Thread ID: 64186 2005-12-06 18:11:00 AIM Greeting Card Virus scott1319k (9390) Press F1
Post ID Timestamp Content User
411132 2005-12-06 18:11:00 I received an IM from a friend about a greeting card. I clicked it yesterday. I sent out the message today. What can I do to remove this? Has anyone heard of this? scott1319k (9390)
411133 2005-12-06 19:01:00 Get this (www.merijn.org)

Unzip it into its own folder, run it and scan and copy and paste the log here.
Speedy Gonzales (78)
411134 2005-12-06 22:19:00 I think I got a couple of viruses or something. I keep getting WinFixer; I don't know if the AIM thing is out. Norton detected 3 viruses and a trojan. Norton directed me to a program that removes trojans, I removed it, and it's back. So basically I think I got a couple of things wrong. Ad-Aware also detects spyware right after I delete it.


Logfile of HijackThis v1.99.1
Scan saved at 5:16:13 PM, on 12/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Documents and Settings\scott1\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.dell4me.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fantasysports.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.dell4me.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.dell4me.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\ssqrq.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [USB Driver 2.0] system32.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\RunServices: [USB Driver 2.0] system32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\ulptcukl.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - upload.facebook.com
O20 - Winlogon Notify: geebx - geebx.dll (file missing)
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\System32\ssqrq.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
scott1319k (9390)
411135 2005-12-07 00:04:00 Run HijackThis again. Boot into safe mode, tick these entries, and click Fix checked. Turn System Restore off as well. Then reboot, and post another log here.

C:\WINDOWS\lsass.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll (file missing)

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\ssqrq.dll

This entry looks like it's part of WinFixer.

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [USB Driver 2.0] system32.exe

O4 - HKLM\..\RunServices: [USB Driver 2.0] system32.exe

O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\ulptcukl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - upload.facebook.com

O20 - Winlogon Notify: geebx - geebx.dll (file missing)

O20 - Winlogon Notify: ssqrq - C:\WINDOWS\System32\ssqrq.dll

Download this (securityresponse.symantec.com) and run it. It may remove Winfixer.

And try this (dl.filekicker.com) as well. Download it, click on Update to update it, then click on Scan. Then select options 3 to 7 under the Utilities menu.
Speedy Gonzales (78)
411136 2005-12-07 00:31:00 Hi
It may be best if you print out these instructions as you need to work in safe mode.

Please download VundoFix.exe (www.atribune.org/downloads/VundoFix.exe) to your desktop.

Double-click VundoFix.exe to extract the files.

This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode by continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
You will first be presented with a warning and a list of forums to seek help at.
It should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
www.atribune.org/forums
www.247fixes.com/forums
www.geekstogo.com/forum
http://forums.net-integration.net

Now press enter one time.
You will now see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

Then please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\System32\ssqrq.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

At this point please type the following file path (make sure to enter it exactly as below!). This will be the Vundo filename spelt backwards.

C:\WINDOWS\System32\qrqss.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
The fix will run, then HijackThis will open.
In HijackThis, please place a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.dell4me.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.dell4me.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.dell4me.com
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\ssqrq.dll
O20 - Winlogon Notify: geebx - geebx.dll (file missing)
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\System32\ssqrq.dll
Pancake (6359)
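The two replies above (411135 and 411136) pick out the same kinds of entries from the posted log: autorun values with no directory (system32.exe), a core system binary name running outside System32 (C:\WINDOWS\lsass.exe), BHO/Winlogon Notify DLLs with a random five-letter name and Vundo's reversed-name twin (ssqrq.dll / qrqss.dll), and entries whose file is already gone. The following is an added example, not code from the thread or from the HijackThis/VundoFix tools, that parses HijackThis-format lines and applies those heuristics; the sample log is a constructed subset of the one posted above.

```python
import re

# Constructed sample in the shape of the HijackThis v1.99.1 log posted above
# (a subset of its lines, not the full log).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\lsass.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\ssqrq.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [USB Driver 2.0] system32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\System32\ssqrq.dll
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")          # "O2 - BHO: ..." style lines
PROC_RE = re.compile(r"^[A-Za-z]:\\")                   # "Running processes" lines
VUNDO_DLL_RE = re.compile(r"\\([a-z]{5})\.dll$")        # five random lowercase letters
CORE_BINARIES = {"lsass.exe", "smss.exe", "winlogon.exe", "services.exe", "csrss.exe"}

def parse_hjt(text):
    """Return (section, body) pairs; 'PROC' marks a running-process line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif PROC_RE.match(line):
            entries.append(("PROC", line))
    return entries

def flag_entries(entries):
    """Apply the heuristics the replies used; return (section, reason) per hit."""
    hits = []
    for section, body in entries:
        if "(file missing)" in body or "(no file)" in body:
            hits.append((section, "dead entry, file no longer present"))
        elif section == "O4":
            # Text after "[Name] " is the command; a bare filename has no directory.
            target = body.split("] ", 1)[-1].strip('"')
            if "\\" not in target:
                hits.append((section, f"autorun with no directory: {target}"))
        elif section in ("O2", "O20"):
            m = VUNDO_DLL_RE.search(body)
            if m:
                name = m.group(1)
                hits.append((section, f"random-name DLL {name}.dll; twin {name[::-1]}.dll"))
        elif section in ("PROC", "O23"):
            path = body.rsplit(" - ", 1)[-1] if section == "O23" else body
            folder, _, exe = path.rpartition("\\")
            if exe.lower() in CORE_BINARIES and not folder.lower().endswith("system32"):
                hits.append((section, f"{exe} outside System32: {path}"))
    return hits

if __name__ == "__main__":
    for section, reason in flag_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{section:5} {reason}")
```

The twin name it reports is the reversed filename that VundoFix asks for in the second prompt, so it is worth checking for even when the log does not list it.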
411137 2005-12-07 01:20:00 I added these....

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.dell4me.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.dell4me.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.dell4me.com

as some people consider this a privacy violation and spyware. You don't have to remove them as it's a user's choice. :)
Pancake (6359)
411138 2005-12-07 04:35:00 You may have something like this (www.trendmicro.com) or this (news.com.com) Speedy Gonzales (78)