| Thread ID: 72194 | 2006-09-03 08:20:00 | Unremovable virus... | Fishy (10540) | Press F1 |
| Post ID | Timestamp | Content | User |
| 482384 | 2006-09-03 08:20:00 | I have a virus on my computer that AVG is detecting called "Trojan horse Pakes.U" and "Trojan horse dialer.bzb". AVG's usual screen comes up asking whether to heal, ignore, or place it in the vault. So I put it in the vault and delete the file, but 5 minutes later it comes back again. So I look where they are: Temporary Internet Files and the Temp folder. So I deleted everything in those two folders, thinking it would be gone. But no, 5 minutes later it comes up again. So I do a virus scan; the scans say it's gone, but yep, you guessed it, 5 minutes later I get the virus alert again. So I started it in safe mode and deleted everything from the two folders. Still there. :mad: I have googled these two virus names but there is no help on how to get rid of them, just forums saying run antivirus scans and such. What do I do? :confused:
Here is my HijackThis logfile:
Logfile of HijackThis v1.99.1
Scan saved at 7:17:16 p.m., on 3/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Stuff\Programs\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - messenger.zone.msn.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - www.fileplanet.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - download.mcafee.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - spaces.msn.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - zone.msn.com
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - by13fd.bay13.hotmail.msn.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
| Fishy (10540) |
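The log above is the kind of thing a helper reads by eye. As an added example (not part of the thread, and not HijackThis code), here is a small Python triage script that parses the O4 (autostart), O16 (downloaded ActiveX) and O23 (service) lines from a HijackThis v1.99 log and applies a few heuristics of my own: a service whose binary is missing or has no recorded publisher, an autostart that runs from a temp or profile directory, and an unnamed download control. The sample lines are copied from the log posted above; the one extra line marked CONSTRUCTED is made up to exercise the temp-directory rule and does not come from the poster's machine. Note that the rules only look at sections HijackThis lists, so a clean result here says nothing about persistence mechanisms the tool does not enumerate.

```python
"""Triage a HijackThis v1.99 log: parse O4/O16/O23 lines and flag oddities.

Added example. The flagging rules are this script's own heuristics,
not anything HijackThis itself reports.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - www.fileplanet.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - download.mcafee.com
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""
# CONSTRUCTED line (not from the thread) to exercise the temp-directory rule.
CONSTRUCTED_LINE = r"O4 - HKCU\..\Run: [example] C:\DOCUME~1\user\LOCALS~1\Temp\example.exe"

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\]\s*(.*)$")
O23_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+?)(?: \((file missing)\))?$")
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (.*)$")

# Autostarts launched from these locations deserve a second look (heuristic).
SUSPECT_DIRS = ("\\temp\\", "\\temporary internet files\\",
                "\\local settings\\", "\\application data\\", "\\recycler\\")


@dataclass
class Entry:
    section: str
    raw: str
    fields: Dict[str, object] = field(default_factory=dict)
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT line into its section code and structured fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = Entry(section=section, raw=line.strip())
    if section == "O4":
        m4 = O4_RE.match(body)
        if m4:
            entry.fields = dict(zip(("hive", "key", "name", "command"), m4.groups()))
    elif section == "O23":
        m23 = O23_RE.match(body)
        if m23:
            name, owner, path, missing = m23.groups()
            entry.fields = {"name": name, "owner": owner, "path": path, "missing": bool(missing)}
    elif section == "O16":
        m16 = O16_RE.match(body)
        if m16:
            clsid, name, host = m16.groups()
            entry.fields = {"clsid": clsid, "name": name or "", "host": host}
    return entry


def triage(entry: Entry) -> Entry:
    """Attach heuristic flags to a parsed entry."""
    f = entry.fields
    if entry.section == "O23" and f:
        if f.get("missing"):
            entry.flags.append("service points at a missing file (orphaned entry)")
        if f.get("owner") == "Unknown owner":
            entry.flags.append("no publisher recorded for service binary")
    elif entry.section == "O4" and f:
        if any(d in str(f["command"]).lower() for d in SUSPECT_DIRS):
            entry.flags.append("autostart runs from a temp/profile directory")
    elif entry.section == "O16" and f and not f["name"]:
        entry.flags.append("unnamed ActiveX download control; verify the CLSID manually")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse and flag every recognised line of a log, in order."""
    return [triage(e) for e in (parse_line(l) for l in text.splitlines()) if e]


def findings(text: str) -> List[Entry]:
    """Only the entries that picked up at least one flag."""
    return [e for e in triage_log(text) if e.flags]


if __name__ == "__main__":
    for e in findings(SAMPLE_LOG + CONSTRUCTED_LINE + "\n"):
        print(e.raw)
        for flag in e.flags:
            print("   ->", flag)
```

Run against the thread's log, the only hits are the orphaned Symantec LiveUpdate service (missing file, unknown owner) and the unnamed McAfee download control, which matches Speedy's reading that the log looks fine; nothing in the Run keys points at the Temp folder where the detected files keep reappearing.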
| 482385 | 2006-09-03 08:54:00 | Use Trojan Remover (update it first), go to the Utils menu and select the 3rd to 7th options, and then go to the File menu / Scan for active malware / Scan running processes. And scan Downloaded Program Files. The log looks fine to me. Or see if the info here (www.techspot.com) helps. And turn System Restore off. |
| Speedy Gonzales (78) |
| 482386 | 2006-09-03 21:03:00 |
> Use Trojan Remover (update it first), go to the Utils menu and select the 3rd to 7th options, and then go to the File menu / Scan for active malware / Scan running processes. And scan Downloaded Program Files. The log looks fine to me. Or see if the info here (www.techspot.com) helps. And turn System Restore off.
Done all of the above already. It's still there. AVG is still popping up that it's there (www.imagef1.net.nz).
| Fishy (10540) |
| 482387 | 2006-09-03 21:55:00 | I am not an expert on Windows things, but it looks as if it should be removed from the temp internet folder first before you do as Speedy suggested. All this should take place in safe mode too, I would think, after System Restore is disabled. |
| kjaada (253) |
| 482388 | 2006-09-03 22:21:00 |
> I am not an expert on Windows things, but it looks as if it should be removed from the temp internet folder first before you do as Speedy suggested. All this should take place in safe mode too, I would think, after System Restore is disabled.
I have done that. I disabled System Restore ages ago because I know trojans use it. So when I went into safe mode to delete them, they got deleted. Then more come back. So I think it is another virus making them, maybe? Stupid viruses :badpc:
| Fishy (10540) |
| 482389 | 2006-09-03 22:36:00 | Silly question, but are you right up to date with Windows SPs and updates? | kjaada (253) |
| 482390 | 2006-09-03 22:59:00 | Yep, all up to date. | Fishy (10540) |
| 482391 | 2006-09-04 00:44:00 | download.bleepingcomputer.com
Run Killbox.exe
Select: Delete on Reboot
C:\WINDOWS\SYSTEM32\winulg32.dll
That should stop it recreating. |
| pctek (84) |
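For anyone wondering what "Delete on Reboot" actually does, here is an added example (my own code, not Killbox's) in Python. Tools of that kind call the Windows API MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT); nothing is deleted immediately. The request is queued in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager as a (source, destination) pair, with an empty destination meaning delete, and the Session Manager carries it out early in the next boot before the file can be locked or relaunched. The encode/decode helpers below reproduce that value format so you can recognise what is queued; only schedule_delete_on_reboot() touches the OS, and it assumes Windows with administrator rights. The path used in the usage is the one pctek named above.

```python
"""Delete-on-reboot, as Killbox-style tools do it (added example, not Killbox's code).

Queued operations live in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager,
value PendingFileRenameOperations (REG_MULTI_SZ): pairs of NT-style paths,
source then destination. An empty destination means "delete"; a destination
beginning with "!" means "replace the existing file".
"""
import ctypes
import sys
from typing import List, Tuple

MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004   # kernel32 flag value
NT_PREFIX = "\\??\\"


def to_nt_path(path: str) -> str:
    """Queued entries use NT object-manager form: C:\\x -> \\??\\C:\\x."""
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def delete_request(path: str) -> List[str]:
    """The two strings that MoveFileEx(path, NULL, DELAY_UNTIL_REBOOT) appends."""
    return [to_nt_path(path), ""]


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ wire format: each string NUL-terminated, then one extra NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(data: bytes) -> List[str]:
    """Inverse of encode_multi_sz; keeps empty strings, since they mark deletions."""
    text = data.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]             # drop the list terminator, not a string's own NUL
    out: List[str] = []
    while text:
        i = text.find("\0")
        if i < 0:                    # tolerate an unterminated final string
            out.append(text)
            break
        out.append(text[:i])
        text = text[i + 1:]
    return out


def pending_ops(strings: List[str]) -> List[Tuple[str, str]]:
    """Pair the flat list up as (source, destination)."""
    if len(strings) % 2:
        strings = strings + [""]     # treat a dangling source as a delete
    return [(strings[i], strings[i + 1]) for i in range(0, len(strings), 2)]


def schedule_delete_on_reboot(path: str) -> bool:
    """Queue `path` for deletion at next boot. Windows only; needs admin rights."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ok = kernel32.MoveFileExW(ctypes.c_wchar_p(path), None, MOVEFILE_DELAY_UNTIL_REBOOT)
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())
    return True


if __name__ == "__main__":
    # Show what the registry value would contain after queueing pctek's path.
    raw = encode_multi_sz(delete_request(r"C:\WINDOWS\SYSTEM32\winulg32.dll"))
    for src, dst in pending_ops(decode_multi_sz(raw)):
        print(src, "->", dst or "<delete>")
```

The practical check this gives you: if a file still comes back after a delete-on-reboot, the queued delete did run (it happens before any Run key or service starts), so whatever recreates the file is a separate dropper that is still installed, which is consistent with the poster's later report that the named dll was not even present.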
| 482392 | 2006-09-04 00:48:00 | Another silly question: did you go to "here" as in Speedy's reply? Seems to me there are a lot of steps to follow and some are critical. If you have gone through all that process then I will retire and you will need to wait for a Windows person to reply. |
| kjaada (253) |
| 482393 | 2006-09-04 00:56:00 |
> download.bleepingcomputer.com
> Run Killbox.exe
> Select: Delete on Reboot
> C:\WINDOWS\SYSTEM32\winulg32.dll
> That should stop it recreating.
I don't have that .dll. And now I'm getting all these popups from "WinAntivirusPro" saying it will fix my PC. :rolleyes: Yeah, right. I'm not that dumb. The popups are coming in through IE. Ahhhhh, how do I get rid of it? :waughh:
| Fishy (10540) |