I think I Fixed it


58 replies to this topic

#1 Exspider

Exspider

  • Members
  • 135 posts
  • Location:In the middle
  • Local time:07:09 PM

Posted 30 January 2005 - 08:56 AM

Logfile of HijackThis v1.98.2
Scan saved at 7:38:59 AM, on 1/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Bart\LOCALS~1\Temp\tmpC.tmp
C:\Program Files\ACD Systems\ACDSee\ACDSee.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Bartimus.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = d:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///c:/Bartimus.net/index.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096499455562
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6662A3FB-C475-446F-89BD-7C2E529D01D8}: NameServer = 216.176.95.129,216.176.95.161
O17 - HKLM\System\CS1\Services\Tcpip\..\{6662A3FB-C475-446F-89BD-7C2E529D01D8}: NameServer = 216.176.95.129,216.176.95.161
Your friends and the numbers all add up, we're just here to count them.......

#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:09:09 PM

Posted 30 January 2005 - 02:17 PM

Hello Bartimus and welcome to BC. I am presently reviewing your log and will respond back to you as quickly as I can.

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:09:09 PM

Posted 01 February 2005 - 12:25 AM

Hello again Bartimus. After reviewing your log I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following:

Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program. If it asks to reboot, do not reboot even if that means leaving the computer on till I get back to you.

Now please create a new Hijackthis Log and post it as a reply.

OT :thumbsup:

#4 Exspider

Exspider
  • Topic Starter

  • Members
  • 135 posts
  • Location:In the middle
  • Local time:07:09 PM

Posted 01 February 2005 - 06:00 AM

Sorry. I had 2 threads going. I re-enabled all startup items and am using the latest version of HiJackThis now. Here is the log file.
Logfile of HijackThis v1.99.0
Scan saved at 4:55:16 AM, on 2/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Bart\LOCALS~1\Temp\tmpC.tmp
C:\Program Files\ACD Systems\ACDSee\ACDSee.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Bartimus.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = d:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///c:/Bartimus.net/index.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [yvql] c:\windows\yvql.exe
O4 - HKLM\..\Run: [wttozg] C:\WINDOWS\System32\bmuttcnt.exe
O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [sfcfgn] C:\WINDOWS\sfcfgn.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ofwvaj] C:\WINDOWS\ofwvaj.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [MBFREcge.exe] C:\documents and settings\bart\local settings\temp\MBFREcge.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 825" /O6 "USB001" /M "Stylus Photo 825"
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [8VNMHFPW.exe] C:\documents and settings\bart\local settings\temp\8VNMHFPW.exe
O4 - HKLM\..\Run: [3@Q#8P33557LX3] C:\WINDOWS\System32\Reyd5kLS.exe
O4 - HKLM\..\Run: [1c7T] C:\WINDOWS\wqxcx.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [163275f8d246] C:\WINDOWS\System32\authz282.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Ohq] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Enro] C:\Documents and Settings\Bart\Application Data\masr.exe
O4 - Startup: winupdate18260142[1].exe
O4 - Startup: winupdate24921484[1].exe
O4 - Startup: winupdate72987818[1].exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096499455562
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6662A3FB-C475-446F-89BD-7C2E529D01D8}: NameServer = 216.176.95.129,216.176.95.161
O17 - HKLM\System\CS1\Services\Tcpip\..\{6662A3FB-C475-446F-89BD-7C2E529D01D8}: NameServer = 216.176.95.129,216.176.95.161
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (read only) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#5 Exspider

Exspider
  • Topic Starter

  • Members
  • 135 posts
  • Location:In the middle
  • Local time:07:09 PM

Posted 01 February 2005 - 06:28 AM

Thanks OT!
I don't mean to be a pain & I will refrain from doing anything else until I hear from you. I hope changing my user name from bartimus to Exspider didn't cause you any problems.
I really do appreciate your help. I will try to donate to BC once in awhile.

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:09:09 PM

Posted 01 February 2005 - 12:32 PM

Hello again bartimus (I'll stick with this name unless you want to use exspider). Well, we've got a mess here. Our first order of business is to get an anti-virus installed and operating. To do that we need to remove a peper trojan and other various malware apps that will take several steps. Print these directions and then close all open windows (including this one). Follow each of the steps in order.

Step # 1

Before we run HijackThis we need to take care of a trojan named Peper which has infected your system. Please follow these steps to download and run a special repair tool:

There are two tools available. Please choose one of them and follow the instructions in order:

Tool 1 (requires an active internet connection to run):

1. Download Newuninst.exe.
2. Run it with an active internet connection.
3. Reboot to finish removing the entries it found.
4. Run the tool a second time (again with an active internet connection).
5. Reboot to finish removing the entries it found.

Tool 2 (does NOT require an internet connection to run):

1. Please Download PeperFix.exe.
2. Start the tool and click Find and Fix.
3. Reboot to finish removing what it found.
4. Run the tool a second time.
5. Reboot to finish removing the entries.

Step # 2

Run both of the following on-line virus scans:

Trend Micro Housecall and
BitDefender On-Line Virus Scan

Make sure that you choose "fix" or "clean".

Step #3

Please download and run the following adware scanning applications:

Spybot Search & Destroy and
AdAware SE Personal.

Then follow the instructions in the links below to make sure that you have the most current updates and the proper settings to run each one.

Spybot Tutorial
AdAware Tutorial

Step # 4

Next, let's clean up the temporary directories:
*Click Start
*Point to Programs
*Point to Accessories
*Point to System Tools
*Click Disk Cleanup.
*Select all items shown and click the OK button.

Step # 5

I do not see any anti-virus running on your computer. In today's internet world it is important to protect your computer against virus threats. Here are a couple of links to free anti-virus programs that we highly recommend. Choose one of them and follow that site's directions to download, install, update and perform a full scan.

Grisoft AVG Anti-Virus Free Edition and
Avast Anti-Virus Home Edition.

Step # 6

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here as a reply to this topic and I will review it.

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGITIMATE AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT :thumbsup:

#7 Exspider

Exspider
  • Topic Starter

  • Members
  • 135 posts
  • Location:In the middle
  • Local time:07:09 PM

Posted 01 February 2005 - 08:09 PM

PeperFix.exe didn't find anything. I tried to get newuninst.exe and can't get the file at any of the sources I tried.
One thing I should have told you was, that I took in on my own before I contacted BC and manually removed 2 lines with HiJackThis. I restored those 2 lines to make sure I wasn't mucking something up. System still hasn't been rebooted and I’ll post a new log now.
I just scanned it with SpyBot & Adware & had 7 entries each, IST bleep & deleted it. Maybe I shouldn’t have restored the two lines after all.
What’s my next move?
Thanks for your patience & your help OT.
Here’s my current log:
Logfile of HijackThis v1.99.0
Scan saved at 7:00:17 PM, on 2/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Bart\LOCALS~1\Temp\tmpC.tmp
C:\Program Files\ACD Systems\ACDSee\ACDSee.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Bartimus.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = d:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///c:/Bartimus.net/index.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [yvql] c:\windows\yvql.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [sfcfgn] C:\WINDOWS\sfcfgn.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ofwvaj] C:\WINDOWS\ofwvaj.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [MBFREcge.exe] C:\documents and settings\bart\local settings\temp\MBFREcge.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 825" /O6 "USB001" /M "Stylus Photo 825"
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [8VNMHFPW.exe] C:\documents and settings\bart\local settings\temp\8VNMHFPW.exe
O4 - HKLM\..\Run: [3@Q#8P33557LX3] C:\WINDOWS\System32\Reyd5kLS.exe
O4 - HKLM\..\Run: [1c7T] C:\WINDOWS\wqxcx.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [163275f8d246] C:\WINDOWS\System32\authz282.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Ohq] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Enro] C:\Documents and Settings\Bart\Application Data\masr.exe
O4 - Startup: winupdate18260142[1].exe
O4 - Startup: winupdate24921484[1].exe
O4 - Startup: winupdate72987818[1].exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096499455562
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6662A3FB-C475-446F-89BD-7C2E529D01D8}: NameServer = 216.176.95.129,216.176.95.161
O17 - HKLM\System\CS1\Services\Tcpip\..\{6662A3FB-C475-446F-89BD-7C2E529D01D8}: NameServer = 216.176.95.129,216.176.95.161
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (read only) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 Exspider

Exspider
  • Topic Starter

  • Members
  • 135 posts
  • Location:In the middle
  • Local time:07:09 PM

Posted 01 February 2005 - 09:11 PM

Still haven't rebooted. Ran HouseCall, got 7 returns on a TROJ REITREC.A & deleted.
Ran SpyBot & nothing found, ditto with AdAwareSE. Still have all startup items enabled. Afraid to reboot the thing.

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • Gender:Male
  • Location:USA
  • Local time:08:09 PM

Posted 03 February 2005 - 01:28 PM

Hi since you have a newish infection that a lot of people are not too intimate with yet, I was asked to help out here :thumbsup:

Print out these instructions and then close all windows including Internet Explorer.

Reboot your computer into Safe Mode

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = d:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O4 - HKLM\..\Run: [yvql] c:\windows\yvql.exe
O4 - HKLM\..\Run: [sfcfgn] C:\WINDOWS\sfcfgn.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ofwvaj] C:\WINDOWS\ofwvaj.exe
O4 - HKLM\..\Run: [MBFREcge.exe] C:\documents and settings\bart\local settings\temp\MBFREcge.exe
O4 - HKLM\..\Run: [8VNMHFPW.exe] C:\documents and settings\bart\local settings\temp\8VNMHFPW.exe
O4 - HKLM\..\Run: [3@Q#8P33557LX3] C:\WINDOWS\System32\Reyd5kLS.exe
O4 - HKLM\..\Run: [1c7T] C:\WINDOWS\wqxcx.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [163275f8d246] C:\WINDOWS\System32\authz282.exe
O4 - HKCU\..\Run: [Ohq] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Enro] C:\Documents and Settings\Bart\Application Data\masr.exe
O4 - Startup: winupdate18260142[1].exe
O4 - Startup: winupdate24921484[1].exe
O4 - Startup: winupdate72987818[1].exe


Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\System32\DSMANAGER.DLL
C:\WINDOWS\System32\DSMANAGER32.DLL (this or the one above will exist)
c:\windows\yvql.exe
C:\WINDOWS\sfcfgn.exe
c:\program files\180solutions\
C:\WINDOWS\ofwvaj.exe
C:\documents and settings\bart\local settings\temp\MBFREcge.exe
C:\documents and settings\bart\local settings\temp\8VNMHFPW.exe
C:\WINDOWS\System32\Reyd5kLS.exe
C:\WINDOWS\wqxcx.exe
c:\windows\180ax.exe
C:\WINDOWS\System32\authz282.exe
C:\PROGRAM FILES\Web Offer\
C:\Documents and Settings\Bart\Application Data\masr.exe
C:\Documents and Settings\Bart\Start Menu\Programs\Startup\winupdate18260142[1].exe
C:\Documents and Settings\Bart\Start Menu\Programs\Startup\winupdate24921484[1].exe
C:\Documents and Settings\Bart\Start Menu\Programs\Startup\winupdate72987818[1].exe

Reboot your computer to go back to normal mode and post a new log.

Also tell me if you have any of these files on your computer:

c:\windows\system32\klogini.dll
c:\windows\system32\p2.ini
c:\windows\system32\ps.a3d
c:\windows\system32\vdnt32.sys
c:\windows\system32\vdmt16.sys
c:\windows\system32\winlow.sys
c:\windows\system32\klo5.sys
c:\windows\system32\drct16.dll
c:\windows\system32\mszx23.exe
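
The triage Grinler does by hand above (picking the O4 Run entries that live in a temp folder, under Application Data, or sit as bare executables in the Startup folder, and noting the O17 name servers for review) can be expressed as a small parser over the log format. The script below is an added example written for this page; it is not a BleepingComputer or HijackThis tool, and the heuristic names and the function names `parse`, `suspicious` and `command_path` are this example's own. The sample log is a constructed subset of lines copied from the logs posted in this thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not a
BleepingComputer or HijackThis tool). It parses the O4/O17/O23 line shapes
seen in this thread and applies defender-side heuristics that mirror the
manual review above. Heuristics only flag entries for a human to check."""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MBFREcge.exe] C:\documents and settings\bart\local settings\temp\MBFREcge.exe
O4 - HKCU\..\Run: [Ohq] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [Enro] C:\Documents and Settings\Bart\Application Data\masr.exe
O4 - Startup: winupdate18260142[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{6662A3FB-C475-446F-89BD-7C2E529D01D8}: NameServer = 216.176.95.129,216.176.95.161
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - (?P<kind>Global Startup|Startup): (?P<rest>.*)$')
NS_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>.*)$')
SVC_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$')
ANY_RE = re.compile(r'^(?P<section>[RO]\d+) - (?P<rest>.*)$')


@dataclass
class Entry:
    section: str
    name: str
    path: str = ""
    flags: list = field(default_factory=list)


def command_path(cmd):
    """Return the executable path from a Run-key command string.
    Quoted paths end at the closing quote; unquoted ones are cut at the
    first switch such as ' /STARTUP' or ' -atboottime'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return re.split(r' [/-]', cmd, maxsplit=1)[0]


def flag_path(entry):
    """Location-based heuristics; they mark entries for review, nothing more."""
    low = entry.path.lower()
    base = low.rsplit('\\', 1)[-1]
    parent = low.rsplit('\\', 1)[0] if '\\' in low else ''
    if '\\temp\\' in low:
        entry.flags.append('runs from a temp directory')
    if parent.endswith('\\application data'):
        entry.flags.append('executable placed directly in Application Data')
    if '?' in base:  # HijackThis prints '?' for characters it cannot display
        entry.flags.append('file name contains characters HijackThis could not display')


def parse(log_text):
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            e = Entry('O4', m['name'], command_path(m['cmd']))
            flag_path(e)
            entries.append(e)
            continue
        m = STARTUP_RE.match(line)
        if m:
            rest = m['rest']
            name, path = rest.split(' = ', 1) if ' = ' in rest else (rest, rest)
            e = Entry('O4', name, path)
            # A shortcut (.lnk = target) is normal; a bare .exe dropped in the
            # per-user Startup folder is what the winupdate*.exe lines above are.
            if m['kind'] == 'Startup' and ' = ' not in rest and path.lower().endswith('.exe'):
                e.flags.append('raw executable in the user Startup folder rather than a shortcut')
            flag_path(e)
            entries.append(e)
            continue
        m = NS_RE.match(line)
        if m:
            e = Entry('O17', 'NameServer', m['servers'])
            e.flags.append('custom DNS servers set; confirm they belong to the ISP')
            entries.append(e)
            continue
        m = SVC_RE.match(line)
        if m:
            e = Entry('O23', m['name'], m['path'])
            if m['vendor'].strip().lower() == 'unknown':
                e.flags.append('service has no vendor information')
            flag_path(e)
            entries.append(e)
            continue
        m = ANY_RE.match(line)
        if m:
            entries.append(Entry(m['section'], m['rest']))
    return entries


def suspicious(log_text):
    """(name, flags) for every entry that tripped at least one heuristic."""
    return [(e.name, e.flags) for e in parse(log_text) if e.flags]


if __name__ == '__main__':
    for name, flags in suspicious(SAMPLE_LOG):
        print(f'{name}: {"; ".join(flags)}')
```

Run it on a full log by passing the file contents to `suspicious`. The heuristics deliberately stay coarse: a flagged entry is a prompt to look the path up, as the helpers in this thread do, not a verdict, and unflagged entries (the Java updater, the Office shortcut, the Zone Labs service in the sample) are only unflagged by location, not vouched for.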

#10 Exspider

Exspider
  • Topic Starter

  • Members
  • 135 posts
  • Location:In the middle
  • Local time:07:09 PM

Posted 03 February 2005 - 06:22 PM

Thanks for taking a look at this problem. IE keeps crashing when AVG finds a virus & I put them in the vault. The 2 AVG entries are the only ones I have selected for system startup. I can't boot to safe mode. It fails & system reboots. I can still get XP to load.
IE is still crashing. get re-directed to horseServer.net, AVG picks it up and I get the old Send-Don't Send error message. I can barely keep this thing running long enough to post.
SpyBot found 2:Haxdoor-H & Wind Updates- Deleted & got system error as follows:
C:\windows\system32\klogini.dll not valid Windows image.
Deleted both
Ran Ad-Aware. Found 3 malware (BlazeFind in registry). They deleted ok.
svchost.exe shows up 5 or 6 times in task manager.
I will submit a current HJT next.

Edited by Exspider, 03 February 2005 - 08:11 PM.


#11 Exspider

Exspider
  • Topic Starter

  • Members
  • 135 posts
  • Location:In the middle
  • Local time:07:09 PM

Posted 03 February 2005 - 08:27 PM

I'll enable all startup items for this log.
Logfile of HijackThis v1.99.0
Scan saved at 7:27:11 PM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ACD Systems\ACDSee\ACDSee.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Bartimus.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = d:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///c:/Bartimus.net/index.htm
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [yvql] c:\windows\yvql.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [sfcfgn] C:\WINDOWS\sfcfgn.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ofwvaj] C:\WINDOWS\ofwvaj.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [MBFREcge.exe] C:\documents and settings\bart\local settings\temp\MBFREcge.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 825" /O6 "USB001" /M "Stylus Photo 825"
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [8VNMHFPW.exe] C:\documents and settings\bart\local settings\temp\8VNMHFPW.exe
O4 - HKLM\..\Run: [3@Q#8P33557LX3] C:\WINDOWS\System32\Reyd5kLS.exe
O4 - HKLM\..\Run: [1c7T] C:\WINDOWS\wqxcx.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [163275f8d246] C:\WINDOWS\System32\authz282.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Ohq] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Enro] C:\Documents and Settings\Bart\Application Data\masr.exe
O4 - Startup: winupdate18260142[1].exe
O4 - Startup: winupdate24921484[1].exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096499455562
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6662A3FB-C475-446F-89BD-7C2E529D01D8}: NameServer = 216.176.95.129,216.176.95.161
O17 - HKLM\System\CS1\Services\Tcpip\..\{6662A3FB-C475-446F-89BD-7C2E529D01D8}: NameServer = 216.176.95.129,216.176.95.161
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (read only) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Unknown - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Your friends and the numbers all add up, we're just here to count them.......

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:09 PM

Posted 03 February 2005 - 08:40 PM

Print out these instructions and then close all windows including Internet Explorer.

Reboot your computer into Safe Mode

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = d:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O4 - HKLM\..\Run: [yvql] c:\windows\yvql.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [sfcfgn] C:\WINDOWS\sfcfgn.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ofwvaj] C:\WINDOWS\ofwvaj.exe
O4 - HKLM\..\Run: [MBFREcge.exe] C:\documents and settings\bart\local settings\temp\MBFREcge.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [8VNMHFPW.exe] C:\documents and settings\bart\local settings\temp\8VNMHFPW.exe
O4 - HKLM\..\Run: [3@Q#8P33557LX3] C:\WINDOWS\System32\Reyd5kLS.exe
O4 - HKLM\..\Run: [1c7T] C:\WINDOWS\wqxcx.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [163275f8d246] C:\WINDOWS\System32\authz282.exe
O4 - HKCU\..\Run: [Ohq] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Enro] C:\Documents and Settings\Bart\Application Data\masr.exe
O4 - Startup: winupdate18260142[1].exe
O4 - Startup: winupdate24921484[1].exe


Then delete these files or directories (do not be concerned if they do not exist):

C:\WINDOWS\cerbmod.dll
C:\WINDOWS\System32\DSMANAGER.DLL
c:\windows\yvql.exe
c:\windows\system32\taskmgn.exe
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\sfcfgn.exe
c:\program files\180solutions\
C:\WINDOWS\ofwvaj.exe
C:\documents and settings\bart\local settings\temp\MBFREcge.exe
C:\Program Files\ISTsvc\
C:\documents and settings\bart\local settings\temp\8VNMHFPW.exe
C:\WINDOWS\System32\Reyd5kLS.exe
C:\WINDOWS\wqxcx.exe
c:\windows\180ax.exe
C:\WINDOWS\System32\authz282.exe
C:\WINDOWS\System32\??plorer.exe
C:\PROGRAM FILES\Web Offer\
C:\Documents and Settings\Bart\Application Data\masr.exe
C:\documents and settings\bart\Start Menu\Programs\Startup\winupdate18260142[1].exe
C:\documents and settings\bart\Start Menu\Programs\Startup\winupdate24921484[1].exe

Reboot your computer to go back to normal mode and post a new log.


Then click on Start, then Run, type cmd and press Enter.

Type:

sc delete winsys

and press Enter.

Then type:

sc delete VDMT16

and press Enter.

Reboot into safe mode and make sure those files are still gone. Then delete these files if they exist:

c:\windows\system32\klogini.dll
c:\windows\system32\p2.ini
c:\windows\system32\ps.a3d
c:\windows\system32\vdnt32.sys
c:\windows\system32\vdmt16.sys
c:\windows\system32\winlow.sys
c:\windows\system32\klo5.sys
c:\windows\system32\drct16.dll
c:\windows\system32\mszx23.exe

Reboot and post a new log, and tell me how these steps worked.
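The fix list above was built by reading the O4 (autostart) lines of the posted log by hand. The script below is an added example, not part of this thread and not part of HijackThis: it parses O4 lines in the format HijackThis prints and flags entries with generic heuristics (executable in a temp directory, loose executable in the Windows root, a file name one character away from a system binary, characters the log could not render, random-looking Run value names, a `[n].exe` download-cache name in a Startup folder). The sample log is a constructed subset of the log posted above; the adware directory names come from the delete list in the post above; the heuristics, thresholds and function names are the example's own assumptions.

```python
"""Triage the O4 autostart entries of a HijackThis log (added example, not
HijackThis's own code). Heuristics and thresholds are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the O4 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [yvql] c:\windows\yvql.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [MBFREcge.exe] C:\documents and settings\bart\local settings\temp\MBFREcge.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [3@Q#8P33557LX3] C:\WINDOWS\System32\Reyd5kLS.exe
O4 - HKLM\..\Run: [163275f8d246] C:\WINDOWS\System32\authz282.exe
O4 - HKCU\..\Run: [Ohq] C:\WINDOWS\System32\??plorer.exe
O4 - HKCU\..\Run: [Enro] C:\Documents and Settings\Bart\Application Data\masr.exe
O4 - Startup: winupdate18260142[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<rest>.+)$")
# Executable path: optionally quoted, ends at the first known extension followed by space/end.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|pif|bat))"?(?:\s|$)', re.IGNORECASE)

SYSTEM_BINARIES = ("explorer.exe", "taskmgr.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "services.exe", "csrss.exe")
# Directories the helper in this thread told the poster to delete outright.
KNOWN_ADWARE_DIRS = ("\\180solutions\\", "\\istsvc\\", "\\web offer\\")


@dataclass
class Finding:
    line: str
    name: str            # Run value name, or the file/shortcut name for Startup entries
    path: str            # executable path exactly as the log printed it
    reasons: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; '?' in `a` (the log's placeholder for a character
    it could not render) matches any character for free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if (ca == cb or ca == "?") else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def reasons_for(name: str, path: str) -> list:
    p = path.lower()
    fname = p.rsplit("\\", 1)[-1]
    reasons = []
    if "\\temp\\" in p:
        reasons.append("runs from a temp directory")
    if p.endswith("\\application data\\" + fname):
        reasons.append("executable dropped directly in Application Data")
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", p):
        reasons.append("loose executable in the Windows directory")
    if "?" in fname:
        reasons.append("characters the log could not render in the file name")
    for sysbin in SYSTEM_BINARIES:
        if fname != sysbin and edit_distance(fname, sysbin) <= 1:
            reasons.append(f"look-alike of {sysbin}")
    if re.fullmatch(r"[0-9a-f]{10,}", name.lower()) or re.search(r"[@#$%]", name):
        reasons.append("random-looking Run value name")
    if any(d in p for d in KNOWN_ADWARE_DIRS):
        reasons.append("known adware directory")
    if re.search(r"\[\d+\]\.exe$", fname):
        reasons.append("download-cache name ([n].exe) in a Startup folder")
    return reasons


def parse_o4(line: str):
    """Return (name, path) for an O4 line, or None for anything else."""
    m = RUN_RE.match(line)
    if m:
        e = EXE_RE.match(m["cmd"])
        return (m["name"], e["path"]) if e else None
    m = STARTUP_RE.match(line)
    if m:
        rest = m["rest"]
        if " = " in rest:                      # "shortcut.lnk = target"
            name, path = rest.split(" = ", 1)
            return name, path
        # HijackThis prints only the file name here; the analyst prepends the Startup folder.
        return rest, rest
    return None


def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o4(line.strip())
        if parsed:
            name, path = parsed
            findings.append(Finding(line.strip(), name, path, reasons_for(name, path)))
    return findings


def suspicious(log_text: str) -> list:
    return [f for f in triage(log_text) if f.reasons]


def files_to_delete(log_text: str) -> list:
    """Paths to remove after the HijackThis fix, like the delete list in the post above."""
    return sorted({f.path for f in suspicious(log_text)}, key=str.lower)


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"{f.path}\n    " + "; ".join(f.reasons))
```

The output is a review list, not an auto-delete list: the heuristics are deliberately loose (a vendor's oddly named updater can land in them), and Startup-folder entries come back as bare file names because the log does not print the folder, so the analyst still has to prepend the profile's Startup path as the helper did above.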

#13 Exspider

Exspider
  • Topic Starter

  • Members
  • 135 posts
  • OFFLINE
  • Location:In the middle
  • Local time:07:09 PM

Posted 03 February 2005 - 08:58 PM

:thumbsup: I really fixed this one didn't I? Looks like another run away at the rodeo to me. Oh well, I think I learned something anyhow.
BC is a good thing & I will always give you a plug and a Hat Tip at bartimus.net.
Now if I can just get this stuff to run long enough to get 380gb of data backed up.........Probably backing up ISTsvc for all I know.
Viva La Bleeping Computers! French for, "Glad somebody's got it figured out".
Ye Ha! And welcome to the rodeo.
I still think we should boil them in oil. I don't have problems with rodeo clowns, but when they start to muck it up for all of us it does become an issue.
Thanks BC

Edited by Exspider, 04 February 2005 - 06:13 PM.


#14 Exspider

Exspider
  • Topic Starter

  • Members
  • 135 posts
  • OFFLINE
  • Location:In the middle
  • Local time:07:09 PM

Posted 03 February 2005 - 09:46 PM

I can't boot to safe mode for some reason, it blanks out & restarts system.
I booted back into XP with all startup items enabled. I then disabled all startup items to reboot again.
Why can't I get into safe mode? Do I need to un-install something I loaded recently like AVG?
Can I do these steps from XP?
My printer just ran out of black ink & WalMart is closed, but I changed the font color & printed it anyhow.
What a day!
If this thing keeps messing with me I'll hit it with Fdisk.
Any help will not be forgotten.
"My computer fell down & won't get back up!"

Edited by Exspider, 03 February 2005 - 09:59 PM.


#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:09 PM

Posted 04 February 2005 - 05:22 PM

Not sure why you can't enter safe mode... try fixing as much as you can in regular mode, reboot, and see if you can get into safe mode after.

Also, links back to here are always appreciated :thumbsup: See my pinned post in the announcements forum for a link swap.
