January 12th, 2006 14:00

RE:win32.beovens virus please advise about saved log

Logfile of HijackThis v1.99.1
Scan saved at 9:06:25 AM, on 1/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.elp.rr.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus7.hpwis.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\c3gnfjq9.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Update Kreate-A-Key.lnk = C:\Program Files\InstaCode\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

January 14th, 2006 00:00

Hello gmacias4,

Looking at your HJT scan, I don't see any indication of win32.beovens. What scan were you using, and can you give me the exact file path and filename that the scan said was infected?

Next, it looks like you are running two antivirus systems. Antivirus programs very seldom work well together and often will actually result in a loss of protection. You should really pick one of them and uninstall the other.

Not really a whole lot going on in your log, so let's take care of that and go from there.

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

Open Microsoft AntiSpyware.
  • Click Tools=>Settings.
  • In the left pane Click Real-time Protection.
  • Under Startup Options Uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  • Under Real-time spyware threat protection
  • Uncheck Enable real-time spyware threat protection (recommended).
  • Click Save button.
  • Close Microsoft AntiSpyware.
  • Right Click the Microsoft AntiSpyware icon on the taskbar.
  • Select Shutdown Microsoft AntiSpyware.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Go to Add/Remove Programs and remove (uninstall) the following, if present:

Viewpoint Manager

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

Run HiJackThis then:

1. Click " Config..."
2. Click " Misc Tools"
3. Click " Open Process manager"
4. Hold down the CTRL key,
5. Click (highlight) each of the following (if present):

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

6. Make sure that only those item(s) above are highlighted.
7. Click " Kill process".
8. Click " Refresh",
9. Check again. Repeat this step if any remain.

Run HiJackThis and click " Scan", then check(tick) the following, if present:

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k -->Note: This is not a bad entry, it just doesn't need to be run at every startup.
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u -->Note: This is not a bad entry, it just doesn't need to be run at every startup.
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab

With all windows closed except HiJackThis, click " Fix checked".

When you're done, rescan your system and make sure the following isn't present:

N3 - Netscape ... 5CSBWeb_01.src ( or) 5CSBWeb_02.src

If it is, then fix that entry again; sometimes it'll take more than one pass. The actual entry is ok, and won't be deleted, it's the java wrapper marked in red that needs to be removed.

From "Safe Mode" (reboot if necessary), locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

To show hidden files :

1. Click Start=> Control Panel=> Folder Options=> View tab.
2. Select " Show hidden files and folders"
3. Clear the check mark in " Hide protected operating system files"=> Yes to confirm.
4. Click Apply=> OK.
5. Close Control Panel.

folders...

C:\Program Files\Viewpoint

Search for...

ALCXMNTR.EXE

...using " Start=>Search...".

Note that some of these file(s) may not be present.

Post back a new log, and let me know how things are going. :smileyhappy:

George a.k.a. SpotCheckBilly
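A small triage script for logs in this format, added here as an example; it is not part of the thread and not code from HijackThis. It parses the section-coded finding lines ("O4 - ...", "O23 - ...") and flags the kinds of entries the reply above singles out: targets marked "(file missing)", services with an unknown owner, O16 downloaded controls, and Run entries launched without an absolute path. The sample log lines and the reason strings are constructed for the example.

```python
import re

# Constructed sample in HijackThis v1.99 line format; entries are shaped like those in the log above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# A finding line is "<section> - <body>"; an O4 Run-key body is "HKLM\..\Run: [ValueName] command line".
ENTRY_RE = re.compile(r"^(?P<section>[RNFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

FILE_MISSING = "target file missing (dangling entry)"
UNKNOWN_OWNER = "service has no publisher; verify the binary on disk"
DPF_CONTROL = "downloaded ActiveX control; confirm it is still wanted"
NO_ABS_PATH = "autorun has no absolute path; it resolves through the search path"


def executable_of(cmd):
    """Program token of a Run-key command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return (section, reason, line) triples for entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list and blank lines carry no section code
        section, body = m.group("section"), m.group("body")
        if "(file missing)" in body:
            findings.append((section, FILE_MISSING, raw))
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, UNKNOWN_OWNER, raw))
        if section == "O16":
            findings.append((section, DPF_CONTROL, raw))
        if section == "O4":
            run = RUN_RE.match(body)
            exe = executable_of(run.group("cmd")) if run else ""
            if exe and "\\" not in exe and not exe.startswith("%"):
                findings.append((section, NO_ABS_PATH, raw))
    return findings
```

Run `triage(open("hijackthis.log").read())` on a saved log to get the list; a flagged entry is a prompt to check the file on disk, not a verdict that it is malicious.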