Malware Removal: Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app, please include any supporting documentation or logs.
#1
Hello All,
I have been away for a long time... Sorry, my health is much better and I missed the forums. I have questions. One is about a program called BHODEMON, which is a utility recommended as good malware removal on this site.
Question: Why does Avast antivirus pick this install as a trojan virus? File name "C:\Program Files\BHODemon2\BHODemon20List.ini". It also has an avast scanner message: C:\Program Files\BHODemon 2\is-7QUEC.tmp contains sample of "win32:Agent-JB [Trj]".
The second question is about a program called Win Duh. I am trying to help a couple clean and prepare their computer for their daughter after their new comp. purchase. This program, Win Duh, I found in the add/remove programs section and I am unable to remove it. I was planning to use killbox to remove it. However I am now concerned about Virii?? Any assistance is good.. (K) TIA VERY MUCH
#2
Had to edit, no replies... should I repost somewhere else?
#3
Hi,
Because certainly there is some code in it which is the same as in some bad files. For the second question, I do not find any good info about a Win Duh program. Could you post this log, please:
Download HijackThis 1.99.1 from: HERE. Create a new folder only for HijackThis (example: C:\HJT), but don't leave it on your desktop or in a temp folder! Unzip it to this folder. Click "Scan", then click "Save Log". Save the log, and copy/paste it into your response to this thread. Don't check or fix anything yet.
#4
My HijackThis log is as follows. Sorry for the delay, daughter busted head open, 9 stitches..

Logfile of HijackThis v1.99.1
Scan saved at 9:20:42 PM, on 3/7/06
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index....10244&ttid=104
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesea...d=0&id=5.20013
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesea...d=0&id=5.20013
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesea...d=0&id=5.20013
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;<local>
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: (no name) - {382518E4-928F-B24E-F238-330865A88F44} - C:\WINDOWS\SYSTEM\BTEC6395.DLL
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - C:\WINDOWS\MSBBHOOK.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION2\VTRAY.EXE /s
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [Gxofpk] C:\PROGRAM FILES\FPCWAS\BPDGN.EXE
O4 - HKLM\..\Run: [Khudf] C:\PROGRAM FILES\JPDO\CQVAQXM.EXE
O4 - HKLM\..\Run: [8DbOoLSg] C:\RHJRWVB.EXE
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Registry Cleaner] "C:\PROGRAM FILES\REGISTRY CLEANER TRIAL\REGCLEAN.EXE"
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/...er/Install.cab
O21 - SSODL: gKnrezYsHTdd - {382518DE-928F-B274-38B4-221C65A88F41} - C:\WINDOWS\SYSTEM\AXPQXQ.DLL

This is not my computer and I am trying to fix it before Thurs USA time so that it can be handed down. Thanks again (K)
#5
Ok. There are some bad files to remove.
Close all browser windows, run only HijackThis and tick:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index....10244&ttid=104
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesea...d=0&id=5.20013
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesea...d=0&id=5.20013
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesea...d=0&id=5.20013
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: (no name) - {382518E4-928F-B24E-F238-330865A88F44} - C:\WINDOWS\SYSTEM\BTEC6395.DLL
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - C:\WINDOWS\MSBBHOOK.DLL
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [Gxofpk] C:\PROGRAM FILES\FPCWAS\BPDGN.EXE
O4 - HKLM\..\Run: [Khudf] C:\PROGRAM FILES\JPDO\CQVAQXM.EXE
O4 - HKLM\..\Run: [8DbOoLSg] C:\RHJRWVB.EXE
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O21 - SSODL: gKnrezYsHTdd - {382518DE-928F-B274-38B4-221C65A88F41} - C:\WINDOWS\SYSTEM\AXPQXQ.DLL

Click "Fix checked".
Now, make sure that you can view hidden files and folders, as explained HERE, and uncheck "Hide Extensions for Known File Types".
Reboot in safe mode and delete:

ISTsvc <- the folder (with "Search")
C:\PROGRAM FILES\POWER SCAN\ <- the folder
C:\PROGRAM FILES\WEB_REBATES <- the folder
C:\PROGRAM FILES\FPCWAS\ <- the folder
C:\PROGRAM FILES\JPDO\ <- the folder
C:\RHJRWVB.EXE <- the file
C:\Program Files\SurfAccuracy\ <- the folder

Empty the recycle bin. Reboot in normal mode. Run this online scan and copy/paste its report with a new log, please.
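The helper's reply above works by reading the log entry by entry and picking out the startup items, BHOs and browser settings that point at known unwanted hosts or files. The following script is an added example, not part of the thread and not HijackThis's own code: it parses the R/O entry lines of a saved HijackThis log and flags the same kinds of entries the helper ticked. The sample log is constructed from a few lines of the logs posted in this thread, the removal list is taken from post #5, and the two extra heuristics (orphaned BHO entries, autorun binaries in the drive root) are assumptions that generalize the helper's picks rather than rules from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of entries copied from the HijackThis logs posted
# in this thread, so the triage runs offline. A real run reads the saved log file.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesea...d=0&id=5.20013
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - C:\WINDOWS\MSBBHOOK.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [8DbOoLSg] C:\RHJRWVB.EXE
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O21 - SSODL: gKnrezYsHTdd - {382518DE-928F-B274-38B4-221C65A88F41} - C:\WINDOWS\SYSTEM\AXPQXQ.DLL
"""

# Every HijackThis entry line starts with its section code: R0-R3 or O1-O23.
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")

# Hosts, folders and file names the helper in post #5 told the poster to fix or delete.
KNOWN_UNWANTED = (
    "appswebservice.com", "shopnav.com", "ISTSVC", "POWER SCAN", "WEB_REBATES",
    "FPCWAS", "JPDO", "RHJRWVB.EXE", "SURFACCURACY", "BTEC6395.DLL",
    "MSBBHOOK.DLL", "AXPQXQ.DLL",
)


@dataclass
class Entry:
    kind: str   # section code, e.g. "R1", "O2", "O4", "O21"
    body: str   # text after "<kind> - "
    path: str   # file, DLL or URL the entry points at ("" if none found)


def _target(kind: str, body: str) -> str:
    """Pull the file/URL a HijackThis entry references, per section layout."""
    if kind.startswith("R"):
        # R lines: "<registry key>,<value> = <url>"
        return body.split(" = ", 1)[1].strip() if " = " in body else ""
    if kind == "O4":
        # O4 lines: "<key>: [<name>] <command ...>"; keep the executable only
        m = re.search(r"\]\s*(\"[^\"]+\"|\S+)", body)
        return m.group(1).strip('"') if m else ""
    # O2/O3/O9/O16/O21 lines end with " - <file or URL>"
    return body.rsplit(" - ", 1)[-1].strip()


def parse_log(text: str) -> list[Entry]:
    """Turn a saved HijackThis log into Entry records, skipping headers and the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            kind, body = m.group("kind"), m.group("body")
            entries.append(Entry(kind, body, _target(kind, body)))
    return entries


def triage(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Return (entry, reason) pairs that deserve a look before the 'Fix checked' step."""
    findings = []
    for e in entries:
        up = e.path.upper()
        if any(frag.upper() in up for frag in KNOWN_UNWANTED):
            findings.append((e, "matches an item on the thread's removal list"))
        elif e.kind == "O2" and e.path == "(no file)":
            # assumed heuristic: a BHO CLSID registered with no DLL behind it is leftover junk
            findings.append((e, "orphaned BHO registration with no file on disk"))
        elif e.kind == "O4" and re.fullmatch(r"[A-Z]:\\[^\\]+", up):
            # assumed heuristic: legitimate autoruns rarely live straight in C:\
            findings.append((e, "autorun binary sits directly in the drive root"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.kind:<4} {entry.path}\n     -> {reason}")
```

On the sample above the script flags the shopnav search page, both BHO lines, the two autoruns from the removal list and the O21 SSODL DLL, and leaves the Yahoo start page and the ScanRegistry autorun alone, which is the same split the helper made by hand. Treat the output as a shortlist for review, not as a fix list: the removal set here is specific to this machine, and a clean O4 entry can still point at an unusual path.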
#6
Something is wrong. Second HJT file:

Logfile of HijackThis v1.99.1
Scan saved at 2:39:31 PM, on 3/8/06
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION2\VTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
C:\PROGRAM FILES\JPDO\CQVAQXM.EXE
C:\RHJRWVB.EXE
C:\PROGRAM FILES\REGISTRY CLEANER TRIAL\REGCLEAN.EXE
C:\PROGRAM FILES\TRUEASSISTANT\TRUEASSISTANT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index....10244&ttid=104
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;<local>
O2 - BHO: (no name) - {382518E4-928F-B24E-F238-330865A88F44} - C:\WINDOWS\SYSTEM\BTEC6395.DLL
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - C:\WINDOWS\MSBBHOOK.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION2\VTRAY.EXE /s
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe
O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [Gxofpk] C:\PROGRAM FILES\FPCWAS\BPDGN.EXE
O4 - HKLM\..\Run: [Khudf] C:\PROGRAM FILES\JPDO\CQVAQXM.EXE
O4 - HKLM\..\Run: [8DbOoLSg] C:\RHJRWVB.EXE
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Registry Cleaner] "C:\PROGRAM FILES\REGISTRY CLEANER TRIAL\REGCLEAN.EXE"
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/...er/Install.cab
O21 - SSODL: gKnrezYsHTdd - {382518DE-928F-B274-38B4-221C65A88F41} - C:\WINDOWS\SYSTEM\AXPQXQ.DLL
#7
Strange... First, disable REGISTRY CLEANER for the time needed to clean. Then:
Check and "fix" the same lines with HijackThis, then close it.
Download Pocket Killbox from HERE. Run Killbox and paste the full file path of each of the below files in the box and tick "Delete on Reboot". Next click on the button with the red circle and an X in the middle ("Delete file"). You will get a message saying "File will be deleted on next reboot". Click "Yes", and another: "Files will be removed on reboot. Do you want to reboot now?". Click "No". Click "Yes" after the last file and post a new log when you have rebooted.

C:\PROGRAM FILES\JPDO\CQVAQXM.EXE
C:\RHJRWVB.EXE
C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe
C:\PROGRAM FILES\FPCWAS\BPDGN.EXE
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\SYSTEM\AXPQXQ.DLL

Note: for C:\WINDOWS\SYSTEM\AXPQXQ.DLL tick "Unregister dll" too.