
HijackThis log - popups return on startup

lacasa

I have used the latest versions and definitions of Spybot, Giant, Ad-aware. It appears they remove them, but as soon as I reboot the popups come back, like the Elite searchbar. I probably should run the above programs in safe mode? Is it necessary to disable System Restore? My modem also does not work anymore - perhaps it is related to spyware. This is my HijackThis log. Thanks for any help.

Logfile of HijackThis v1.98.2
Scan saved at 11:04:21 AM, on 12/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\System32\alsyfd.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MIS 2.0\Host.exe
C:\Program Files\MIS 2.0\MIS.exe
C:\Program Files\Microsoft Office\Office10\MSACCESS.EXE
C:\Program Files\Microsoft Office\Office10\MSACCESS.EXE
P:\Computer Help\Programs\Hijack this\HijackThis.exe

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [vkmoykv] C:\WINDOWS\System32\alsyfd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvdii32.exe
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Shortcut to Host.lnk = ?
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lacasainc.org
O17 - HKLM\Software\..\Telephony: DomainName = lacasainc.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABB2F5B5-84CE-4636-8798-145639EAE8D6}: NameServer = 192.168.0.150
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lacasainc.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lacasainc.org
 
You need to turn off System Restore, or they come back. Rerun your progs and make sure they are up to date.

Run an online antivirus check from at least one and preferably two of the following sites.

Make sure autoclean is enabled on the scans.

Go to this site and download these tools, and once you get both
Adaware and Spybot, update both of them. Set Adaware to deep scan and
delete everything Adaware finds, and delete what Spybot finds marked in red.
With CWShredder, close all browsers and programs and select the fix button.

  • SpyBot Search and Destroy
  • CWShredder
  • AdAware

Post another log after cleaning.
 
Do as pechenegs recommends and turn off system restore.
Use Hijack This to remove these entries:

O4 - HKLM\..\Run: [vkmoykv] C:\WINDOWS\System32\alsyfd.exe

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvdii32.exe

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) -

Reboot into safe mode.

Delete this file:

C:\WINDOWS\System32\alsyfd.exe

Reboot.



Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
carr

Thanks for the help. Sorry for the delay in responding - I have been gone. I have now cleaned the machine and it is much better. I did not remove these two entries because I found
these entries on several other clients.

O4 - HKLM\..\Run: [vkmoykv] C:\WINDOWS\System32\alsyfd.exe

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvdii32.exe

I searched Microsoft and Google and cannot find these files listed. This is either good or bad. Do you know these files?

Spybot, Adaware, Giant do not pick them up - only HijackThis.

Thanks for help everyone.
 
This one also needs to go:

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

John
 
Thanks jrbarnett.

Are you familiar with these? Should I delete them?

O4 - HKLM\..\Run: [vkmoykv] C:\WINDOWS\System32\alsyfd.exe

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvdii32.exe
 
Lacasa,
I'm not sure about the first O4 entry, but the other one definitely should be removed. A search for kalvsys reveals that it's the Elite searchbar installer.

Maybe you didn't find it because the exe is different. It's always kalv****.exe, but the **** is randomly generated.

HTH,
Melissa
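As an added example (not code from the thread or from any of the tools mentioned), a small Python triage script that applies the advice given above to HijackThis log lines: it flags an O2 BHO whose DLL is "(no file)", an O4 Run entry whose executable matches the kalv*.exe pattern Melissa describes, and, as a weaker heuristic of my own, an O4 entry where both the Run name and the file name look randomly generated. The sample entries are copied from the log posted above.

```python
import re

# Constructed sample: entries copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [vkmoykv] C:\WINDOWS\System32\alsyfd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvdii32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# O4 lines: "O4 - HKLM\..\Run: [name] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O2 lines: "O2 - BHO: name - {CLSID} - file"
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$')
# Elite searchbar installer pattern from the thread: kalv + random characters + .exe
KALV_RE = re.compile(r'^kalv\w*\.exe$', re.I)

def exe_basename(cmd):
    """Return the executable's file name from an O4 command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split(' ')[0]
    return path.replace('/', '\\').rsplit('\\', 1)[-1]

def triage(log_text):
    """Return (line, reason) for each entry the thread's advice would flag."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m and m.group('file').strip().lower() == '(no file)':
            findings.append((line, 'orphaned BHO: CLSID registered but DLL missing'))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        name, exe = m.group('name'), exe_basename(m.group('cmd'))
        if KALV_RE.match(exe):
            findings.append((line, 'kalv*.exe matches the Elite searchbar installer pattern'))
        # Heuristic (my assumption, not from the thread): an all-lowercase Run name and an
        # all-lowercase file name that do not match each other often come from a generator.
        elif re.fullmatch(r'[a-z]{5,}', name) and re.fullmatch(r'[a-z]{5,}\.exe', exe) and name != exe[:-4]:
            findings.append((line, 'review: random-looking Run name and file name (heuristic)'))
    return findings

if __name__ == '__main__':
    for entry, reason in triage(SAMPLE_LOG):
        print(reason, '=>', entry)
```

The heuristic rule only marks an entry for review; as the thread says, confirm with a properties check and a web search before deleting, or rename the file first.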
 
lacasa

If you have files that you did not install, that you do not recognize, that you cannot get any good properties information for, and you cannot get any google information on, that is a pretty good indication that they are bad.

If you want to take a conservative approach when working with a file like that, rename it rather than deleting it, and see if problems result.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 