Spyware Warrior Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 
FAQ :: Search :: Memberlist :: Usergroups :: Register
Profile :: Log in to check your private messages :: Log in

HJT Log: Please help! Cannot figure how to remove

 
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Spyware Warrior Forum Index -> Archived Spyware Removal Help Topics
View previous topic :: View next topic  
Author Message
blitzy
Newbie


Joined: 03 Apr 2005
Last Visit: 05 Apr 2005
Posts: 3
Location: USA

PostPosted: Sun Apr 03, 2005 3:51 pm    Post subject: HJT Log: Please help! Cannot figure how to remove Reply with quote

Attached is my most recent HijackThis log. I've already scanned and re-scanned my computer using SpyBot, Adaware & McAfee AND I've uninstalled the suspicious spyware programs that I found via the Control Panel. I have also did a scan using the Panda Software, and it found 19 viruses on my harddisks. However, when I tried to view the report, my IE browser wouldn't allow me because it was set in 'HIGH' security for the moment. So, I'm not sure what Panda Software found and what it removed. Embarassed When it was scanning, my entire screen was literally filled with pop-ups that just wouldn't stop showing up. Please help! Thanks! Very Happy


Logfile of HijackThis v1.99.1
Scan saved at 6:42:17 PM, on 4/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\WINDOWS\system32\clubbox.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\andtqbjo\kvjfo.exe
C:\WINDOWS\system32\jutcspme\ppppdx.exe
C:\WINDOWS\system32\obkvjvey\nfscfvpx.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AdsGone\adsgone.exe
C:\WINDOWS\system32\fscagent.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg2.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport\NTIEHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -l
O4 - HKLM\..\Run: [kvjfo] C:\WINDOWS\system32\andtqbjo\kvjfo.exe
O4 - HKLM\..\Run: [ppppdx] C:\WINDOWS\system32\jutcspme\ppppdx.exe
O4 - HKLM\..\Run: [nfscfvpx] C:\WINDOWS\system32\obkvjvey\nfscfvpx.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.clubbox.co.kr
O15 - Trusted Zone: http://www.iluvshinhwa.net
O15 - Trusted Zone: http://*.sbs.co.kr
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {207048D8-A40B-4505-AE24-92FF13BEB269} (myDancerCTL Class) - http://www.anycall.com/i_event/dancefestival/help/myDancer1027.cab
O16 - DPF: {2C520C08-1ADA-4CEC-AFFD-D0D1BD268D60} (PDUpdate Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDUpdate.cab
O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/touch.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://www.samsungcard.co.kr/XecureDemo/XecureObject/xw50_install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {A555B624-1393-46BD-ADFF-4455DD650FC5} (MediaShell T-Player Control) - http://mediashell.teruten.com/Download/TPlayer/21011/TPlayer.cab
O16 - DPF: {BCA9A936-F557-408E-8301-D5B2B302EFD6} (SiUpdaterCtrl Class) - http://www.anycall.com/i_event/dancefestival/help/iDanceUpdater1016.cab
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/samsungcard/npx.cab
O16 - DPF: {E76AAE10-AF57-4AEA-B33D-C3EDFA414DAE} (S2MPlayer Control) - http://musicmember.sbs.co.kr/Player/S2MPlayer.cab
O16 - DPF: {E9702169-AFE2-477A-A79D-32151006E547} (IBSiteSigning.SiteSigning) - http://www.sbs.co.kr/new/sp2/SiteSigning.CAB
O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox28 Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDBox25.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\mvacm32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Back to top
View user's profile Send private message Send e-mail
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Jan 2014
Posts: 4953
Location: Phx. AZ.

PostPosted: Mon Apr 04, 2005 11:09 pm    Post subject: Reply with quote

Hello and welcome to Spyware Warrior forums.

Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

Exclamation Please head over to either Trend Micro or Panda ActiveScan and do an online, free, full system scan. Be sure and have the 'Auto Clean' button checked.
Trend Micro
Panda ActiveScan

Arrow Please go to Add/Remove, and if found, uninstall the following:
eMule


Arrow Please go to 'Task Manager' by hitting Ctrl+Alt+Delete and 'End Task' on the following process(es):
C:\WINDOWS\system32\clubbox.exe
C:\WINDOWS\system32\andtqbjo\kvjfo.exe
C:\WINDOWS\system32\jutcspme\ppppdx.exe
C:\WINDOWS\system32\obkvjvey\nfscfvpx.exe
C:\WINDOWS\system32\fscagent.exe


Arrow Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing


O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg2.dll


O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -l

O4 - HKLM\..\Run: [kvjfo] C:\WINDOWS\system32\andtqbjo\kvjfo.exe

O4 - HKLM\..\Run: [ppppdx] C:\WINDOWS\system32\jutcspme\ppppdx.exe

O4 - HKLM\..\Run: [nfscfvpx] C:\WINDOWS\system32\obkvjvey\nfscfvpx.exe

O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE

O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart


O15 - Trusted Zone: http://www.clubbox.co.kr
O15 - Trusted Zone: http://www.iluvshinhwa.net
O15 - Trusted Zone: http://*.sbs.co.kr
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)


O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab

O16 - DPF: {207048D8-A40B-4505-AE24-92FF13BEB269} (myDancerCTL Class) - http://www.anycall.com/i_event/dancefestival/help/myDancer1027.cab

O16 - DPF: {2C520C08-1ADA-4CEC-AFFD-D0D1BD268D60} (PDUpdate Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDUpdate.cab

O16 - DPF: {51C99F40-9E0E-4BF1-A92A-77121CC01AD0} (IMBCClient Control) - http://touch.imbc.com/ocx/touch.cab

O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab

O16 - DPF: {A555B624-1393-46BD-ADFF-4455DD650FC5} (MediaShell T-Player Control) - http://mediashell.teruten.com/Download/TPlayer/21011/TPlayer.cab

O16 - DPF: {BCA9A936-F557-408E-8301-D5B2B302EFD6} (SiUpdaterCtrl Class) - http://www.anycall.com/i_event/dancefestival/help/iDanceUpdater1016.cab

O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0002.exe

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/samsungcard/npx.cab

O16 - DPF: {E76AAE10-AF57-4AEA-B33D-C3EDFA414DAE} (S2MPlayer Control) - http://musicmember.sbs.co.kr/Player/S2MPlayer.cab

O16 - DPF: {E9702169-AFE2-477A-A79D-32151006E547} (IBSiteSigning.SiteSigning) - http://www.sbs.co.kr/new/sp2/SiteSigning.CAB

O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox28 Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDBox25.cab


O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\mvacm32.dll


Reboot, into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Also, enable the 'Show Hidden Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
C:\WINDOWS\system32\mvacm32.dll <<<--file
C:\WINDOWS\IEXPLOR.EXE <<<--file
C:\Program Files\eMule<<<<---folder
C:\WINDOWS\system32\obkvjvey<<<<---folder
C:\WINDOWS\system32\jutcspme<<<<---folder
C:\WINDOWS\system32\andtqbjo<<<<---folder
C:\WINDOWS\system32\clubbox.exe<<<--file
C:\WINDOWS\system32\rtneg2.dll <<<--file
C:\WINDOWS\system32\fscagent.exe <<<--file


To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

Post a new HJT log please.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
blitzy
Newbie


Joined: 03 Apr 2005
Last Visit: 05 Apr 2005
Posts: 3
Location: USA

PostPosted: Tue Apr 05, 2005 12:55 pm    Post subject: New HijackThis log Reply with quote

I've done all of the steps above and removed all except:
C:\WINDOWS\system32\clubbox.exe
O15 - Trusted Zone: http://www.clubbox.co.kr
O15 - Trusted Zone: http://www.iluvshinhwa.net
O15 - Trusted Zone: http://*.sbs.co.kr

These are sites and programs that I know are safe to use. Smile

new log.....

Code:
Logfile of HijackThis v1.99.1
Scan saved at 3:52:01 PM, on 4/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\clubbox.exe
C:\WINDOWS\system32\ptytneoo\tavmfo.exe
C:\WINDOWS\system32\yxjrn\gqbsodd.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\canxkne\fcbfwgsd.exe
C:\WINDOWS\WinTask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AdsGone\adsgone.exe
C:\WINDOWS\system32\fscagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport\NTIEHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ClubBox] "C:\WINDOWS\system32\clubbox.exe" -l
O4 - HKLM\..\Run: [tavmfo] C:\WINDOWS\system32\ptytneoo\tavmfo.exe
O4 - HKLM\..\Run: [gqbsodd] C:\WINDOWS\system32\yxjrn\gqbsodd.exe
O4 - HKLM\..\Run: [fcbfwgsd] C:\WINDOWS\system32\canxkne\fcbfwgsd.exe
O4 - HKLM\..\Run: [C:\WINDOWS\WinTask.exe] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [PopMark] C:\WINDOWS\WinTask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.clubbox.co.kr
O15 - Trusted Zone: http://www.iluvshinhwa.net
O15 - Trusted Zone: http://*.sbs.co.kr
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Back to top
View user's profile Send private message Send e-mail
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Jan 2014
Posts: 4953
Location: Phx. AZ.

PostPosted: Tue Apr 05, 2005 1:25 pm    Post subject: Reply with quote

OK, got a few to get still.

Did either of the av scans remove anything?

Arrow Reboot into 'Safe Mode', go to 'Task Manager', and 'End Task' on the following process(es) if present:
C:\WINDOWS\system32\ptytneoo\tavmfo.exe
C:\WINDOWS\system32\yxjrn\gqbsodd.exe
C:\WINDOWS\system32\canxkne\fcbfwgsd.exe
C:\WINDOWS\WinTask.exe


Arrow Search for, and delete, if found, the following files/folders:
C:\WINDOWS\system32\ptytneoo<<<<---folder
C:\WINDOWS\system32\yxjrn<<<<---folder
C:\WINDOWS\system32\canxkne<<<<---folder
C:\WINDOWS\WinTask.exe<<<--file

Arrow While still in 'Safe Mode', run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

O4 - HKLM\..\Run: [tavmfo] C:\WINDOWS\system32\ptytneoo\tavmfo.exe

O4 - HKLM\..\Run: [gqbsodd] C:\WINDOWS\system32\yxjrn\gqbsodd.exe

O4 - HKLM\..\Run: [fcbfwgsd] C:\WINDOWS\system32\canxkne\fcbfwgsd.exe

O4 - HKLM\..\Run: [C:\WINDOWS\WinTask.exe] C:\WINDOWS\WinTask.exe

O4 - HKLM\..\Run: [PopMark] C:\WINDOWS\WinTask.exe



Arrow Reboot into Normal mode and post a new HJT log please.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
blitzy
Newbie


Joined: 03 Apr 2005
Last Visit: 05 Apr 2005
Posts: 3
Location: USA

PostPosted: Tue Apr 05, 2005 1:48 pm    Post subject: Reply with quote

The Panda ActiveScan only removed 2-3 viruses/trojans that it found. The rest couldn't be removed with the free version. And, no matter what I've done so far, the pop-ups continue to show up. When they do, it's not just one at a time, it's like 20 at once! Confused

Here's the new log:

Code:
Logfile of HijackThis v1.99.1
Scan saved at 4:42:31 PM, on 4/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport\NTIEHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.clubbox.co.kr
O15 - Trusted Zone: http://*.sbs.co.kr
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Hopefully everything's okay now? *crosses fingers*
Back to top
View user's profile Send private message Send e-mail
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Jan 2014
Posts: 4953
Location: Phx. AZ.

PostPosted: Tue Apr 05, 2005 4:28 pm    Post subject: Reply with quote

OK, give any of these other online scans a shot, tho, your log appears clear. BTW, where were the viruses found, file path location? Let me know.

Trend Housecall - http://housecall.trendmicro.com/

RAV AntiVirus Scan Online - http://www.ravantivirus.com/scan/

BitDefender Online Virus Scan - http://www.bitdefender.com/scan/licence.php

McAfee FreeScan - http://us.mcafee.com/root/mfs/default.asp

Symantec Scan - http://security1.norton.com/ssc/home.asp?j=1&langid=us&venid=sym&plfid=23&pkj=OOMWORVWHFHMFNZMBBX
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Spyware Warrior Forum Index -> Archived Spyware Removal Help Topics All times are GMT - 8 Hours
Page 1 of 1

 
Jump to:  
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group