Please help! spyware hell here!


8 replies to this topic

#1 deepquote

deepquote

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 27 June 2004 - 07:43 AM

Hi all,

I recently stumbled on your website amid all the pop-ups that usually plague my desktop, and I have tried everything from adware 6 to McAfee spy center. As recommended, I have used online virus scans and the adware removers I mentioned. I just got HijackThis and ran it for a log, which is posted below.

Here are my problems: 1. I've still got MAJOR popups, and 2. after following the suggestions I found for removing spyware, my computer has slowed to a crawl, and my Internet Explorer has gone haywire. It won't run, and it freezes; in addition, it won't let me reinstall it either. PLEASE HELP!

Here are the steps I have taken so far.

McAfee Security Center.
Virus Scan Result: Clean
Spywarekiller Result: IST BAR, Wild Tangent and People on Page (removed)
Ran HouseCall, got halfway through, got rebooted. Now I can no longer run HouseCall due to IE not working. My browser is Opera.


Logfile of HijackThis v1.97.7
Scan saved at 8:39:50 AM, on 6/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WIN98\System32\smss.exe
C:\WIN98\system32\winlogon.exe
C:\WIN98\system32\services.exe
C:\WIN98\system32\lsass.exe
C:\WIN98\system32\svchost.exe
C:\WIN98\System32\svchost.exe
C:\WIN98\system32\spoolsv.exe
C:\WIN98\System32\drivers\CDAC11BA.EXE
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\WIN98\System32\nvsvc32.exe
C:\WIN98\System32\CTHELPER.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WIN98\System32\RUNDLL32.EXE
C:\documents and settings\phoenix\local settings\temp\hvogKk5.exe
C:\WIN98\System32\cqivgp.exe
C:\WIN98\System32\IEHost.exe
C:\documents and settings\phoenix\local settings\temp\hvogKk5.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\WIN98\System32\fcrec32.exe
C:\WIN98\System32\exprans.exe
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Opera75\opera.exe
C:\WIN98\explorer.exe
\?\C:\WIN98\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\Phoenix\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WIN98\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotf...count_id=146156
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep...art.cgi?np-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...search/?np-hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WIN98\SYSTEM\blank.htm
R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WIN98\twaintec.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN98\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WIN98\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WIN98\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WIN98\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WIN98\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hvogKk5.exe] C:\documents and settings\phoenix\local settings\temp\hvogKk5.exe
O4 - HKLM\..\Run: [nvvjbrcyckmvy] C:\WIN98\System32\cqivgp.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [alchem] C:\WIN98\alchem.exe
O4 - HKLM\..\Run: [Bakra] C:\WIN98\System32\IEHost.exe
O4 - HKLM\..\Run: [hvogKk5] C:\documents and settings\phoenix\local settings\temp\hvogKk5.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [o53V36g] fcrec32.exe
O4 - HKLM\..\Run: [kl] C:\WIN98\SYSTEM32\kl.exe
O4 - HKCU\..\Run: [Z2s9RWM7l] exprans.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: Win32 Classes -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com...ia/OTXMedia.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?316

#2 deepquote

Posted 27 June 2004 - 07:45 AM

I'm running PANDA virus check now. Will post how that turns out.

#3 deepquote

Posted 27 June 2004 - 07:47 AM

Problem with DL please restart. Same error on restart. Aw well, it was worth a try.

#4 deepquote

Posted 27 June 2004 - 07:49 AM

Problem with DL please restart. Same error on restart. Aw well, it was worth a try.

#5 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 27 June 2004 - 09:29 AM

Hi,
Uninstall via Add Remove:
IEHost (if exists)

[SysAI]
Uninstall SysAI > from here

What's up with this? C:\WIN98\explorer.exe
Are you dual-booting XP and 98? (Y/N)
If so are they installed on the same drive? (Y/N)

First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows except for HijackThis, then place a check in each of the following:
Then click "Fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WIN98\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotf...count_id=146156
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep...art.cgi?np-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...search/?np-hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WIN98\SYSTEM\blank.htm
R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WIN98\twaintec.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [hvogKk5.exe] C:\documents and settings\phoenix\local settings\temp\hvogKk5.exe
O4 - HKLM\..\Run: [nvvjbrcyckmvy] C:\WIN98\System32\cqivgp.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [alchem] C:\WIN98\alchem.exe
O4 - HKLM\..\Run: [Bakra] C:\WIN98\System32\IEHost.exe
O4 - HKLM\..\Run: [hvogKk5] C:\documents and settings\phoenix\local settings\temp\hvogKk5.exe
O4 - HKLM\..\Run: [o53V36g] fcrec32.exe
O4 - HKLM\..\Run: [kl] C:\WIN98\SYSTEM32\kl.exe
O4 - HKCU\..\Run: [Z2s9RWM7l] exprans.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com...ia/OTXMedia.dll


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WIN98\System32\cqivgp.exe <--this file
C:\WIN98\System32\IEHost.exe <--this file
C:\WIN98\System32\fcrec32.exe <--this file
C:\WIN98\System32\exprans.exe <--this file
C:\WIN98\System32\SearchBar.htm <--this file
C:\WIN98\alchem.exe <--this file
C:\WIN98\System32\IEHost.exe <--this file
C:\WIN98\SYSTEM32\kl.exe <--this file
C:\WIN98\twaintec.dll <--this file
C:\WIN98\twaintec.ini <--this file
C:\PROGRAM FILES\Lycos <--this folder
C:\Program Files\SysAI <--this folder
C:\installer <--this folder

Restart normally and then ...

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button. Under "Log-file detail", select all options.

Click the "Tweaks" button. Under "Scanning Engine", select the following:
1) "Include additional Ad-aware settings in logfile"
2) "Unload recognized processes during scanning."

Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on Proceed to save these Preferences.
Note: make sure that you activate IN-DEPTH scanning before you proceed.

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#6 deepquote

Posted 29 June 2004 - 07:30 AM

Ok, I did all that. Now what?

Logfile of HijackThis v1.97.7
Scan saved at 8:39:25 AM, on 6/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WIN98\System32\smss.exe
C:\WIN98\system32\winlogon.exe
C:\WIN98\system32\services.exe
C:\WIN98\system32\lsass.exe
C:\WIN98\system32\svchost.exe
C:\WIN98\System32\svchost.exe
C:\WIN98\system32\spoolsv.exe
C:\WIN98\System32\drivers\CDAC11BA.EXE
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\WIN98\System32\nvsvc32.exe
C:\WIN98\Explorer.EXE
C:\WIN98\System32\CTHELPER.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WIN98\System32\RUNDLL32.EXE
C:\documents and settings\phoenix\local settings\temp\hvogKk5.exe
C:\WIN98\System32\cqivgp.exe
C:\documents and settings\phoenix\local settings\temp\hvogKk5.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Opera75\opera.exe
C:\Documents and Settings\Phoenix\My Documents\spyware removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WIN98\System32\SearchBar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WIN98\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WIN98\mxTarget.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN98\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WIN98\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WIN98\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WIN98\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WIN98\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hvogKk5.exe] C:\documents and settings\phoenix\local settings\temp\hvogKk5.exe
O4 - HKLM\..\Run: [nvvjbrcyckmvy] C:\WIN98\System32\cqivgp.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [hvogKk5] C:\documents and settings\phoenix\local settings\temp\hvogKk5.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [o53V36g] fcrec32.exe
O4 - HKLM\..\Run: [kl] C:\WIN98\SYSTEM32\kl.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com...ia/OTXMedia.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?316

#7 WinHelp2002

Posted 29 June 2004 - 09:10 AM

Hi,

Ok, I did all that. Now what?

Looks like you missed a few ...
Note: plus you never answered the above questions?

First thing to do is ...

Go to: Kaspersky Test one file
Click Browse, navigate to C:\WIN98\System32\cqivgp.exe
Highlight (single-click) and click Submit
Wait for the results, if "detected\infected" copy and paste the info and save it.

Do this for each of the below:
C:\WIN98\System32\cqivgp.exe <--this file
C:\WIN98\SYSTEM32\kl.exe <--this file
fcrec32.exe <--this file
Note: locate "fcrec32.exe" via Start > Search, and select: Advanced Options

Next:

Close all open windows except for HijackThis, then place a check in each of the following:
Then click "Fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WIN98\System32\SearchBar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WIN98\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WIN98\mxTarget.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [hvogKk5.exe] C:\documents and settings\phoenix\local settings\temp\hvogKk5.exe
O4 - HKLM\..\Run: [nvvjbrcyckmvy] C:\WIN98\System32\cqivgp.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [hvogKk5] C:\documents and settings\phoenix\local settings\temp\hvogKk5.exe
O4 - HKLM\..\Run: [o53V36g] fcrec32.exe
O4 - HKLM\..\Run: [kl] C:\WIN98\SYSTEM32\kl.exe
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com...ia/OTXMedia.dll


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WIN98\System32\cqivgp.exe <--this file
C:\WIN98\SYSTEM32\kl.exe <--this file
C:\WIN98\System32\SearchBar.htm <--this file
C:\WIN98\mxTarget.dll <--this file
c:\installer <--this folder
fcrec32.exe <--this file
Note: locate "fcrec32.exe" via Start > Search, and select: Advanced Options

Restart normally and then ...

Important! You are using an outdated version of HijackThis.
Download > HijackThis 1.98
Unzip, if prompted to "replace existing" select: Yes, then rescan and post a fresh log.

Download Lavasoft's VX2 Cleaner plug-in here:
http://www.lavasofts...showtopic=33729

Important!
Your system is severely out of date!
Visit Windows Update and install all the "Critical Updates"
http://v4.windowsupd.../en/default.asp

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#8 deepquote

Posted 18 July 2004 - 08:59 PM

Updated programs as instructed. Error on Windows SP1, still working on that upgrade. Also could not get the virus site to scan files. Did everything else.

I am running a system that was originally win 98 and upgraded to windows XP. It is a dual boot machine, one with win xp and mandrake linux.


Here's the new logfile


Logfile of HijackThis v1.98.0
Scan saved at 10:07:11 PM, on 7/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WIN98\System32\smss.exe
C:\WIN98\system32\winlogon.exe
C:\WIN98\system32\services.exe
C:\WIN98\system32\lsass.exe
C:\WIN98\system32\svchost.exe
C:\WIN98\System32\svchost.exe
C:\WIN98\system32\spoolsv.exe
C:\WIN98\System32\drivers\CDAC11BA.EXE
C:\WIN98\System32\nvsvc32.exe
C:\WIN98\Explorer.EXE
C:\WIN98\System32\CTHELPER.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WIN98\System32\RUNDLL32.EXE
C:\WIN98\System32\cqivgp.exe
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\ABC\abc.exe
C:\Program Files\Opera75\opera.exe
C:\Documents and Settings\Phoenix\My Documents\spyware removal\HijackThis.exe

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN98\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WIN98\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WIN98\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WIN98\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WIN98\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nvvjbrcyckmvy] C:\WIN98\System32\cqivgp.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://support.vugam.../sysinfo/Si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?316

#9 WinHelp2002

Posted 19 July 2004 - 02:20 AM

Hi,

Error on Windows SP1 still working on that upgrade

What error?


Looks like you have one that keeps returning ...

Go to Kaspersky Test one file
Click Browse, navigate to C:\WIN98\System32\cqivgp.exe
Highlight (single-click) and click Submit
Wait for the results, if "detected\infected" copy and paste the info in your next post.

Repeat the same here:

Go to Jotti's Malware Scanner
Click Browse, navigate to C:\WIN98\System32\cqivgp.exe
Highlight (single-click) and click Submit
Wait for the results, if "detected\infected" copy and paste the info in your next post.

Next:

Close all open windows, rescan with HijackThis
Place a check in each of the following then click "Fix checked".

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [nvvjbrcyckmvy] C:\WIN98\System32\cqivgp.exe


Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WIN98\System32\cqivgp.exe <--this file

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
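
Added example (not written by anyone in this thread and not part of HijackThis): a small Python script that compares a "Fix checked" list with the next posted log and reports which entries came back, using abridged lines from posts #7 and #8. The function names and the CLSID-based matching are assumptions of this sketch.

```python
import re

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # section code, then detail
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|htm)\b', re.I)

# Abridged excerpts of lines posted in this thread (post #7 fix list, post #8 log).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WIN98\System32\SearchBar.htm
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WIN98\mxTarget.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [nvvjbrcyckmvy] C:\WIN98\System32\cqivgp.exe
O4 - HKLM\..\Run: [kl] C:\WIN98\SYSTEM32\kl.exe
"""
NEXT_LOG = r"""
Logfile of HijackThis v1.98.0

Running processes:
C:\WIN98\System32\smss.exe
C:\WIN98\System32\cqivgp.exe
C:\Program Files\Opera75\opera.exe

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nvvjbrcyckmvy] C:\WIN98\System32\cqivgp.exe
"""

def parse_entries(text):
    """Map a stable key for each section entry (R0, O2, O4, ...) to its detail."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, detail = m.group(1), m.group(2).strip()
        clsid = CLSID_RE.search(detail)
        # Key on the CLSID when present, so an entry whose file was deleted
        # ("(no file)") still matches the same registry object.
        key = (section, clsid.group(0).upper() if clsid else detail.lower())
        entries[key] = detail
    return entries

def parse_processes(text):
    """Return lower-cased paths listed under 'Running processes:'."""
    procs, in_block = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_block = True
        elif in_block:
            if not line:          # the block ends at the first blank line
                break
            procs.add(line.lower())
    return procs

def survivors(fix_list, next_log):
    """Entries that were marked for fixing but appear again in the next log.

    Returns (section, detail_in_next_log, file_still_running) tuples.
    """
    fixed, after = parse_entries(fix_list), parse_entries(next_log)
    running = parse_processes(next_log)
    report = []
    for key in sorted(fixed.keys() & after.keys()):
        detail = after[key]
        paths = [p.lower() for p in PATH_RE.findall(detail)]
        report.append((key[0], detail, any(p in running for p in paths)))
    return report

if __name__ == "__main__":
    for section, detail, running in survivors(FIX_LIST, NEXT_LOG):
        print(f"{section}  running={running}  {detail}")
```

On these excerpts the three survivors are the same three lines listed for "Fix checked" in post #9, and only the `cqivgp.exe` Run entry also has its file in the running process list.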



