u6f6uftuc_.exe Won't show up!

C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe

While I was at work, NAV did a scan and found some adware. I got around to deleting all of them except for this one. I went to the directory and it wasn't there, so I tried putting the whole thing, "C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe", in to see if it would give me a "cannot be found" page, but it didn't; it gave me that download option thing.

I enabled "show hidden files" and it still didn't show.
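Why a file that NAV (and, later in the thread, mwav) can see is missing from Explorer, as an added example that is not the posters' code: Explorer draws C:\WINDOWS\Downloaded Program Files through a shell namespace extension named by the CLSID in that folder's desktop.ini, and that view enumerates registered ActiveX controls, not raw directory entries. Toggling "show hidden files" changes nothing because the file is not hidden; it is simply not part of the view. The download prompt the original poster got when typing the path is consistent with the file being right there on disk. The script below reads the CLSID from desktop.ini and lists the folder the way `dir /a` at a command prompt does. With no argument it runs against a constructed stand-in folder (a desktop.ini mirroring the XP one, using the ActiveX Cache Folder CLSID, plus a placeholder .exe); on the affected machine, pass the real folder path as the first argument.

```python
"""List what the filesystem really holds in a folder that Explorer renders
through a shell namespace extension. Added example for this thread."""
import configparser
import os
import sys
import tempfile

# Explorer swaps in a custom view for any folder whose desktop.ini names a
# CLSID under [.ShellClassInfo]. For the ActiveX cache (Downloaded Program
# Files) that view lists registered controls, so a stray .exe dropped in the
# directory is invisible in Explorer while still present on disk.
ACTIVEX_CACHE_CLSID = "{88C6C381-2E85-11D0-94DE-444553540000}"

FILE_ATTRIBUTE_HIDDEN = 0x02   # Windows attribute bits spelled out so the
FILE_ATTRIBUTE_SYSTEM = 0x04   # script also runs where os.stat lacks them


def namespace_clsid(folder):
    """Return the CLSID Explorer will use for this folder, or None if plain."""
    ini = os.path.join(folder, "desktop.ini")
    if not os.path.isfile(ini):
        return None
    with open(ini, "rb") as f:
        data = f.read()
    # Windows writes some desktop.ini files as UTF-16 with a byte-order mark.
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("latin-1")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp.get(".ShellClassInfo", "CLSID", fallback=None)


def raw_listing(folder):
    """Directory entries as the filesystem reports them (what `dir /a` prints)."""
    rows = []
    for entry in os.scandir(folder):
        st = entry.stat(follow_symlinks=False)
        attrs = getattr(st, "st_file_attributes", 0)   # only set on Windows
        flags = ("H" if attrs & FILE_ATTRIBUTE_HIDDEN else "-") + \
                ("S" if attrs & FILE_ATTRIBUTE_SYSTEM else "-")
        rows.append((entry.name, st.st_size, flags))
    return sorted(rows)


def inspect_folder(folder):
    """Pair the namespace CLSID (if any) with the on-disk contents."""
    clsid = namespace_clsid(folder)
    files = [r for r in raw_listing(folder) if r[0].lower() != "desktop.ini"]
    return {
        "folder": folder,
        "clsid": clsid,
        "explorer_view_is_virtual": clsid is not None,
        "files_on_disk": files,
    }


def demo():
    """Constructed stand-in for the XP folder so the check runs anywhere:
    a desktop.ini pointing at the ActiveX cache and a placeholder .exe."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "desktop.ini"), "w") as f:
        f.write("[.ShellClassInfo]\nCLSID=%s\n" % ACTIVEX_CACHE_CLSID)
    with open(os.path.join(root, "u6f6uftuc_.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)   # placeholder bytes, not the real file
    return inspect_folder(root)


if __name__ == "__main__":
    result = inspect_folder(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("folder:", result["folder"])
    print("namespace CLSID:", result["clsid"] or "(none, Explorer shows the real listing)")
    for name, size, flags in result["files_on_disk"]:
        print("  %s %8d  %s" % (flags, size, name))
```

Because the file is a normal directory entry, a `del` from a command prompt in Safe Mode, or the delete-on-reboot route suggested further down the thread, works no matter what Explorer shows.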

Comments

  • SpywareShooter 127.0.0.1
    edited April 2005
    Please download HijackThis and post a log.
  • edited April 2005
    Logfile of HijackThis v1.99.1
    Scan saved at 5:47:06 PM, on 4/30/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\AIM+\AIM+.exe
    C:\PROGRA~1\AIM95\aim.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Winamp\Winamp.exe
    C:\Program Files\Ventrilo\Ventrilo.exe
    D:\Program Files\Shareaza\Shareaza.exe
    C:\Documents and Settings\Alvin\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
    O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113493173359
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    There's no malware showing in your log, but that doesn't mean it's not there.

    Download mwav.exe from MicroWorld, then:

    - Double-click the mwav.exe icon to run it (it'll self extract).
    - When it opens, check the following:
    ---- Memory
    ---- Registry
    ---- Startup Folders
    ---- System Folders
    ---- Services
    ---- Drive
    ---- All local drives
    ---- Scan all files

    - Then click on SCAN

    When it completes, post back the results (copy and paste) from the 'Virus log information' pane.
  • edited April 2005
    File C:\PROGRA~1\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
    File System Found infected by "BearShare Spyware/Adware" Virus. Action Taken: No Action Taken.
    File System Found infected by "BearShare Spyware/Adware" Virus. Action Taken: No Action Taken.
    File System Found infected by "BearShare Spyware/Adware" Virus. Action Taken: No Action Taken.
    File System Found infected by "bearshare Spyware/Adware" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\WINDOWS\System32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.c. No Action Taken.
    File C:\DOCUME~1\Alvin\LOCALS~1\TEMPOR~1\Content.IE5\81ANKTU3\0006_regular[1].cab infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\Alvin\LOCALS~1\TEMPOR~1\Content.IE5\81ANKTU3\a775a8[1].js infected by "Trojan-Downloader.JS.WinAD.c" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\Alvin\LOCALS~1\TEMPOR~1\Content.IE5\81ANKTU3\istsvc[1].exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
    File C:\DOCUME~1\Alvin\LOCALS~1\TEMPOR~1\Content.IE5\KDQBKXMN\bridge-c9[1].cab infected by "not-a-virus:AdWare.WinAD.ak" Virus. Action Taken: No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\AIM Versions (ALL)\AIM 2.0.731a.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\AIM Versions (ALL)\AIM 2.1.1187.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\AIM Versions (ALL)\AIM 3.0.1464.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\AIM Versions (ALL)\AIM 4.4.2286.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\hixscriptv22.exe tagged as not-a-virus:RiskWare.mIRC.6.03. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\hl1110.exe tagged as not-a-virus:RiskWare.Proxy.Hltv. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\msnpolygamy-universalpatch(www.mess.be).zip tagged as not-a-virus:Tool.Win32.TPE.a. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\Winamp.Pro.v5.06.Incl.Keygen-NGEN.zip infected by "Trojan-Dropper.Win32.Delf.fd" Virus. Action Taken: No Action Taken.
    File C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\81ANKTU3\0006_regular[1].cab infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
    File C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\81ANKTU3\a775a8[1].js infected by "Trojan-Downloader.JS.WinAD.c" Virus. Action Taken: No Action Taken.
    File C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\81ANKTU3\istsvc[1].exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
    File C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\KDQBKXMN\bridge-c9[1].cab infected by "not-a-virus:AdWare.WinAD.ak" Virus. Action Taken: No Action Taken.
    File C:\Documents and Settings\Alvin\My Documents\My Received Files\twin-pipe.zip tagged as not-a-virus:Tool.Win32.Moo. No Action Taken.
    File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
    File C:\Program Files\MSN Messenger\msn_messenger_polygamy_5.exe tagged as not-a-virus:Tool.Win32.TPE.a. No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\08FB63B2 infected by "Trojan-Downloader.Win32.IstBar.ir" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\14F172DC infected by "Trojan-Downloader.JS.IstBar.k" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\4A166B3D infected by "Trojan-Downloader.Win32.IstBar.ij" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\4E0E6CDF infected by "Trojan-Downloader.Win32.Dyfuca.gen" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\4E1440D8 infected by "not-a-virus:AdWare.SaveNow.z" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\4E186AD4 infected by "not-a-virus:AdWare.WebSearch.af" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\648878CC infected by "not-a-virus:AdWare.Whenu.a" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\66490CDA infected by "not-a-virus:AdWare.WebSearch.af" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\6BA94AC7 infected by "Trojan-Spy.Win32.SpyAnyTime.b" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006890.exe infected by "not-a-virus:AdWare.SaveNow.bc" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006891.exe infected by "not-a-virus:AdWare.SaveNow.bc" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006892.exe infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006905.exe infected by "Trojan-Downloader.Win32.IstBar.ij" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006906.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006907.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006912.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006913.exe infected by "not-a-virus:AdWare.Wintol.aa" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006917.exe infected by "not-a-virus:AdWare.WebSearch.af" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006920.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006921.dll infected by "Trojan-Downloader.Win32.Dyfuca.gen" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006923.exe tagged as not-a-virus:RiskWare.Tool.Exporun. No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006924.exe infected by "not-a-virus:AdWare.WebSearch.f" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006926.exe infected by "Trojan-Downloader.Win32.Wintool.f" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\A0006932.exe infected by "not-a-virus:AdWare.WebSearch.af" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\A0006933.dll infected by "not-a-virus:AdWare.WebSearch.ae" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\A0006934.exe infected by "not-a-virus:AdWare.WebSearch.ad" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\A0006935.dll infected by "not-a-virus:AdWare.WebSearch.af" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\A0006936.exe infected by "not-a-virus:AdWare.Wintol.aa" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\A0006937.dll infected by "not-a-virus:AdWare.Wintol.y" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\snapshot\MFEX-1.DAT infected by "not-a-virus:AdWare.WebSearch.af" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\snapshot\MFEX-13.DAT infected by "not-a-virus:AdWare.WebSearch.ae" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\snapshot\MFEX-18.DAT infected by "not-a-virus:AdWare.WebSearch.ad" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\snapshot\MFEX-19.DAT infected by "not-a-virus:AdWare.WebSearch.af" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\snapshot\MFEX-21.DAT infected by "not-a-virus:AdWare.WebSearch.af" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\snapshot\MFEX-27.DAT infected by "not-a-virus:AdWare.Wintol.aa" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\snapshot\MFEX-28.DAT infected by "not-a-virus:AdWare.Wintol.y" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP112\A0008116.exe infected by "not-a-virus:AdWare.SaveNow.z" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP119\A0009668.exe infected by "Trojan-Spy.Win32.SpyAnyTime.b" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP119\A0009669.exe infected by "not-a-virus:AdWare.SaveNow.z" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP119\A0009788.exe infected by "not-a-virus:AdWare.SaveNow.z" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP119\A0009799.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
    File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP73\A0002303.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
    File C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.c. No Action Taken.
    File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.


    Isn't that a lot to look through? :scratch:
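Reading the log above line by line is the wrong way in; what matters is where each hit lives. Most of these detections sit in System Restore snapshots (inert until a restore is run) or inside Norton's own quarantine folder (already contained), which is why the list looks worse than the machine is. The script below is an added example, not MicroWorld's or either poster's code: it parses mwav's two line formats, buckets each finding by location, separates Kaspersky-style "not-a-virus:" riskware tags from malware detections, and collapses the duplicate 8.3 and long-name paths (C:\DOCUME~1\... and C:\Documents and Settings\...) that mwav lists for the same file. The embedded sample is a constructed subset of the lines posted above.

```python
"""Triage an eScan/mwav 'Virus log information' dump by location and
severity. Added example for this thread, not MicroWorld's code."""
import re

# One log line per finding, in the two shapes mwav uses (as in the log above):
#   File <path> infected by "<name>" Virus. Action Taken: No Action Taken.
#   File <path> tagged as <name>. No Action Taken.
LINE_RE = re.compile(
    r'^File (?P<path>.+?) '
    r'(?:infected by "(?P<inf>[^"]+)" Virus\. Action Taken: No Action Taken\.'
    r'|tagged as (?P<tag>.+?)\. No Action Taken\.)$'
)

BUCKETS = ("live", "ie_cache", "quarantine", "restore", "other")


def locate(path):
    """Where the flagged object sits, which decides what to do about it."""
    p = path.lower()
    if not re.match(r"^[a-z]:\\", p):
        return "other"          # e.g. 'System Found ...' hits with no file path
    if "\\system volume information\\_restore" in p:
        return "restore"        # dormant copies; cured by flushing System Restore
    if "\\quarantine\\" in p:
        return "quarantine"     # already contained by the AV product
    if "\\temporary internet files\\" in p or "\\tempor~1\\" in p:
        return "ie_cache"       # downloader artefacts; empty the cache
    return "live"               # on disk where it can run: act on these first


def triage(log_text):
    """Parse every line, drop duplicates, and sort the rest into buckets."""
    buckets = {k: [] for k in BUCKETS}
    seen, dupes, unparsed = set(), 0, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        path, det = m.group("path"), m.group("inf") or m.group("tag")
        # Short and long forms of the same path share basename and detection.
        key = (path.rsplit("\\", 1)[-1].lower(), det)
        if key in seen:
            dupes += 1
            continue
        seen.add(key)
        severity = "riskware" if det.startswith("not-a-virus:") else "malware"
        buckets[locate(path)].append((path, det, severity))
    return {"buckets": buckets, "duplicates": dupes, "unparsed": unparsed}


def report(result):
    """Human-readable summary, live files first."""
    lines = []
    for name in BUCKETS:
        hits = result["buckets"][name]
        lines.append(f"{name}: {len(hits)}")
        for path, det, sev in hits:
            lines.append(f"  [{sev}] {det}  <-  {path}")
    lines.append(f"duplicate lines skipped: {result['duplicates']}, "
                 f"unparsed: {len(result['unparsed'])}")
    return "\n".join(lines)


# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""
File C:\PROGRA~1\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
File System Found infected by "BearShare Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Alvin\LOCALS~1\TEMPOR~1\Content.IE5\81ANKTU3\istsvc[1].exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Alvin\Local Settings\Temporary Internet Files\Content.IE5\81ANKTU3\istsvc[1].exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6BA94AC7 infected by "Trojan-Spy.Win32.SpyAnyTime.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP109\A0006906.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{239455DC-70C3-472E-B808-60F7996190C3}\RP110\snapshot\MFEX-1.DAT infected by "not-a-virus:AdWare.WebSearch.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\Winamp.Pro.v5.06.Incl.Keygen-NGEN.zip infected by "Trojan-Dropper.Win32.Delf.fd" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

The "live" bucket is the short list to act on; the keygen archive flagged as a Trojan-Dropper is the one genuine malware hit in that bucket, the rest are riskware tags. Anything in "restore" goes away with the System Restore flush described below, and anything in "quarantine" is Norton's problem, not a new infection.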
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    That's not too bad. Now let's clean it up.

    Please download and install Cleanup 4.0
    http://cleanup.stevengould.org/

    Download KillBox and unzip it to your desktop.
    http://www.downloads.subratam.org/KillBox.zip


    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows


    Reboot your computer into Safe Mode


    Delete this file.

    C:\WINDOWS\_MSRSTRT.EXE


    Run the CleanUp program that you downloaded and installed.


    Open Killbox and select the Delete on reboot option.


    Copy and paste the following file to the field labeled "Full path of file to delete"

    C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe

    Press the Delete button (the button that looks like a red circle with a white X in it).

    A first dialog box will ask if you want to delete the file on reboot, press the YES button.

    A second dialog box will ask you if you want to REBOOT now. Press the YES button.


    Reboot your computer.


    Now, since you have malware in your System Restore backups, we need to flush that out and create a new restore point once you are clean.

    Flush your System Restore. This will delete any restore points that you have, but it will also make sure that any malware hiding in System Restore is booted off.

    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn it back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.

    Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.



    Reboot once more and then post a new hijackthis log and let me know how things are running.
  • edited May 2005
    Mmm, no. Seems like I got infected again before doing this.

    And now after doing those steps I can't get the Windows XP style; it's on Classic. I have StyleXP installed and I can use those themes as well, but I want the XP theme. When I did what you said about remaking the system restore, it didn't ask me to put in a name and stuff; it just led me to the same place where I turned it off.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:03:59 AM, on 5/2/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\Documents and Settings\Alvin\Desktop\Odd ****\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
    O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113493173359
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    You have to turn System Restore back on before you can set a new restore point.

    Download this reg file to your desktop.
    http://www.kellys-korner-xp.com/regs_edits/classicdisable.reg

    Double click classicdisable.reg and OK the prompt. Reboot and let me know if it worked.
  • edited May 2005
    No, it didn't work. I got the restore point.

    You know how I have all those themes, I guess in the theme folder. Well, say I right-click Desktop > Properties > Themes and I select one of the many, then I select Windows XP. When I select Windows XP it will be the last theme I selected to look at, NOT apply. I don't know if that may help.
  • edited May 2005
    I FIXED IT! I just took the luna.theme and Luna folder from my other PC and put it on here! :D

    Here is my new log. The spyware built up again from the ones I didn't get rid of.

    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Ventrilo\Ventrilo.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Alvin\Desktop\Odd ****\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
    O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113493173359
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
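    A HijackThis log like the one above is just a list of `<section> - <body>` lines, so it lends itself to a small review aid. The block below is an added example, not HijackThis itself or anything from this thread's participants: it parses the line format and surfaces only the kinds of entries a reviewer would look at twice (orphaned `(file missing)` entries, services with `Unknown owner`, Run entries whose command is a bare filename resolved via the search path, and O16 ActiveX downloads from non-Microsoft hosts). The sample lines are constructed in the format of the posted log, and the note strings and thresholds are my own choices.

```python
"""Review aid for HijackThis-style logs (added example, not HijackThis's own code).

Each log line has the shape '<section> - <body>', e.g.
    O4 - HKLM\\..\\Run: [Name] command line
The checks only surface entries a human should look at; they decide nothing.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample in the format of the log posted above.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe",
    r"O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)",
    r"O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113493173359",
    r"O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe",
]

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

# Note texts are this example's own wording (assumption: what a reviewer wants flagged).
NOTE_MISSING = "points at a file that no longer exists (orphaned entry)"
NOTE_UNKNOWN_OWNER = "service binary has no recorded publisher"
NOTE_BARE_NAME = "startup command is a bare filename resolved via the search path"
NOTE_EXTERNAL_DPF = "ActiveX control downloaded from a non-Microsoft host"


@dataclass
class Entry:
    section: str
    body: str
    notes: list = field(default_factory=list)


def run_target(body):
    """Executable part of an O4 Run body: 'HKLM\\..\\Run: [Name] cmd args'."""
    cmd = body.split("] ", 1)[1] if "] " in body else body
    if cmd.startswith('"'):            # quoted long path: take what is inside the quotes
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]        # unquoted: first token is the program


def dpf_host(body):
    """Hostname of the .cab URL in an O16 body, or None if there is no URL."""
    m = re.search(r"https?://\S+", body)
    return urlparse(m.group(0)).hostname if m else None


def parse_entry(line):
    """Parse one log line into an Entry with review notes, or None if not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m["section"], m["body"])
    if "(file missing)" in entry.body:
        entry.notes.append(NOTE_MISSING)
    if entry.section == "O23" and "Unknown owner" in entry.body:
        entry.notes.append(NOTE_UNKNOWN_OWNER)
    if entry.section == "O4" and "] " in entry.body:        # registry Run entries only
        target = run_target(entry.body)
        if "\\" not in target and not target.startswith("%"):
            entry.notes.append(NOTE_BARE_NAME)
    if entry.section == "O16":
        host = dpf_host(entry.body) or ""
        if not (host == "microsoft.com" or host.endswith(".microsoft.com")):
            entry.notes.append(NOTE_EXTERNAL_DPF)
    return entry


def review(lines):
    """All parsed entries, in log order."""
    return [e for e in (parse_entry(l) for l in lines) if e is not None]


def flagged(lines):
    """Only the entries that earned at least one review note."""
    return [e for e in review(lines) if e.notes]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section}: {e.body}\n    -> {'; '.join(e.notes)}")
```

    Run on the sample, it flags the CTHelper Run entry, the ipfox "Messenger Addon" button and the StyleXP service, and leaves the Symantec, Windows Update and Global Startup lines alone. A flag is a prompt to check the file and its publisher, not a verdict; every one of those three is explainable on this machine.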
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited May 2005
    Your log is clean. What spyware building up again are you referring to?
  • edited May 2005
    When I search a random thing that's like sdgagfds.com it goes to different sites every time. I also get some pop-ups when I search as well; this is on Firefox.
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited May 2005
    Well let's take a closer look. I'm not sure if that's malware, but we'll see.

    Download rkfiles.zip
    http://skads.org/special/rkfiles.zip
    Unzip the contents to a permanent folder.

    Reboot your computer into Safe Mode


    Doubleclick rkfiles.bat
    It will scan for a while, so please be patient.
    Wait till the DOS window closes and reboot back to normal mode.

    Post the contents of C:\log.txt in your next reply.
  • edited May 2005
    C:\rkfiles

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Files Found in system Folder............
    C:\WINDOWS\system32\xvid.ax: UPX!
    C:\WINDOWS\system32\xvid.dll: UPX!
    C:\WINDOWS\system32\divxdec.ax: FSg!
    C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

    Files Found in all users startup Folder............
    Files Found in all users windows Folder............
    C:\WINDOWS\daemon.dll: UPX!
    Finished
    bye


    Hmm, doesn't show anything except for the C:\WINDOWS\system32\dfrg.msc: not sure what that is.
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited May 2005
    Let's try another tool.

    Download mwav.exe from MicroWorld, then:

    - Double-click the mwav.exe icon to run it (it'll self extract).
    - When it opens, check the following:
    ---- Memory
    ---- Registry
    ---- Startup Folders
    ---- System Folders
    ---- Services
    ---- Drive
    ---- All local drives
    ---- Scan all files

    - Then click on SCAN

    When it completes, post back the results (copy and paste) from the 'Virus log information' pane.
  • edited May 2005
    File System Found infected by "IBIS Spyware/Adware" Virus. Action Taken: No Action Taken.
    File System Found infected by "IBIS Spyware/Adware" Virus. Action Taken: No Action Taken.
    File System Found infected by "BearShare Spyware/Adware" Virus. Action Taken: No Action Taken.
    File System Found infected by "BearShare Spyware/Adware" Virus. Action Taken: No Action Taken.
    File System Found infected by "BearShare Spyware/Adware" Virus. Action Taken: No Action Taken.
    File System Found infected by "bearshare Spyware/Adware" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\System32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.c. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\AIM Versions (ALL)\AIM 2.0.731a.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\AIM Versions (ALL)\AIM 2.1.1187.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\AIM Versions (ALL)\AIM 3.0.1464.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\AIM Versions (ALL)\AIM 4.4.2286.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\hixscriptv22.exe tagged as not-a-virus:RiskWare.mIRC.6.03. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\hl1110.exe tagged as not-a-virus:RiskWare.Proxy.Hltv. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\msnpolygamy-universalpatch(www.mess.be).zip tagged as not-a-virus:Tool.Win32.TPE.a. No Action Taken.
    File C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\Winamp.Pro.v5.06.Incl.Keygen-NGEN.zip infected by "Trojan-Dropper.Win32.Delf.fd" Virus. Action Taken: No Action Taken.
    File C:\Documents and Settings\Alvin\My Documents\My Received Files\twin-pipe.zip tagged as not-a-virus:Tool.Win32.Moo. No Action Taken.
    File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
    File C:\Program Files\MSN Messenger\msn_messenger_polygamy_5.exe tagged as not-a-virus:Tool.Win32.TPE.a. No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\08FB63B2 infected by "Trojan-Downloader.Win32.IstBar.ir" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\14F172DC infected by "Trojan-Downloader.JS.IstBar.k" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\4A166B3D infected by "Trojan-Downloader.Win32.IstBar.ij" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\4E0E6CDF infected by "Trojan-Downloader.Win32.Dyfuca.gen" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\4E1440D8 infected by "not-a-virus:AdWare.SaveNow.z" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\4E186AD4 infected by "not-a-virus:AdWare.WebSearch.af" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\648878CC infected by "not-a-virus:AdWare.Whenu.a" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\66490CDA infected by "not-a-virus:AdWare.WebSearch.af" Virus. Action Taken: No Action Taken.
    File C:\Program Files\Norton AntiVirus\Quarantine\6BA94AC7 infected by "Trojan-Spy.Win32.SpyAnyTime.b" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.c. No Action Taken.
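    The mwav output above mixes four kinds of findings that call for different handling: live files detected as malware, riskware tagged `not-a-virus:`, files that already sit in Norton's quarantine folder (contained, not active), and `File System Found infected by` lines that carry a signature name but no path. The following block is an added example, not MicroWorld's code or anything the helper posted; it parses the line format and sorts findings into those buckets so the actionable paths stand out. The sample lines are constructed in the posted format (the desktop folder name is a placeholder), and the bucket names are this example's own.

```python
"""Triage of mwav 'Virus log information' lines (added example, not mwav's own code)."""
import re

# Constructed sample lines in the format of the results posted above.
SAMPLE_RESULTS = [
    'File System Found infected by "IBIS Spyware/Adware" Virus. Action Taken: No Action Taken.',
    r'File C:\WINDOWS\System32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.c. No Action Taken.',
    r'File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.',
    r'File C:\Documents and Settings\Alvin\Desktop\Prog\Winamp.Pro.v5.06.Incl.Keygen-NGEN.zip infected by "Trojan-Dropper.Win32.Delf.fd" Virus. Action Taken: No Action Taken.',
    r'File C:\Program Files\Norton AntiVirus\Quarantine\08FB63B2 infected by "Trojan-Downloader.Win32.IstBar.ir" Virus. Action Taken: No Action Taken.',
    r'File C:\Program Files\Norton AntiVirus\Quarantine\4E1440D8 infected by "not-a-virus:AdWare.SaveNow.z" Virus. Action Taken: No Action Taken.',
]

INFECTED_RE = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\.')
TAGGED_RE = re.compile(r"^File (?P<path>.+?) tagged as (?P<name>\S+?)\. No Action Taken\.$")

# Assumption: any path with a 'Quarantine' folder component belongs to an AV quarantine
# store, whose contents are already neutralised and are cleaned through the AV product.
QUARANTINE_MARKER = "\\quarantine\\"

BUCKETS = ("infected", "riskware", "contained", "system", "unparsed")


def classify(line):
    """Return (bucket, path, detection name) for one result line."""
    line = line.strip()
    if line.startswith("File System Found infected by"):
        m = re.search(r'"([^"]+)"', line)
        return ("system", None, m.group(1) if m else "")   # signature hit, no file path
    m = INFECTED_RE.match(line)
    if m:
        path, name = m["path"], m["name"]
        if QUARANTINE_MARKER in path.lower():
            return ("contained", path, name)               # already in a quarantine store
        if name.startswith("not-a-virus:"):
            return ("riskware", path, name)                # adware/tool, review before acting
        return ("infected", path, name)                    # live file, actual malware
    m = TAGGED_RE.match(line)
    if m:
        return ("riskware", m["path"], m["name"])
    return ("unparsed", None, line)


def triage(lines):
    """Group all result lines by bucket; each value is a list of (path, name)."""
    buckets = {b: [] for b in BUCKETS}
    for line in lines:
        bucket, path, name = classify(line)
        buckets[bucket].append((path, name))
    return buckets


def actionable(lines):
    """Paths that are live on disk and detected as actual malware."""
    return [path for path, _ in triage(lines)["infected"]]


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_RESULTS).items():
        print(f"{bucket} ({len(hits)})")
        for path, name in hits:
            print(f"    {name}  {path or ''}")
```

    On the sample this leaves exactly one actionable path, the keygen archive, which matches what the helper singled out in the next post; the quarantine entries are already contained and the `not-a-virus:` riskware (KillApp, mIRC) needs a judgement call rather than automatic deletion.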
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited May 2005
    Delete these files.

    C:\WINDOWS\System32\KILLAPPS.EXE
    C:\Documents and Settings\Alvin\Desktop\Odd ****\Prog\Winamp.Pro.v5.06.Incl.Keygen-NGEN.zip


    Please follow these instructions to run Ad-Aware.
    • Download, install, update, configure, and run Ad-Aware SE Personal 1.05.
      1. Download Ad-Aware SE Personal 1.05:
      2. Install Ad-Aware SE Personal 1.05:
        • Double-click on aawsepersonal.exe to install the program.
        • Follow the default settings for installation.
        • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
      3. Update Ad-Aware SE Personal 1.05:
        • Double-click the Ad-Aware SE Personal icon on your desktop.
        • Click "Check for updates now" then click "Connect".
        • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
      4. Configure Ad-Aware SE Personal 1.05:
        • Click on the Gear button at the top of the window.
        • Click "General" on the left hand side to display the General Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Automatically save logfile"
            • "Automatically quarantine objects prior to removal"
            • "Safe Mode (always request confirmation)"
            • "Prompt to update outdated definitions" - change to 7 days from the default 14.
        • Click "Scanning" on the left hand side to display the Scan Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Scan within archives"
            • "Select drives & folders to scan" - select your hard drive(s).
            • "Scan active processes"
            • "Scan registry"
            • "Deep-scan registry"
            • "Scan my IE favorites for banned URLs"
            • "Scan my Hosts file"
        • Click "Advanced" on the left hand side to display the Advanced Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Move deleted files to Recycle Bin"
            • "Include additional object information"
            • "Include negligible objects information"
            • "Include environment information"
        • Click "Defaults" on the left hand side to display the Default Settings box.
          • Make sure these items have your preferred settings in them.:
            • "Default homepage"
            • "Default searchpage"
        • Click "Tweak" on the left hand side to display the Tweak Settings box.
          • Click the + (plus) sign next to the Log Files section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Include basic Ad-Aware settings in log file"
            • "Include additional Ad-Aware settings in log file"
            • "Include reference summary in log file"
            • "Include alternate data stream details in log file"
          • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Unload recognized processes & modules during scan"
            • "Scan registry for all users instead of current user only"
            • "Obtain command line of scanned processes"
          • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Always try to unload modules before deletion"
            • "During removal, unload Explorer and IE if necessary"
            • "Let Windows remove files in use at next reboot"
            • "Delete quarantined objects after restoring"
        • Once you are done with these settings, click "Proceed" to save them.
        • This will take you back to the main screen.
      5. Run Ad-Aware SE Personal 1.05:
        • Click the "Start" button.
        • Uncheck the "Search for negligible risk entries" entry.
        • Choose the "Use custom scanning options" scan mode.
        • Click the "Next" button.
        • Ad-Aware will begin to scan for malware residing on your computer.
        • Allow the scan to finish.
        • Right-click on any entry in the list and click "Select All" to select the whole list.
        • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.




    Next, scan with Spybot Search and Destroy:

    1. Download the latest version of Spybot from either:
    * http://www.safer-networking.org/en/download/index.html
    * http://www.spybot.info/en/mirrors/index.html
    2. Install Spybot and by default it should install into C:\Program Files\Spybot - Search & Destroy.
    3. Run Spybot by clicking on "Start" => "Programs" => "Spybot - Search & Destroy" => "Spybot - Search & Destroy".
    4. The first time you run it, allow it to create a backup of your registry when prompted. This will take a few minutes to complete.
    5. Click on "Search for Updates".
    6. If any updates are found, place a check mark next to each and click on "Download Updates".
    7. Click on "Immunize" and once it detects what has or has not been blocked, block all remaining items by clicking on the green plus sign next to immunize at the top.
    8. Click on "Search & Destroy" => "Check for Problems".
    9. If any problems are found, be sure to click on "Fix Selected Problems."



    Download and run Microsoft's Antispyware application.

    http://www.microsoft.com/athome/security/spyware/software/default.mspx

    Remove everything that it finds.




    Let me know what each of these programs finds in its scan.
  • edited May 2005
    Ok
    The Lavasoft didn't find anything. Then I did Spybot, found CoolWWWSearch. Then in Microsoft Anti-Spyware I found WhenU.SaveNow.
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited May 2005
    Are you still having problems? Post the log from the Spybot scan so I can see what registry entries it found.
  • edited May 2005
    I think it worked. It doesn't go to random sites when I just type a random address.

    Thanks a lot for your help Buckeye
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited May 2005
    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

      You can find instructions on how to enable and reenable system restore here:

      Managing Windows Millennium System Restore

      or

      Windows XP System Restore Guide

      Re-enable system restore with instructions from the tutorial above

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    8. Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.