[FIXED] My log

Jeroen · 10-18-2005

Hi, this is my log. Its huge

I know i should keep msgplus.exe and I know the WhenuSave thing comes with p2p software. Thats all i can derive from the list :P

joe5 · 10-19-2005

Hya Ge64 , dont look now but the "fix instuctions list" is even huger. :tongue:

Before using HijackThis Please Do the Following:

Show hidden files and folders:

For XP:

On the Tools menu in Windows Explorer, click Folder Options.
Click the View tab.
Under Hidden files and folders, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.

For 98/2000/ME:

Double-click the My Computer icon
Click on the View menu, click Folder Options
Advanced Settings box, under the "Hidden files" folder, click Show all files.
If you see a warning message, click Yes.
Click Apply.
Click OK.

Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when youre PC is clean).

How to disable system restore:

WinXP.

Click the Start button.
Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.

WinME.

Click Start > Settings > Control Panel.
Double-click the System icon.
If the System icon is not visible, click View all Control Panel options to display it.
On the Performance tab, click File System.
On the Troubleshooting tab check Disable System Restore.
Click OK. Click Yes, when you are prompted to restart Windows.

Uninstall "WhenUSave" and "PSGuard" in add and remove programs.

Please download CCleaner

Download CW-Shredder here.

Please download Process Explorer by Systernals from HERE

Also download KillBox by Option^Explicit from HERE

Download 'SpSeHjfix'. to the desktop and then right click a blank part of desktop & select new folder, call it spfix.

unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.

Run 'SpSeHjfix'. and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.
If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Now boot in safemode (hit f8 when booting up)

Click Start>Run and type in: services.msc
Click OK
In the Services window find:

FanSpeedNT Service

Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK
Open HJT and click config > misc tools > “delete an NT service”
Copy and past:

FanSpeedNT Service

Click OK.

Unzip Process Explorer and double click on procexp.exe
In the top section of the Process Exlporer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen click on each instance of ug.dll once and then click the kill button.
After you have killed all of the ug.dll's under winlogon click OK.
Next In the top section of the Process Exlporer screen again , double click on explorer.exe and again click once on each instance of ug.dll then click the kill button.
Once you have done that click OK again.

and then fix these with Hijackthis:
(if still present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JEroen\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JEroen\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A394A5A2-C740-46FB-AB1A-6B6A96C3F63F} - C:\WINNT\system32\fcgc.dll
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\JEroen\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O18 - Filter: text/html - {23E4A718-544C-4F45-B072-28AF6047863C} - C:\WINNT\system32\fcgc.dll
O18 - Filter: text/plain - {23E4A718-544C-4F45-B072-28AF6047863C} - C:\WINNT\system32\fcgc.dll
O21 - SSODL: dZSIPcKLvBxFEYA - {F0F619C3-5A5C-B369-4956-A7F6C2110FB3} - C:\WINNT\system32\ug.dll
O23 - Service: FanSpeedNT Service - Unknown owner - C:\DOCUME~1\JEroen\LOCALS~1\Temp\Rar$EX00.766\fans peedNT.exe" (file missing)

And delete the files in bold.

Now run the Shredder - Hit The FIX button! And also run Ccleaner.

Double click on Killbox.exe and then check the delete on reboot button.

Enter the following filepath and filename into the Full path of file to delete box

C:\WINNT\system32\ug.dll

Click the red circle with the white x and allow your computer to reboot.

Reboot and Download and run Ewido:

Download Ewido Security Suite
Install Ewido Security Suite.

When installing, under Additional Options uncheck Install background guard and Install scan via context menu

Launch Ewido, there should be a big "E" icon on your desktop, double-click it.

The program will prompt you to update click the "OK" button

The program will now go to the main screen

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update

Click on Start

The update will start and a progress bar will show the updates being installed.*

After the updates are installed, exit ewido.

Once the updates are installed do the following:
If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Reboot into Safe Mode, restart your computer, tap the F8* key. Use your up arrow key to highlight Safe Mode, then hit enter.

Close all open windows/programs/folders and then run Ewido.* Have nothing else open while ewido performs its scan!
Click on Scanner , Settings

Under "How to scan" all boxes should be selected

Under "Possibly unwanted software" all boxes should be selected

Under "What to scan" select scan every file

Click OK, Complete system scan

Let the program scan the machine

If ewido finds anything, it will pop up a notification.*

NOTE:* We have been finding some cases of false positives with the new version of Ewido, so you need to step through the fixes one-by-one.* If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged.* In particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action.*

DO NOT check "Perform action with all infections."* If you are unsure of an entry, select "none" for the time being.* We will see that in the log when you post it later and let you know if ewido needs to be run again.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

Click Save report. Save the report to your desktop, exit ewido

Note:

If during your scan Ewido "crashes" or "hangs", please try scanning again. Before running the scan, click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'. Uncheck 'Scan in NTFS Alternate Data Streams' as this can cause problems in overly infected systems. Click 'OK' and run a new scan.

After that post a fresh HJT log and the log that was created by 'SpSeHjfix' plus the Ewido log.

Jeroen · 10-19-2005

Ewido scan is taking ages... 320GB of old never-thrown-away files. I'll edit this post when its finished and post the new logs.

Jeroen · 10-19-2005

Hm cant edit it.. oh well. Here's my new logs. Ewido took me over an hour (52 minutes scanning, then took it at least 10 minutes to remove one big rar archive). I skipped 2 files I actually made myself :P it recognised them as Not-a-virus.Flooder.VB or something.

joe5 · 10-20-2005

Looks great! Everything is gone. :cool:

You can still fix these with hjt but no biggie:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

Youre pc must be running alot better now.

Marked as fixed.

Jeroen · 10-20-2005

Yeh Thanks a LOT!!! No problems at ALl after this, Windows Update works again, Counter-Strike Source works again, NO MORE POPUPS!! and I think I noticed I lagged less on the internet

joe5 · 10-20-2005

Good news! and youre welcome.

10-19-2005	#2
joe5 Elite Member Join Date: Jun 2005 Location: Netherlands Posts: 9,025	Hya Ge64 , dont look now but the "fix instuctions list" is even huger. :tongue: Before using HijackThis Please Do the Following: Show hidden files and folders: For XP: On the Tools menu in Windows Explorer, click Folder Options. Click the View tab. Under Hidden files and folders, click Show hidden files and folders. If you see a warning message, click Yes. Click Apply. Click OK. For 98/2000/ME: Double-click the My Computer icon Click on the View menu, click Folder Options Advanced Settings box, under the "Hidden files" folder, click Show all files. If you see a warning message, click Yes. Click Apply. Click OK. Disable System Restore to prevent re-infection. (If you have/use it. You can turn it back on when youre PC is clean). How to disable system restore: WinXP. Click the Start button. Right-click My Computer, and then click Properties. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives. WinME. Click Start > Settings > Control Panel. Double-click the System icon. If the System icon is not visible, click View all Control Panel options to display it. On the Performance tab, click File System. On the Troubleshooting tab check Disable System Restore. Click OK. Click Yes, when you are prompted to restart Windows. Uninstall "WhenUSave" and "PSGuard" in add and remove programs. Please download CCleaner Download CW-Shredder here. Please download Process Explorer by Systernals from HERE Also download KillBox by Option^Explicit from HERE Download 'SpSeHjfix'. to the desktop and then right click a blank part of desktop & select new folder, call it spfix. unzip the file into that folder. Disconnect from the net and Close ALL OPEN PROGRAMS. Run 'SpSeHjfix'. and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder. If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage. Now boot in safemode (hit f8 when booting up) Click Start>Run and type in: services.msc Click OK In the Services window find: FanSpeedNT Service Select/highlight and right click the entry, and choose: Properties On the General tab, under Service Status click the Stop button Beside: Startup Type, in the drop menu, select: Disabled Click Apply, then OK Open HJT and click config > misc tools > “delete an NT service” Copy and past: FanSpeedNT Service Click OK. Unzip Process Explorer and double click on procexp.exe In the top section of the Process Exlporer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top. Once you see this screen click on each instance of ug.dll once and then click the kill button. After you have killed all of the ug.dll's under winlogon click OK. Next In the top section of the Process Exlporer screen again , double click on explorer.exe and again click once on each instance of ug.dll then click the kill button. Once you have done that click OK again. and then fix these with Hijackthis: (if still present) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JEroen\LOCALS~1\Temp\se.dll/space.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JEroen\LOCALS~1\Temp\se.dll/space.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank O2 - BHO: (no name) - {A394A5A2-C740-46FB-AB1A-6B6A96C3F63F} - C:\WINNT\system32\fcgc.dll O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe" O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\JEroen\LOCALS~1\Temp\se.dll,DllInstall O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O18 - Filter: text/html - {23E4A718-544C-4F45-B072-28AF6047863C} - C:\WINNT\system32\fcgc.dll O18 - Filter: text/plain - {23E4A718-544C-4F45-B072-28AF6047863C} - C:\WINNT\system32\fcgc.dll O21 - SSODL: dZSIPcKLvBxFEYA - {F0F619C3-5A5C-B369-4956-A7F6C2110FB3} - C:\WINNT\system32\ug.dll O23 - Service: FanSpeedNT Service - Unknown owner - C:\DOCUME~1\JEroen\LOCALS~1\Temp\Rar$EX00.766\fans peedNT.exe" (file missing) And delete the files in bold. Now run the Shredder - Hit The FIX button! And also run Ccleaner. Double click on Killbox.exe and then check the delete on reboot button. Enter the following filepath and filename into the Full path of file to delete box C:\WINNT\system32\ug.dll Click the red circle with the white x and allow your computer to reboot. Reboot and Download and run Ewido: Download Ewido Security Suite Install Ewido Security Suite. When installing, under Additional Options uncheck Install background guard and Install scan via context menu Launch Ewido, there should be a big "E" icon on your desktop, double-click it. The program will prompt you to update click the "OK" button The program will now go to the main screen You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update Click on Start The update will start and a progress bar will show the updates being installed.* After the updates are installed, exit ewido. Once the updates are installed do the following: If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode. Reboot into Safe Mode, restart your computer, tap the F8* key. Use your up arrow key to highlight Safe Mode, then hit enter. Close all open windows/programs/folders and then run Ewido.* Have nothing else open while ewido performs its scan! Click on Scanner , Settings Under "How to scan" all boxes should be selected Under "Possibly unwanted software" all boxes should be selected Under "What to scan" select scan every file Click OK, Complete system scan Let the program scan the machine If ewido finds anything, it will pop up a notification.* NOTE:* We have been finding some cases of false positives with the new version of Ewido, so you need to step through the fixes one-by-one.* If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged.* In particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action.* DO NOT check "Perform action with all infections."* If you are unsure of an entry, select "none" for the time being.* We will see that in the log when you post it later and let you know if ewido needs to be run again. Once the scan has completed, there will be a button located on the bottom of the screen named Save report. Click Save report. Save the report to your desktop, exit ewido Note: If during your scan Ewido "crashes" or "hangs", please try scanning again. Before running the scan, click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'. Uncheck 'Scan in NTFS Alternate Data Streams' as this can cause problems in overly infected systems. Click 'OK' and run a new scan. After that post a fresh HJT log and the log that was created by 'SpSeHjfix' plus the Ewido log. __________________ - PCHF Team. - (NL) - Mal-ware Eradicator! - - Online AV Scans - HijackThis! - Bootdisk.com - ATF-Cleaner - Stinger - 'Prework' - 'Afterwork' - PCHF Rules - Donate to PCHF. And get> Last edited by joe5; 10-19-2005 at 02:57 PM.

10-20-2005	#5
joe5 Elite Member Join Date: Jun 2005 Location: Netherlands Posts: 9,025	Looks great! Everything is gone. :cool: You can still fix these with hjt but no biggie: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Youre pc must be running alot better now. Marked as fixed. __________________ - PCHF Team. - (NL) - Mal-ware Eradicator! - - Online AV Scans - HijackThis! - Bootdisk.com - ATF-Cleaner - Stinger - 'Prework' - 'Afterwork' - PCHF Rules - Donate to PCHF. And get>

10-20-2005	#6
Jeroen Mac User Join Date: Oct 2005 Location: Hong Kong Posts: 320 PC Experience: Diversely Experienced	Yeh Thanks a LOT!!! No problems at ALl after this, Windows Update works again, Counter-Strike Source works again, NO MORE POPUPS!! and I think I noticed I lagged less on the internet __________________ Rules - Prework - Reputation System - Dark Style - Publish PC Specs Been helped by anyone? Click and consider a Donation! Always have a copy of Knoppix handy!

10-20-2005	#7
joe5 Elite Member Join Date: Jun 2005 Location: Netherlands Posts: 9,025	Good news! and youre welcome. __________________ - PCHF Team. - (NL) - Mal-ware Eradicator! - - Online AV Scans - HijackThis! - Bootdisk.com - ATF-Cleaner - Stinger - 'Prework' - 'Afterwork' - PCHF Rules - Donate to PCHF. And get>

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode