Browser help


  • This topic is locked
4 replies to this topic

#1 mercedes85219

mercedes85219


Posted 11 February 2005 - 06:57 PM

I tried using Hijack This, AVG, Spy Sweeper, and Adaware to remove this browser hijacker... I tried following the steps that were provided in one of these forum postings. To no avail. Here is a log from the most recent Hijack This:

Logfile of HijackThis v1.99.0
Scan saved at 4:50:39 PM, on 2/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\locator.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\j2re1.4.2_06\bin\javaw.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator.DS\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [WKVTM\ZIQL]IQW[WR`UM^L] C:\WINDOWS\System32\gyxzptifnvhley.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Is there a way to kill this thing? I check the boxes to remove the evil ones, and rerun hijack this, and they pop right back up. Spy Sweeper comes up with an alert of:

WKVTM\ZIQL]IQW[WR'UM^L -- Assessment: unknown

When I click on more details it says:

Product name is not provided
Company name is not provided
Copyright information is not provided

Location: C:\WINDOWS\System32\gyxzptifnvhley.exe
Registry or Startup Folder; HKLM Run Services

I deleted that file. It no longer exists in the System32 folder. Yet, it continues to pop up?

Help!
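The log above shows the classic pattern of a hijacker that survives a "Fix checked": the Local Page entries point at a bare IP address and an autorun value with an unreadable name lives under the RunServices key, and both are back in the second log after a reboot. The following script is an added example, not code from the thread or from the HijackThis project; it parses the R0, O2 and O4 lines quoted in this thread with a few simple, constructed heuristics (bare-IP start page, legacy RunServices key, garbage value name, temp-directory target, BHO with missing DLL) and then reports which suspicious entries are present in both logs, i.e. which ones "popped right back up". The regular expressions and the name pattern are my own assumptions about the log format, not an official grammar.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample input: the R0/O4/O16 lines of the first log posted in this thread (11 Feb).
LOG_FEB11 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [WKVTM\ZIQL]IQW[WR`UM^L] C:\WINDOWS\System32\gyxzptifnvhley.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
"""

# Constructed sample input: the same sections from the log posted after the reboot (16 Feb).
LOG_FEB16 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [WKVTM\ZIQL]IQW[WR`UM^L] C:\WINDOWS\System32\gyxzptifnvhley.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Assumed line shapes (my reading of the HijackThis output above, not an official grammar).
R_LINE = re.compile(r"^(R[01]) - (?P<key>.+?) = (?P<url>\S+)$")
O4_LINE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>.+)\] (?P<cmd>.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# Characters we expect in an autorun value name set by ordinary software (assumption).
NAME_OK = re.compile(r"^[A-Za-z0-9_ .-]+$")


def host_is_raw_ip(url):
    """True when the URL's host is a literal IP address rather than a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_line(line):
    """Return the reasons a single log line looks suspicious (empty list if none)."""
    reasons = []
    m = R_LINE.match(line)
    if m and host_is_raw_ip(m.group("url")):
        reasons.append("start/search page points at a bare IP address")
    m = O4_LINE.match(line)
    if m:
        loc, name, cmd = m.group("loc"), m.group("name"), m.group("cmd")
        if loc.lower().endswith("runservices"):
            reasons.append("autostart via the legacy RunServices key")
        if not NAME_OK.match(name):
            reasons.append("autorun value name is unreadable")
        if "\\temp\\" in cmd.lower():
            reasons.append("autorun target lives in a temp directory")
    m = O2_LINE.match(line)
    if m:
        path = m.group("path")
        if "(file missing)" in path:
            reasons.append("BHO registered but its DLL is missing")
        if "\\temp\\" in path.lower():
            reasons.append("BHO DLL loaded from a temp directory")
    return reasons


def analyze(log_text):
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            reasons = check_line(line)
            if reasons:
                findings[line] = reasons
    return findings


def survivors(before, after):
    """Suspicious entries present in both logs: the ones that came back after a fix or reboot."""
    return sorted(set(analyze(before)) & set(analyze(after)))


if __name__ == "__main__":
    for entry, why in analyze(LOG_FEB11).items():
        print(entry, "->", "; ".join(why))
    print("survived the reboot:", len(survivors(LOG_FEB11, LOG_FEB16)), "entries")
```

Run as-is it flags the two R0 entries and the RunServices entry in the first log, and reports that all three are still present in the second log. An entry that reappears after "Fix checked" and a reboot is not a HijackThis failure; something still running is rewriting the key, which is why the helper's advice in this thread is to remove the running component first and only then fix the remaining entries.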

#2 Grinler

Grinler

    Lawrence Abrams



Posted 12 February 2005 - 07:46 PM

Reboot, don't fix anything, let anything do what it wants to do. Then post a new log.

#3 mercedes85219

mercedes85219
  • Topic Starter


Posted 16 February 2005 - 08:06 PM

Ok. Rebooted, let everything do what it was going to do and here is the log:


Logfile of HijackThis v1.99.0
Scan saved at 6:04:09 PM, on 2/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Documents and Settings\Administrator.DS\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [WKVTM\ZIQL]IQW[WR`UM^L] C:\WINDOWS\System32\gyxzptifnvhley.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

#4 Grinler

Grinler

    Lawrence Abrams



Posted 16 February 2005 - 09:04 PM

You are using an outdated version of hijackthis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Then post a new log

#5 Grinler

Grinler

    Lawrence Abrams



Posted 16 February 2005 - 09:06 PM

You are currently using hijackthis from a temp directory. This can cause problems. Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory. Run the program from that directory from now on.

For a tutorial on how to use HijackThis please see the following link:

Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

You have a Peper infection

Download the removal tool :

Peper Removal Tool

!!! Please run this twice with a reboot in between.

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:


O2 - BHO: TChkBHO Class - {683529BE-1325-4845-88A5-E92F3C5E8389} - D:\WINDOWS\system32\hwyicpmk.dll
O2 - BHO: kpylgbjmm Class - {9A27DD1D-3794-459E-BCCE-B2C768939C6C} - D:\WINDOWS\system32\moz030715s.dll
O2 - BHO: tbqwcjzfollrpdfjelzf - {c8bdc66c-562f-4a87-a217-e909d9859d80} - D:\DOCUME~1\awerm001\APPLIC~1\triefyllbrly.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - D:\Documents and Settings\awerm001\Local Settings\Temp\EqE.dll
O4 - HKLM\..\Run: [wdskctl] D:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [ANrAIFhjj] D:\windows\temp\ANrAIFhjj.exe
O4 - HKLM\..\Run: [2LW#WE84L88R8P] D:\WINDOWS\System32\QhqYq.exe
O4 - HKLM\..\Run: [7rZudTZCE] D:\documents and settings\awerm001\local settings\temp\7rZudTZCE.exe
O4 - HKLM\..\Run: [xhrmy] D:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [CSuy] D:\documents and settings\awerm001\local settings\temp\CSuy.exe
O4 - HKLM\..\Run: [UHCLTAv] D:\documents and settings\awerm001\local settings\temp\UHCLTAv.exe
O4 - Global Startup: CLEANXP.BAT

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)


D:\WINDOWS\system32\hwyicpmk.dll
D:\WINDOWS\system32\moz030715s.dll
D:\Documents and Settings\awerm001\Local Settings\Temp\EqE.dll
D:\WINDOWS\wdskctl.exe
D:\windows\temp\ANrAIFhjj.exe
D:\WINDOWS\System32\QhqYq.exe
D:\documents and settings\awerm001\local settings\temp\7rZudTZCE.exe
D:\WINDOWS\Xhrmy.exe
D:\documents and settings\awerm001\local settings\temp\CSuy.exe
D:\documents and settings\awerm001\local settings\temp\UHCLTAv.exe

Reboot your computer to go back to normal mode and post a new log.