Weird stuff. Please help. Thanks.

Mauro-NahoumMauro-Nahoum
edited April 2006 in Spyware & Virus Removal
Hi again, guys. Need you one more time. Would you please try and help?This is my HJT log as of this morning. All is acting weird incldingu (see?) including simple typing. Thansk for any tipping.


Logfile of HijackThis v1.99.1
Scan saved at 11:32:02, on 6/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARQUIV~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4C1.EXE
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe
C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\Arquivos de programas\Winamp\Winampa.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\ScannerP\Kyescan.exe
C:\Arquivos de programas\Folding@Home\winfah.exe
C:\Arquivos de programas\Folding@Home\FahCore_7a.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Arquivos de programas\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cjub.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEH.DLL
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [EPSON Stylus C63 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4C1.EXE /P23 "EPSON Stylus C63 Series" /O6 "USB001" /M "Stylus C63"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Arquivos de programas\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\Winampa.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Arquivos de programas\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: CottnCal.lnk = C:\Arquivos de programas\Cotton\Calendar\CottnCal.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Arquivos de programas\Iomega\Tools\IMGSTART.EXE
O4 - Startup: Refresh.lnk = C:\Arquivos de programas\Iomega\Tools\refresh.exe
O4 - Startup: Anti-BO v1.5b.lnk = C:\Arquivos de programas\Anti-BO\Anti-bo.exe
O4 - Startup: Folding@home 4.00.lnk = C:\Arquivos de programas\Folding@Home\winfah.exe
O4 - Startup: SpywareBlaster.lnk = C:\Arquivos de programas\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: KYESCAN.lnk = C:\Arquivos de programas\ScannerP\Kyescan.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\ARQUIV~1\Iomega\System32\AppServices.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe

Comments

  • Mauro-NahoumMauro-Nahoum
    edited April 2006
    Further scan via online Trend Micro HouseCall 6.5 - after the resident AVG and SpyBot returned zilch - showed this:

    ADW_SURFKICK.U :eek3:

    It also says it cannot be removed by their program, and that it should be manually removed.

    Has anyone got the steps to do so?

    Thanks for any help.
  • TroganTrogan London, UK
    edited April 2006
    Your log is clean.


    Please download the trial version of Ewido anti-malware here.
    When installing the program, under "Additonal Options" uncheck..
    • Install background guard
    • Install scan via context menu
    Once installed, update the definitions to the newest files. Do NOT run a scan yet.

    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:
    http://www.pchell.com/support/safemode.shtml

    Once in Safe Mode, please run Ewido
    (Do not use the computer while Ewido is scanning)
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    Close Ewido

    Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • Mauro-NahoumMauro-Nahoum
    edited April 2006
    Hi, Trogan my Guardian Angel!
    This time I think I've got rid of it solo. Before I even could come back and see your tips, I deleted some lines in HJT and that worked. No sign of infection remains now, and I used ewido as you told me and that was confirmed.
    Thanks anyway for your presence there looking after us.
    Consider this issue closed, ok?
    :cheers:
  • TroganTrogan London, UK
    edited April 2006
    Your welcome! Glad you got it sorted by yourself. :)

    I'l mark this resolved as you asked. If you need help again, start a new thread. :)

    Here are some instructions on how to stay more secure:

    Secure your Internet Explorer by going here and following the instructions there.

    Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

    Use a firewall to help prevent your PC's control being usurped by undesireables. If you don't have a Firewall, then choose ONE below
    Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often. If you don't have one, choose ONE from below.
    Install and keep updated, Ad-Aware SE, and Spybot Search & Destroy.
    Run them both on a regular basis, following the manufacturer's recommendations.

    Install and keep updated, SpywareBlaster and SpywareGuard

    Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

    Clear your Temp folders.
    Go to Start > Control Panel > Internet Options.
    Under the General tab click the Delete Files... button; check the Delete all offline content box and press OK. Click the Delete Cookies... button and press OK

    Also, go to Start > Find/Search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

    Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

    Clear out temp files from the following location. Change "username" to whatever you have on your computer.

    C:\Documents and Settings\username\Local Settings\Temp\

    In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

    Empty the Recycle Bin.


    It is very important that system files and folders are hidden again, so that they DO NOT get deleted by mistake.

    Windows XP
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading, make sure that the option Do not show hidden files and folders is selected.
    * Make sure there is a TICK next to the Hide protected operating system files (recommended) option.
    * Click Apply to confirm.
    * Click OK.


    For XP users.
    After something like this it is a good idea to Flush the Restore Points and start fresh.
    To flush the XP system Restore Points.

    Go to Start | Run | type msconfig | Press Enter.

    When msconfig opens, click the Launch System Restore Button.
    On the next page, click the System Restore Settings link on the left.

    Check the box labelled 'Turn off System restore'.

    Reboot! Go back in and Turn System Restore Back on. A new Restore Point will be created.

    Note that all previous restore points will be lost.

    ===============

    If you have any more problems, post back.


    Please consider joining the Folding@Home Project :)
    Join our Folding@Home team! Alzheimer's, Parkinson's, cancer... we're trying to cure them with our computers! You've at least read a little about it in the greeting I sent you when you signed up for the site. We're always really pleased to greet new members to the team, and it's a quick way to become an appreciated member of the community.
    MORE INFO: READ THIS
This discussion has been closed.