
AIM BEACH PICS virus....please help me with the next step!

I already installed and ran LSPFix and removed the cdlsp.dll instance, and then I ran the 2 virus detection programs as you recommended. However, I still have this AIM beach pics virus.


This is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:41:50 PM, on 3/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inetr45\services.exe
C:\WINDOWS\system32\pd7.exe
C:\windows\system32\sebzgn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Bgisvyu\Wlqwb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\BITDEFENDERX.EXE
C:\windows\system32\calc.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\98 WINDOWS USER\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-daily.com/10025/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://about:blank[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: run=C:\WINDOWS\inetr45\services.exe
O1 - Hosts: 69.50.164.77 google.com www.google.com
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetr45\2.00.00.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Basic\psbasic.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetr45\services.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O4 - HKLM\..\Run: [BitDefender Antivirus] BITDEFENDERX.EXE
O4 - HKLM\..\Run: [sebzgn] c:\windows\system32\sebzgn.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [printer] C:\WINDOWS\helpsys.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\98WIND~1\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [Mdcpa] C:\Program Files\Bgisvyu\Wlqwb.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetr45\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [BitDefender Antivirus] BITDEFENDERX.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {B90E56E0-BB2C-4D5F-A3CA-725510DC198C} - C:\WINDOWS\System32\ole2487p.dll (file missing) (HKCU)
O16 - DPF: {0110E299-5171-2725-4AAF-201B001FE95A} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {12309EAB-7B06-0EAA-615F-3F5911DB0238} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {176099E4-F269-3C66-541C-5033475B4F44} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {26D42FD3-7A96-3DAB-66DF-0BFF1B4CB9C7} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {26E32D55-12E8-3066-D226-70894D7726C8} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {29FE07D3-952B-4621-DAD1-098E7D76F49D} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {2D80CA05-97F4-328D-22C8-026C61B573CA} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {33263623-711F-6DF1-2812-370F22BBF72B} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {33E36DDF-AA10-1316-A085-01F2358BD006} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {38855E44-66D6-7AFF-11CC-5DBF502EB759} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {38E40EB7-0239-0C7B-DAD0-576B10FD183D} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {410F475E-33EF-1DCE-6BDB-713E7D5720F6} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {47000617-EFAB-100C-CDFB-7F5000F16612} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {5BB9C810-27A2-6A69-833D-59A3576C3255} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {66D02EFD-2553-4AF4-61F0-78000DB921EF} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {72F22ADF-2654-2EAF-CF31-7DD8422EC09C} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {72FC5EFB-566F-7335-C7DF-68ED2FE69780} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {7579AA7F-ACDD-7776-5AC1-04EF0959B9CB} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {79EB8B3A-7841-47D7-7EE0-5D48152B03C9} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O19 - User stylesheet: (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\ipwh.exe (file missing)

Comments

  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Please download CWShredder but don't run it yet.
    http://cwshredder.net/bin/CWSInstall.exe


    Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

    Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


    Make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-daily.com/10025/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://about:blank[/url]
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F3 - REG:win.ini: run=C:\WINDOWS\inetr45\services.exe
    O1 - Hosts: 69.50.164.77 google.com www.google.com
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
    O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetr45\2.00.00.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetr45\services.exe
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
    O4 - HKLM\..\Run: [BitDefender Antivirus] BITDEFENDERX.EXE
    O4 - HKLM\..\Run: [sebzgn] c:\windows\system32\sebzgn.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [printer] C:\WINDOWS\helpsys.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\98WIND~1\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded
    O4 - HKLM\..\Run: [Mdcpa] C:\Program Files\Bgisvyu\Wlqwb.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetr45\services.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
    O4 - HKCU\..\RunOnce: [BitDefender Antivirus] BITDEFENDERX.EXE
    O9 - Extra button: (no name) - {B90E56E0-BB2C-4D5F-A3CA-725510DC198C} - C:\WINDOWS\System32\ole2487p.dll (file missing) (HKCU)
    O16 - DPF: {0110E299-5171-2725-4AAF-201B001FE95A} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {12309EAB-7B06-0EAA-615F-3F5911DB0238} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {176099E4-F269-3C66-541C-5033475B4F44} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {26D42FD3-7A96-3DAB-66DF-0BFF1B4CB9C7} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {26E32D55-12E8-3066-D226-70894D7726C8} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {29FE07D3-952B-4621-DAD1-098E7D76F49D} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {2D80CA05-97F4-328D-22C8-026C61B573CA} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {33263623-711F-6DF1-2812-370F22BBF72B} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {33E36DDF-AA10-1316-A085-01F2358BD006} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {38855E44-66D6-7AFF-11CC-5DBF502EB759} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {38E40EB7-0239-0C7B-DAD0-576B10FD183D} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {410F475E-33EF-1DCE-6BDB-713E7D5720F6} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {47000617-EFAB-100C-CDFB-7F5000F16612} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {5BB9C810-27A2-6A69-833D-59A3576C3255} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {66D02EFD-2553-4AF4-61F0-78000DB921EF} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {72F22ADF-2654-2EAF-CF31-7DD8422EC09C} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {72FC5EFB-566F-7335-C7DF-68ED2FE69780} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {7579AA7F-ACDD-7776-5AC1-04EF0959B9CB} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {79EB8B3A-7841-47D7-7EE0-5D48152B03C9} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
    O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
    O19 - User stylesheet: (file missing)
    O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\ipwh.exe (file missing)


    Reboot your computer into Safe Mode


    Now run CWShredder, making sure to click "Fix".


    Then delete these files or directories (do not be concerned if they do not exist):

    C:\WINDOWS\system32\ipwh.exe
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\cerbmod.dll
    C:\WINDOWS\inetr45
    C:\WINDOWS\system32\pd7.exe
    C:\WINDOWS\system32\BITDEFENDERX.EXE
    c:\windows\system32\sebzgn.exe
    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\farmmext.exe
    C:\WINDOWS\helpsys.exe
    c:\windows\tasks\sa.dat
    C:\Program Files\Internet Optimizer
    C:\Program Files\Bgisvyu


    Delete temp files

    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the Recycle Bin.


    Run a full scan with Adaware.

    Reboot your computer to go back to normal mode and post a new log.
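As an added illustration of the triage the reply above does by hand (example code written for this page, not part of the original thread or of HijackThis), the Python below scans HijackThis log lines and flags the kinds of entries Buckeye_Sam singled out: a hosts-file redirect of google.com, an O16 ActiveX download served from a raw IP as a bare .exe, an unnamed BHO, a service with an unknown owner or missing binary, and a core process name such as services.exe running from outside system32. The sample lines are constructed from the log in this thread, and the heuristics are the editor's own, not a published rule set.

```python
import re
from urllib.parse import urlparse

# Core Windows process names that legitimately run only from system32.
SYSTEM_EXES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

def masquerade(path):
    """True when a core Windows process name runs from outside system32."""
    parts = path.lower().split("\\")
    return parts[-1] in SYSTEM_EXES and "system32" not in parts

def triage_line(line):
    """Return a reason string if a HijackThis line looks hostile, else None."""
    kind = line.split(" - ", 1)[0].strip()
    if kind == "O1":  # hosts file: a public name pointed at a non-loopback address
        m = re.match(r"O1 - Hosts:\s+(\S+)\s+(\S+)", line)
        if m and not m.group(1).startswith("127."):
            return f"hosts redirect: {m.group(2)} -> {m.group(1)}"
    if kind == "O16":  # ActiveX download served from a raw IP or as a bare .exe
        url = line.rsplit(" - ", 1)[1].strip()
        host = urlparse(url).hostname or ""
        if re.fullmatch(r"\d+(\.\d+){3}", host) or url.lower().endswith(".exe"):
            return f"ActiveX download from raw IP or direct .exe: {url}"
    if kind == "O2" and "(no name)" in line:
        return "unnamed browser helper object"
    if kind == "O23" and ("(file missing)" in line or "Unknown owner" in line):
        return "service with unknown owner or missing binary"
    m = PATH_RE.search(line)  # also covers bare running-process, F3 and O4 lines
    if m and masquerade(m.group(1)):
        return f"system process name outside system32: {m.group(1)}"
    return None

def triage(log_text):
    """Return [(line, reason)] for every flagged line of a HijackThis log."""
    lines = (l.strip() for l in log_text.splitlines() if l.strip())
    return [(l, r) for l in lines if (r := triage_line(l))]

# Constructed sample modelled on the log posted in this thread (not the full log).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\inetr45\services.exe
O1 - Hosts: 69.50.164.77 google.com www.google.com
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {0110E299-5171-2725-4AAF-201B001FE95A} - http://69.50.182.94/1/rdgUS896.exe
O23 - Service: RPC Helper - Unknown owner - C:\WINDOWS\system32\ipwh.exe (file missing)
"""
```

Running `triage(SAMPLE_LOG)` flags five of the seven sample lines; the legitimate svchost.exe and QuickTime entries pass, so the output is a shortlist to review, not a verdict.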