  #1 Pufferfish (Member, joined Aug 2005)

    Adware detected after scan but could not delete.

    dear all,

    Every time I turn on my computer, it shows the Windows XP background picture, and then there's an error message saying that there's an error in iexplorer.

    I've done the Panda scan and it found 4 adware items, namely Gator, Dudu, SBSoft and Commad. I've tried many times to remove them but all efforts failed. The Gator was detected in the directory \WINDOWS\Downloaded Program Files, yet even when I browsed the directory in the command prompt, it didn't exist! (I've selected in Windows Explorer to reveal all hidden files; also I've already turned off the Windows file restore function.) There are lots of .exe programs in the HijackThis log that I don't know whether I should delete or not.

    Here's the log from HijackThis; could anyone please help?
    Logfile of HijackThis v1.99.1
    Scan saved at 0:43:10, on 4/8/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iISystem Wiper\SystemWiper.exe
    C:\WINDOWS\System32\conime.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
    O3 - Toolbar: 6ó_(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [hfmgg.exe] C:\WINDOWS\System32\hfmgg.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
    O8 - Extra context menu item: mxie ”H - C:\Program Files\mxie\Config/protocol.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java ;§ð - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/BetSlip/object/HKJCSecKey.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1A040638-3FDB-43A7-8C78-6F9E419F1386}: NameServer = 85.255.116.89,85.255.112.204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{961BED15-54FD-4B1B-987F-9478DF69F0F1}: NameServer = 85.255.116.89,85.255.112.204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D32A65-9896-44BD-8A05-E8ACEAE8E79B}: NameServer = 85.255.116.89,85.255.112.204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF91259E-C89C-403D-AB6D-E7F0170C4549}: NameServer = 85.255.116.89 85.255.112.204
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.89 85.255.112.204
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1A040638-3FDB-43A7-8C78-6F9E419F1386}: NameServer = 85.255.116.89,85.255.112.204
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.89 85.255.112.204
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1A040638-3FDB-43A7-8C78-6F9E419F1386}: NameServer = 85.255.116.89,85.255.112.204
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.89 85.255.112.204
    O20 - Winlogon Notify: ideusr50 - ideusr50.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

  #2 Clark76 (Spyware Fighter, Cleveland, Ohio, joined Feb 2006)


    Pufferfish


    You need to update your Windows. Download Service Pack 1a from here: http://www.download.com/Windows-XP-S...ml?tag=lst-0-1
    Without installing SP1a your computer will be a magnet for malware. A word of caution though: do not download and install Service Pack 2 until after you have a clean bill of health from the experts here at Helptogo. SP2 does not install well on an infected system. After SP1a is installed, post a new HijackThis log.

    benc

  #3 Pufferfish (Member, joined Aug 2005)


    Thanks. But I use the Chinese Windows XP, and the link you provided only lets me download the version for English Windows. I tried to search but could not find the Chinese version to download! Any recommendations? Sorry for the trouble.

  #4 (Member, joined Dec 2002)


    I really haven't had a very hard look at this log, since with no SP1a installed it is a waste of time in the long run.

    I do see that you are in Hong Kong, by your IP address.

    First these have to go:

    Disconnect from the internet, close all browsers windows including this one.

    Check the following entries to have HJT fix:

    ALL the O17 entries

    Press the Fix checked button. Close the HJT program.

    Reboot the PC.

    I have an acquaintance in Hong Kong, in a different PC help forum. I will write him and see what he has to say on SP1a. It may just be a language pack thing, and since you speak English, it may be the same. It may be a few days, as I think he has been sick.

    What version of XP are you using ?

    BG

  #5 Clark76 (Spyware Fighter, Cleveland, Ohio, joined Feb 2006)


    Not sure how different Chinese Windows XP is from English, but here is a different option to try.
    Click Start > Settings > Control Panel > Automatic Updates > Windows Update Web site > Custom.
    Under "Select by type" click on High Priority. Is Service Pack 1 in the list anywhere? If so, check the box next to it and then click "Review and install updates". If you have a dial-up internet connection this will take a long time to install, and you will have to restart your computer. Let us know if this works.

    benc