IBIS.exe AdTools.exe


5 replies to this topic

#1 tbarley (Members, 8 posts)

Posted 08 March 2005 - 06:31 PM

A friend of mine is having problems with Spyware/Adware. I have been successful in cleaning 117 entries; however, there are two that seem to keep coming back: IBIS.exe and AdTools.exe. I have run Spybot S&D and Aluria's Security Center and both cannot eliminate the problem. Below is a copy of the HJT log. Any advice will be appreciated. OS being used is WinXP Home.


Logfile of HijackThis v1.99.1
Scan saved at 1:35:03 PM, on 3/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ykyukk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\rzivce.exe
C:\WINDOWS\system32\Ugalsr.exe
C:\Program Files\Windows AdStatus\WinStat.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\y2k3lewm\y2k3lewm.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Paige\Application Data\eetu.exe
C:\WINDOWS\System32\w?wexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
C:\windows\system32\packager.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\LxrJD31s.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebReg.serv...ID=MY38ED24F06T
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CD2852D-7788-4B25-8EB2-70AFC14E6FDD} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {1426E6EC-C273-46DE-BDCC-AE8DE9CB7A09} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {2BD8BFB1-8C67-413D-AFAB-6148036E1DD1} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {30AB38DE-F9B9-4776-B2C0-51737F8488D3} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {3DC14C66-A194-45BD-9047-4165776C88ED} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {40DD47E4-FF38-452D-B5FB-1D32EDA6B92E} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {48F69427-1AFA-475F-838B-AFB3B13CE499} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {4D4FA74F-BBFA-415E-86F5-553134C7E480} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {4FF33638-F98B-F053-D69C-F50A7779A5EB} - C:\WINDOWS\System32\yckixanr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {57FBAF21-C8A6-4850-B239-0946CAD28093} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {5A74ABD3-6F39-41B7-914A-8D4AC39B84C8} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {5AFE84A3-DCF3-46DA-B591-FEBE10C695E5} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {5CA1EC00-BE60-4C25-BA22-37C1EFE5B51F} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {60379A21-1815-48EA-BE3B-B8E42EE4464E} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {61D550FD-9D65-429A-AE80-AE90B348D309} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {64042924-5F22-4994-940A-8BC1796A0F74} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {6900022B-BB18-4954-9F8E-07FEEB6EDA43} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {6984DE74-7C40-46DB-AB29-BFFCB72C8920} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {6B99F659-4779-4C28-A8E0-1CDC94054013} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {8216810D-6BFC-4541-B919-105894191CCB} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {867530B4-995F-4170-A465-2955A27D854B} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {8A741B52-FEA6-41CD-95B8-543106A99B2D} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {8F5924E6-F91E-4A5D-87E2-08CF0543D14A} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {97E65466-9887-4563-BA7A-1F6FB265E25B} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {9AEF9A17-03F9-496A-8731-0F0AA85389C5} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {A7CBE887-1605-404D-9054-629630102EF6} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {A7F4D997-0E6E-46AE-B805-CD55FB3B4937} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {A85492FD-92C7-4E80-A71A-E56769487244} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {AAB537BF-2AF3-4A80-9302-CE2BA5BD96D8} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {AF6DA8E0-59E3-4C40-BCE0-E5B8FE6A9C4C} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {AFE69707-F64F-43F7-BE50-04B8B13DCDAC} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {E18D1B8C-747E-4858-85D7-992A8764E3C2} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {EF1FEB16-8C09-42CF-8F3F-3AF4CE07ABD1} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {F679221A-56CC-4BA4-8388-2BFBC870471E} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rzivce] c:\windows\system32\rzivce.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Sqojcy.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Ugalsr.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [y2k3lewm] C:\Program Files\y2k3lewm\y2k3lewm.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [hwt2RXc8T] rzitl.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Paige\Application Data\eetu.exe
O4 - HKCU\..\Run: [Qzkd] C:\WINDOWS\System32\w?wexec.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...426/mcfscan.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O18 - Protocol: bw+0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {4CF8E06C-B6A9-4F77-A633-1EE6AD9AEC85} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ascserv.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 09 March 2005 - 04:29 AM

Hi there,
Looks like you are dealing with Qoologic too; we'll find out later.

* Download and install CCleaner
Do not use it yet.

Download CWShredder.
Start CWShredder and click FIX

* Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {0CD2852D-7788-4B25-8EB2-70AFC14E6FDD} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {1426E6EC-C273-46DE-BDCC-AE8DE9CB7A09} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {2BD8BFB1-8C67-413D-AFAB-6148036E1DD1} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {30AB38DE-F9B9-4776-B2C0-51737F8488D3} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {3DC14C66-A194-45BD-9047-4165776C88ED} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {40DD47E4-FF38-452D-B5FB-1D32EDA6B92E} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {48F69427-1AFA-475F-838B-AFB3B13CE499} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {4D4FA74F-BBFA-415E-86F5-553134C7E480} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {4FF33638-F98B-F053-D69C-F50A7779A5EB} - C:\WINDOWS\System32\yckixanr.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {57FBAF21-C8A6-4850-B239-0946CAD28093} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {5A74ABD3-6F39-41B7-914A-8D4AC39B84C8} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {5AFE84A3-DCF3-46DA-B591-FEBE10C695E5} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {5CA1EC00-BE60-4C25-BA22-37C1EFE5B51F} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {60379A21-1815-48EA-BE3B-B8E42EE4464E} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {61D550FD-9D65-429A-AE80-AE90B348D309} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {64042924-5F22-4994-940A-8BC1796A0F74} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {6900022B-BB18-4954-9F8E-07FEEB6EDA43} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {6984DE74-7C40-46DB-AB29-BFFCB72C8920} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {6B99F659-4779-4C28-A8E0-1CDC94054013} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {8216810D-6BFC-4541-B919-105894191CCB} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {867530B4-995F-4170-A465-2955A27D854B} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {8A741B52-FEA6-41CD-95B8-543106A99B2D} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {8F5924E6-F91E-4A5D-87E2-08CF0543D14A} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {97E65466-9887-4563-BA7A-1F6FB265E25B} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {9AEF9A17-03F9-496A-8731-0F0AA85389C5} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {A7CBE887-1605-404D-9054-629630102EF6} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {A7F4D997-0E6E-46AE-B805-CD55FB3B4937} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {A85492FD-92C7-4E80-A71A-E56769487244} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {AAB537BF-2AF3-4A80-9302-CE2BA5BD96D8} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {AF6DA8E0-59E3-4C40-BCE0-E5B8FE6A9C4C} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {AFE69707-F64F-43F7-BE50-04B8B13DCDAC} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {E18D1B8C-747E-4858-85D7-992A8764E3C2} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {EF1FEB16-8C09-42CF-8F3F-3AF4CE07ABD1} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {F679221A-56CC-4BA4-8388-2BFBC870471E} - C:\Program Files\y2k3lewm\y2k3lewm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [rzivce] c:\windows\system32\rzivce.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Sqojcy.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Ugalsr.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [y2k3lewm] C:\Program Files\y2k3lewm\y2k3lewm.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [hwt2RXc8T] rzitl.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Paige\Application Data\eetu.exe
O4 - HKCU\..\Run: [Qzkd] C:\WINDOWS\System32\w?wexec.exe
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
+ all the O18 lines


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode:
To get into Safe Mode as the computer is booting, press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system32\ykyukk.exe
C:\windows\system32\rzivce.exe
C:\WINDOWS\system32\Ugalsr.exe
C:\Program Files\Windows AdStatus <== this folder
C:\Program Files\y2k3lewm <== this folder
C:\Documents and Settings\Paige\Application Data\eetu.exe
C:\WINDOWS\System32\w?wexec.exe <== do NOT delete wowexec.exe which is 11kb and has the icon of a little computer!!
C:\Program Files\CxtPls <== this folder
C:\WINDOWS\wdskctl.exe
C:\WINDOWS\system32\Sqojcy.exe
C:\WINDOWS\farmmext.exe

* Start CCleaner and click Run Cleaner

* Reboot your system back to normal mode

* Perform an online virus scan:
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www3.ca.com/threatinfo/virusinfo/scan.aspx

Download Find Qoologic
Run Qoologic.bat and wait for the log to be generated. (this can take a while)

Post back a fresh HijackThis log + the log that Qoologic.bat produces (C:\log.txt) and I'll take another look.

#3 tbarley

tbarley
  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:56 AM

Posted 14 March 2005 - 12:41 PM

Hi miekiemoes,

Thanks for all your help. Sorry for the delay getting back to you. My friend left town for a few days. I did all your suggestions, however, a few of them I could not do because I was not allowed to delete them. The problems I encountered are listed below:

C:\WINDOWS\system32\ykyukk.exe THIS FILE WAS NOT FOUND, HOWEVER, THERE WAS A FILE YKYAKK.EXE. I DID NOT DELETE IT AND THE YKYUKK.EXE SEEMS TO STILL BE THERE

C:\windows\system32\rzivce.exe I COULD NOT DELETE THIS FILE BECAUSE "ACCESS DENIED"

C:\Documents and Settings\Paige\Application Data\eetu.exe THIS FILE WAS NOT FOUND EITHER

C:\WINDOWS\System32\w?wexec.exe THIS FILE WAS NOT FOUND EITHER
C:\Program Files\CxtPls THIS FOLDER WAS NOT FOUND EITHER
C:\WINDOWS\wdskctl.exe THIS FILE WAS NOT FOUND EITHER

Here is the HJT log and I'll post the Qoologic log later this afternoon.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ykyukk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\windows\system32\rzivce.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\windows\system32\calc.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebReg.serv...ID=MY38ED24F06T
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [rzivce] c:\windows\system32\rzivce.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...426/mcfscan.cab
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ascserv.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Please advise!

Thanks again

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:03:56 PM

Posted 14 March 2005 - 01:03 PM

Hi Tbarley,

It is important that you follow this step too that was in my previous post:

Download Find Qoologic
Run Qoologic.bat and wait for the log to be generated. (this can take a while)


Post this log in your next reply.

#5 tbarley

tbarley
  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:56 AM

Posted 14 March 2005 - 08:47 PM

Miekiemoes,

Here's the latest HJT and Qoologic logs. Let me know if there is anything else I need to do. I think the PC is running clean at this time. Please advise.

And thanks again for your help.

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 3:56:11 PM, on 3/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LxrJD31s.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\windows\system32\rzivce.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ynygnn.exe
C:\windows\system32\calc.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPZipm12.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebReg.serv...ID=MY38ED24F06T
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [rzivce] c:\windows\system32\rzivce.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\ykyukk.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: ynygnn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...426/mcfscan.cab
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ascserv.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

QOOLOGIC LOG

C:\Documents and Settings\Paige

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\gpgapp.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\gpgupp.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\pqpuqq.exe: updates.qoologic.com
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\qvquvv.dat: .aspack
C:\WINDOWS\SYSTEM32\ykyukk.exe: .aspack

Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ynygnn.exe: .aspack
Files Found in all users windows Folder............
------------------------
Finished
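The Qoologic log above reports each file together with the marker string found inside it (".aspack", "updates.qoologic.com"). The following is an added example, not the Qoologic.bat tool itself: it assumes, as the log format suggests, that a file is flagged when its bytes contain one of those markers, and it builds a constructed sample folder rather than touching a real System32. As the log's own warning says, a match is not proof of malware; the log above flags ntdll.dll on the same ".aspack" marker.

```python
"""Marker-string scan in the style of the Find Qoologic log (added example)."""
import os
import tempfile

# Marker strings taken from the log above; any file containing one is reported.
MARKERS = (b"updates.qoologic.com", b".aspack")


def scan_folder(folder, markers=MARKERS):
    """Return [(path, marker)] for every regular file in `folder` whose bytes
    contain a marker. One entry per file, like the log; unreadable (locked or
    access-denied) files are skipped rather than aborting the scan."""
    hits = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            continue
        for marker in markers:
            if marker in data:
                hits.append((path, marker.decode()))
                break
    return hits


def format_report(section, hits):
    """Render hits in the 'Files Found in ... Folder' layout the log uses."""
    lines = [f"Files Found in {section} Folder............", "-" * 24]
    lines += [f"{path}: {marker}" for path, marker in hits]
    return "\n".join(lines)


def build_sample_tree():
    """Constructed sample (hypothetical contents): a fake SYSTEM32 with one
    file carrying the update-host string, one carrying the packer marker and
    one clean file. Returns the folder path."""
    sys32 = os.path.join(tempfile.mkdtemp(), "SYSTEM32")
    os.makedirs(sys32)
    stub = b"MZ\x90\x00" + b"\x00" * 16          # fake PE header prefix
    samples = {
        "gpgapp.dll": stub + b"http://updates.qoologic.com/x",
        "ykyukk.exe": stub + b".aspack\x00.adata",
        "calc.exe": stub + b"nothing of interest here",
    }
    for name, body in samples.items():
        with open(os.path.join(sys32, name), "wb") as fh:
            fh.write(body)
    return sys32


if __name__ == "__main__":
    folder = build_sample_tree()
    print(format_report("system", scan_folder(folder)))
```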

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:03:56 PM

Posted 15 March 2005 - 01:34 AM

Hello, no, not clean yet.

* Download and unzip Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold:

C:\WINDOWS\SYSTEM32\gpgapp.dll
C:\WINDOWS\SYSTEM32\gpgupp.dll
C:\WINDOWS\SYSTEM32\pqpuqq.exe
C:\WINDOWS\SYSTEM32\qvquvv.dat
C:\WINDOWS\SYSTEM32\ykyukk.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ynygnn.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these 4 lines must be there together!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot. Click YES
When it asks if you would like to Reboot now, click YES

Your system must reboot now.

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [rzivce] c:\windows\system32\rzivce.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\ykyukk.exe
O4 - Global Startup: ynygnn.exe


* Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\windows\system32\rzivce.exe
C:\Program Files\Windows AdStatus <== this folder

* Reboot your system.

Post back a fresh HijackThis together with a new Qoologic log.