
#1 Silverxwillow

Posted 28 March 2005 - 06:27 PM

I'm having seriously bad amounts of pop-ups, and programs called BullsEye and Virtual Bouncer keep downloading themselves onto my computer and making it EXTREMELY slow.

Logfile of HijackThis v1.99.1
Scan saved at 5:34:04 PM, on 3/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirect...&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: FlashEnhancer Extender - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - c:\Program Files\Flen\flen.dll
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [jrehlwwy] c:\windows\system32\jrehlwwy.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [wutv] C:\WINDOWS\System32\ttshr\wutv.exe
O4 - HKLM\..\Run: [mtjo] C:\WINDOWS\System32\qropitq\mtjo.exe
O4 - HKLM\..\Run: [fcubuxk] C:\WINDOWS\System32\eorcn\fcubuxk.exe
O4 - HKLM\..\Run: [bprp] C:\WINDOWS\System32\tvqph\bprp.exe
O4 - HKLM\..\Run: [tcfrllg] C:\WINDOWS\System32\pjyie\tcfrllg.exe
O4 - HKLM\..\Run: [smrhrrry] C:\WINDOWS\System32\rvks\smrhrrry.exe
O4 - HKLM\..\Run: [ylupg] C:\WINDOWS\System32\frwgiq\ylupg.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitefjd32.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\ovnhfvjt.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [DI2] C:\DOCUME~1\Linda\LOCALS~1\Temp\27.exe\27.exe
O4 - HKLM\..\Run: [FlenCPY] "C:\Program Files\Common Files\Java\flencpy.exe"
O4 - HKLM\..\Run: [dgtth] C:\WINDOWS\System32\idiqkjy\dgtth.exe
O4 - HKLM\..\Run: [wddnbp] C:\WINDOWS\System32\reghdg\wddnbp.exe
O4 - HKLM\..\Run: [osmh] C:\WINDOWS\System32\erqweyjd\osmh.exe
O4 - HKLM\..\Run: [skyhn] C:\DOCUME~1\STEPHA~1\LOCALS~1\Temp\hqytods.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [ubonvqg] C:\WINDOWS\System32\yocj\ubonvqg.exe
O4 - HKLM\..\Run: [pmxqwtnx] C:\WINDOWS\System32\vqkxrxcf\pmxqwtnx.exe
O4 - HKLM\..\Run: [fwmbsff] C:\WINDOWS\System32\dcpupm\fwmbsff.exe
O4 - HKLM\..\Run: [hqmpgkdw] C:\WINDOWS\System32\rvjlbwqo\hqmpgkdw.exe
O4 - HKLM\..\Run: [whynmp] C:\WINDOWS\System32\nhsdc\whynmp.exe
O4 - HKLM\..\Run: [hlag] C:\WINDOWS\System32\mqhw\hlag.exe
O4 - HKLM\..\Run: [wrbnrrs] C:\WINDOWS\System32\uxwot\wrbnrrs.exe
O4 - HKLM\..\Run: [vxakrn] C:\WINDOWS\System32\xhck\vxakrn.exe
O4 - HKLM\..\Run: [cfcg] C:\WINDOWS\System32\pxyakk\cfcg.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [5F6h3qh] ersfd.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [lbdijym] C:\WINDOWS\System32\gpabohv\lbdijym.exe
O4 - HKLM\..\Run: [egsh] C:\WINDOWS\System32\xmoukx\egsh.exe
O4 - HKLM\..\Run: [qbncv] C:\WINDOWS\System32\chryibl\qbncv.exe
O4 - HKLM\..\Run: [ybfjo] C:\WINDOWS\System32\umube\ybfjo.exe
O4 - HKLM\..\Run: [ctbkdcw] C:\WINDOWS\System32\yfiuepm\ctbkdcw.exe
O4 - HKLM\..\Run: [ujwbstd] C:\WINDOWS\System32\idfnkyw\ujwbstd.exe
O4 - HKLM\..\Run: [ccpask] C:\WINDOWS\System32\qkkhogda\ccpask.exe
O4 - HKLM\..\Run: [mwwhslc] C:\WINDOWS\System32\dmqi\mwwhslc.exe
O4 - HKLM\..\Run: [uuqwyr] C:\WINDOWS\System32\gkqwp\uuqwyr.exe
O4 - HKLM\..\Run: [sfcsm] C:\WINDOWS\System32\pjafi\sfcsm.exe
O4 - HKLM\..\Run: [wfkcxl] C:\WINDOWS\System32\aimba\wfkcxl.exe
O4 - HKLM\..\Run: [akocryk] C:\WINDOWS\System32\mdrdiqny\akocryk.exe
O4 - HKLM\..\Run: [jmfiyjyj] C:\WINDOWS\System32\gmyfolof\jmfiyjyj.exe
O4 - HKLM\..\Run: [arehcpmt] C:\WINDOWS\arehcpmt.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [KopnRkN4X] cremf11n.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: fcubuxkeorcn - Unknown owner - C:\WINDOWS\System32\eorcn\fcubuxk.exe
O23 - Service: hlagmqhw - Unknown owner - C:\WINDOWS\System32\mqhw\hlag.exe
O23 - Service: jmfiyjyjgmyfolof - Unknown owner - C:\WINDOWS\System32\gmyfolof\jmfiyjyj.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: osmherqweyjd - Unknown owner - C:\WINDOWS\System32\erqweyjd\osmh.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: smrhrrryrvks - Unknown owner - C:\WINDOWS\System32\rvks\smrhrrry.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: wddnbpreghdg - Unknown owner - C:\WINDOWS\System32\reghdg\wddnbp.exe
O23 - Service: whynmpnhsdc - Unknown owner - C:\WINDOWS\System32\nhsdc\whynmp.exe

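A way to triage a log like the one above programmatically, as an added example for this page (it is not part of the original post and not a HijackThis feature). It parses the O4 autorun lines and the O23 service lines and flags entries that match patterns visible in the posted log: executables started from a Temp directory, bare filenames resolved through PATH at logon, executables dropped straight into C:\WINDOWS, randomly named System32 subfolder/file pairs, and services with no owner. The sample lines are copied from the log above; the rule names and the "4 to 8 lowercase letters looks random" threshold are this example's own assumptions, and a hit means "review this entry by hand", not "this is malware".

```python
"""Triage the O4 (autorun) and O23 (service) lines of a HijackThis log.

Added example for this thread, not code from the original post or from
HijackThis. The heuristics below are this example's own assumptions: a
hit means "look at this entry by hand", not "this is malware".
"""
import re
from typing import Any, Dict, List, Set

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wutv] C:\WINDOWS\System32\ttshr\wutv.exe
O4 - HKLM\..\Run: [DI2] C:\DOCUME~1\Linda\LOCALS~1\Temp\27.exe\27.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [5F6h3qh] ersfd.exe
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: hlagmqhw - Unknown owner - C:\WINDOWS\System32\mqhw\hlag.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
# First token ending in an executable extension, quoted or not; the lookahead
# keeps "...\Temp\27.exe\27.exe" together as one path instead of cutting it.
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=["\s]|$)', re.I)
# Assumed marker for the naming scheme seen in this log: a short run of
# lowercase letters used for both the System32 subfolder and the file.
RANDOM_RE = re.compile(r"^[a-z]{4,8}$")


def executable_path(command: str) -> str:
    """Return the executable part of an autorun command line, unquoted."""
    command = command.strip()
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def suspicious_reasons(path: str) -> List[str]:
    """Heuristic location checks on one executable path (case-insensitive)."""
    reasons: List[str] = []
    low = path.lower()
    parts = low.split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    if len(parts) == 1:
        reasons.append("bare filename, resolved through PATH at logon")
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if len(parts) >= 2 and parts[-2] == "windows":
        reasons.append("executable placed directly in the Windows directory")
    if (len(parts) >= 3 and parts[-3] == "system32"
            and RANDOM_RE.match(parts[-2]) and RANDOM_RE.match(stem)):
        reasons.append("random-looking System32 subdirectory and filename")
    return reasons


def triage(log_text: str) -> List[Dict[str, Any]]:
    """Return one finding per O4/O23 line that trips at least one heuristic."""
    findings: List[Dict[str, Any]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            path = executable_path(command)
            reasons = suspicious_reasons(path)
            if reasons:
                findings.append({"kind": f"O4 {hive}\\..\\{key}", "name": name,
                                 "path": path, "reasons": reasons})
            continue
        m = O23_RE.match(line)
        if m:
            display, owner, path = (g.strip() for g in m.groups())
            reasons = suspicious_reasons(path)
            if owner.lower() == "unknown owner":
                reasons.append("service with no vendor/owner information")
            if reasons:
                findings.append({"kind": "O23 service", "name": display,
                                 "path": path, "reasons": reasons})
    return findings


def flagged_names(log_text: str) -> Set[str]:
    """Names of all flagged entries, for a quick diff against a full log."""
    return {f["name"] for f in triage(log_text)}


def reasons_for(log_text: str, name: str) -> List[str]:
    """Reasons recorded for one entry name (empty if it was not flagged)."""
    for f in triage(log_text):
        if f["name"] == name:
            return list(f["reasons"])
    return []


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']}: [{f['name']}] {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample, the legitimate QuickTime and Messenger autoruns pass untouched while the six dropper entries are listed with the rule each one tripped; feed it the whole posted log and the dozens of `System32\<random>\<random>.exe` lines collapse into one pattern, which is what a helper reading such a log does by eye. The heuristics are tuned to the 2005-era droppers seen here and will not catch a file that hides in Program Files under a plausible name, so they narrow the list for manual review rather than replace it.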

#2 rstones12 (Malware Expert, Tempe, Arizona)

Posted 29 March 2005 - 12:31 AM


Welcome to the Bleeping Computer Forums
I will be reviewing your HJT log.
We need to address a few issues first.

Your Windows OS is out of date.

An unprotected, unpatched Windows XP installation will get infected within minutes of connecting to the Internet.

You can download update SP1A

Once you have done this here are some preliminary directions:

We are going to need to remove a few things, but first I would like you to do the following. The reason I am asking for these initial steps is that they can clear up some items in the first part of the fix if needed.

I have outlined some preliminary steps that we need to address. You may want to print out these instructions for reference. This process will take a few steps, so please be patient and follow the provided directions.

First Download CWShredder
And save it to your desktop.
Close all open browser windows and any other open windows.

Install CWShredder, then:

Open CWS and click Check for Updates
Then click "FIX"

Please run at least one of these online scans, and allow it to delete anything it finds:
You may have to select the auto-fix option prior to scanning; it should be a selection box on the screen. If you are a dial-up user just do one, as this can take some time.
If you are a broadband user, I would suggest at least 2 of the 3. One extra scan is most often enough.

TrendMicro HouseCall
Panda ActiveScan
eTrust AntiVirus Web Scanner
Please make a note of anything that wasn't or couldn't be fixed.
Reboot your machine when finished.

You may have run these programs already, make sure they are up to date and run per provided instructions.
Current Versions are:
Spybot S&D Ver: 1.3 Download Here
Ad-Aware SE Build 1.05 Download Here

Download and install both Spybot S&D and Ad-Aware SE.


Spybot S&D:
Go to your Start Menu >> Programs >> Spybot S&D >> then choose Spybot S&D.

*Close ALL windows except Spybot S&D
*Click the button to "Search for Updates" and download and install the Updates.
*Close Spybot then launch it again
*Click the button "Check for Problems"
*When Spybot is done scanning, it will be showing RED entries, BLACK entries and GREEN entries in the window
*Put a check mark beside the RED entries ONLY.
*Choose "Fix Selected Problems" and allow Spybot to fix the RED entries.

Go to your Start Menu >> Programs >> Lavasoft Ad-Aware SE >> then choose Ad-Aware SE Personal.

When the main window opens look in the bottom right corner and click on Check For Updates Now then click Connect and download the latest reference files.

From main window:
*Click Start then under Select a scan Mode check Perform Full System Scan.
*Next deselect Search for negligible risk entries.
*To scan just click the Next button.

When the scan has finished mark everything for removal and get rid of it.
(Right-click the window and choose select all from the drop down menu and click Next)
The program will ask if you want to fix/delete selected items, choose yes/fix.

Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Update your current Virus Scan Definitions:

Reboot into Safe Mode and Scan with Spybot S&D and Ad-Aware SE
Then Scan with your Anti-Virus Program

Delete your temp files:

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty Your Recycle Bin.

Reboot normally and post a new HJT log by using Add Reply.

"Security is a Process not a Product"

Help here is always free, but if you want to donate to help me continue my fight against malware -- Click Here
