDK.DLL
C:\DELL\PX.DLL
C:\DELL\PXDRV.DLL
C:\DELL\PXMAS.DLL
C:\DELL\PXWAVE.DLL
C:\DELL\VXBLOCK.DLL
C:\DELL\MEDIAEXE\PRIMOSDK.DLL
C:\DELL\MEDIAEXE\PX.DLL
C:\DELL\MEDIAEXE\PXDRV.DLL
C:\DELL\MEDIAEXE\PXMAS.DLL
C:\DELL\MEDIAEXE\PXWAVE.DLL
C:\DELL\MEDIAEXE\VXBLOCK.DLL
C:\WINDOWS\SYSTEM32\SWCTL.DLL
C:\DELL\PXCPYA64.EXE
C:\DELL\PXCPYI64.EXE
C:\DELL\PXHPINST.EXE
C:\DELL\PXINSA64.EXE
C:\DELL\PXINSI64.EXE
C:\DELL\PXSETUP.EXE
C:\DELL\MEDIAEXE\PXCPYA64.EXE
C:\DELL\MEDIAEXE\PXCPYI64.EXE
C:\DELL\MEDIAEXE\PXHPINST.EXE
C:\DELL\MEDIAEXE\PXINSA64.EXE
C:\DELL\MEDIAEXE\PXINSI64.EXE
C:\DELL\MEDIAEXE\PXSETUP.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\DELL\PXHELP20.SYS
C:\DELL\PXHELP64.SYS
C:\DELL\PXHELPER.SYS
C:\DELL\PXHLPA64.SYS
C:\DELL\MEDIAEXE\PXHELP20.SYS
C:\DELL\MEDIAEXE\PXHELP64.SYS
C:\DELL\MEDIAEXE\PXHELPER.SYS
C:\DELL\MEDIAEXE\PXHLPA64.SYS
C:\Documents and Settings\Antoine and Vee\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\Antoine and Vee\Application Data\Microsoft\Word\~WRL2187.tmp
C:\Documents and Settings\Antoine and Vee\Application Data\Microsoft\Word\~WRL2221.tmp
C:\Documents and Settings\Antoine and Vee\Application Data\Microsoft\Word\~WRL3626.tmp
C:\Documents and Settings\Mom and Dad\Local Settings\Temp\qpgishs23dl5.tmp
C:\Documents and Settings\Mom and Dad\My Documents\~WRL0003.tmp
C:\Documents and Settings\Mom and Dad\My Documents\~WRL0005.tmp
C:\Documents and Settings\Mom and Dad\My Documents\~WRL2149.tmp

Finished

---------------------------------------------
////////////////////////////////////////////
:::::::::::::::::::::::::::::::::::::::::::::::
------------------------------------------

Thank you so much for your help. This, along with the " it may not be malware thread" have extremely helped my old computer and made it work like new, no exaggeration.

Baabiouz

22 May 2007, 1:47pm

Hi!

\o/ Glad to hear that your comp works like a new! :)

Let's check is there still some "orks". :)

Please do the following...

1. Download ATF (Atribune Temp File) Cleaner� by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
This program is for XP and Windows 2000 only!

Double-click ATF Cleaner.exe to open it.

Under Main select the following:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program.

Launch AVG Anti-Spyware

On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Once in Safe Mode:

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.