
Topantispyware removal


17 replies to this topic

#1 dmcneir


Posted 11 May 2005 - 10:04 AM

I have been attempting removal without much success. I have run Spybot, Ad-Aware, SpywareBlaster and AVG in regular then Safe Mode and have not removed the desktop "overlay" from "top" yet. Here is the latest HJT log. Can anyone tell me where I go next? Thanks!



Logfile of HijackThis v1.99.1
Scan saved at 9:11:34 AM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\qupzkbh4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_Canada.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\qupzkbh4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing)
O2 - BHO: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [ Internet] C:\WINDOWS\System32\ipxsdlin.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Microsoft AntiSpyware helper - {0905B057-EE31-4E46-A064-295B5783000D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0905B057-EE31-4E46-A064-295B5783000D} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0019.exe
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} (Netscape) - http://downloads.netscape.com/search/toolbar/netscape.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F3E7FE2-DD8E-4AEA-B63E-A15ADB849EAE}: NameServer = 206.141.192.60 206.141.193.55
O21 - SSODL: Media Remote - {4CFD4766-D842-4B79-857E-96482BF8E0F1} - C:\WINDOWS\System32\kbdrcupd.dll
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


#2 OldTimer

Posted 11 May 2005 - 11:46 PM

Hello dmcneir and welcome to the BC forums. Before we get started on a fix I need some information on one of the files in your log. Please do the following.

Go to the Jotti's malware scan page and use the buttons at the top of the page to browse to this file on your hard drive and submit it for a scan:
C:\WINDOWS\System32\kbdrcupd.dll
Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 dmcneir

Posted 12 May 2005 - 08:49 AM

Submitted file and results below:


File: kbdrcupd.dll
Status: INFECTED/MALWARE
MD5: af75f9a1f043e833e6a2d7ac91a4dc43
Packers detected: YODER

Scanner results:
AntiVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found W32/PPdoor.M-bdr
Kaspersky Anti-Virus: Found Backdoor.Win32.PPdoor.v
mks_vir: Found Win32.4 (probable variant)
NOD32: Found nothing
Norman Virus Control: Found nothing
VBA32: Found nothing

Next step?

#4 OldTimer

Posted 12 May 2005 - 01:47 PM

Hi dmcneir. Thanks for the information. Ok, let's get started. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Download LSP-Fix to your desktop. Do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing)
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing)
O4 - HKLM\..\Run: [ Internet] C:\WINDOWS\System32\ipxsdlin.exe
O9 - Extra button: Microsoft AntiSpyware helper - {0905B057-EE31-4E46-A064-295B5783000D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0905B057-EE31-4E46-A064-295B5783000D} - (no file) (HKCU)
O21 - SSODL: Media Remote - {4CFD4766-D842-4B79-857E-96482BF8E0F1} - C:\WINDOWS\System32\kbdrcupd.dll

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\PROGRAM FILES\POWER SEARCH\ <--folder
c:\Program Files\Fln\ <--folder
C:\WINDOWS\System32\ipxsdlin.exe
C:\WINDOWS\System32\kbdrcupd.dll
c:\windows\system32\flsmngr.dll

Now search for these files and delete all instances. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.
osmim.dll
Step #5

Disconnect from the Internet and close all Internet Explorer windows. Run LspFix.exe and click in the checkbox for I know what I'm doing. Click on each listing of flsmngr.dll and osmim.dll and then move it into the Remove section by clicking on the >> button that points to the right. When all instances of these DLLs are in the Remove section press the Finish button.

Now reboot to finish the fix.

Step #6

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #7

Reboot normally and run at least 2 of the following on-line virus scans:
  • Trend Micro Housecall
  • BitDefender On-Line Virus Scan
  • Panda ActiveScan
  • eTrust Antivirus Web Scanner
Make sure that you choose "fix" or "clean".

Step #8

AdAware SE

Download, install, update, configure and run a scan with Ad-aware SE:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let Ad-Aware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
        • Automatically quarantine objects prior to removal
        • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
        • include additional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Save the log file when it asks and then click ‘Finish’
  • REBOOT to complete the removal of what Ad-Aware SE found.
Step #9

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

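The triage OldTimer does by eye in Step #3 can be written down as rules over the log format. The Python script below is an added example, not part of this thread and not HijackThis code: it parses the `section - detail` lines of an HJT 1.99 log and flags the same classes of entry he selected (R0/R1 pages pointing at the hijacker host, a missing URLSearchHook, orphaned O2/O3/O9 entries, a whitespace-padded O4 Run name, O10 LSP problems and O21 SSODL DLLs). The embedded sample log is a constructed subset of the first log in this thread, and `HIJACK_HOSTS` is an assumed list seeded with the one host seen here.

```python
"""Rule-based triage of a HijackThis 1.99.x log (added example, not HJT's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumed deny-list of IE start/search page hosts; seeded with the host from this thread.
HIJACK_HOSTS = {"w-find.com"}

# Constructed sample: a subset of the first log posted above, one line per rule exercised.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrsdfp\pwrsdp1.dll (file missing)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ Internet] C:\WINDOWS\System32\ipxsdlin.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
O21 - SSODL: Media Remote - {4CFD4766-D842-4B79-857E-96482BF8E0F1} - C:\WINDOWS\System32\kbdrcupd.dll
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
"""

# Every HJT entry is "<section code> - <detail>"; header and process-list lines do not match.
ENTRY_RE = re.compile(r"^([RNFO]\d+) - (.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _hijacked_url(detail: str) -> bool:
    """R0/R1 detail ends in '= <URL>'; flag it when the URL's host is on the deny-list."""
    _, _, value = detail.partition(" = ")
    host = urlparse(value.strip()).hostname or ""   # about:blank has no host -> not flagged
    return host.lower() in HIJACK_HOSTS


def classify(section: str, detail: str) -> Optional[str]:
    """Return a review reason for one entry, or None when the entry looks benign."""
    if section in ("R0", "R1") and _hijacked_url(detail):
        return "start/search page points at a known hijacker host"
    if section == "R3" and "missing" in detail:
        return "default URLSearchHook missing (typical leftover of a search hijack)"
    if section in ("O2", "O3", "O9") and ("(no file)" in detail or "(file missing)" in detail):
        return "orphaned BHO/toolbar/button entry, target file is gone"
    if section == "O4":
        name = re.search(r"\[(.*?)\]", detail)          # the Run value name in brackets
        if name and name.group(1) != name.group(1).strip():
            return "Run value name padded with whitespace, an anomaly worth a look"
    if section == "O10":
        return "Winsock LSP problem; repair with LSP-Fix rather than deleting the DLL alone"
    if section == "O21":
        return "ShellServiceObjectDelayLoad DLL; submit to a multi-engine scan before removal"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk the log and collect every entry that a classification rule fires on."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, detail = m.groups()
        reason = classify(section, detail)
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```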

#5 dmcneir

Posted 13 May 2005 - 02:30 PM

OK-

Performed steps 1-4 and did not find folder C:\PROGRAM FILES\POWER SEARCH\ but there was a pwrsdp1 with 0 bytes and a cache folder within (also empty); left it alone.

deleted the others: C:\WINDOWS\System32\ipxsdlin.exe
C:\WINDOWS\System32\kbdrcupd.dll

but access was denied and I could not delete c:\windows\system32\flsmngr.dll

Steps 5 & 6 OK.

Step 7: ran all 4 scans. eTrust found 11, and a second scan after deleting found 7 that did not give an option to delete, fix or clean.

Step 8: ran Ad-Aware and deleted 14 entries. Below are the scan results and HJT log. How do they look?

Thanks again!

D

Logfile of HijackThis v1.99.1
Scan saved at 2:12:50 PM, on 5/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\HPConfig.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
C:\Program Files\Softwin\BitDefender Free Edition\bdnagent.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Desktop\lspfix\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\qupzkbh4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_Canada.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\qupzkbh4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0019.exe
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} (Netscape) - http://downloads.netscape.com/search/toolbar/netscape.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F3E7FE2-DD8E-4AEA-B63E-A15ADB849EAE}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

eTrust results


C:\RECYCLER\S-1-5-21-2731309904-677485609-624486211-500\
A0046080.exe Win32.Startpage.OJ infected C:\System Volume Information\_restore{E144E665-8959-4686-AD12-B148C9C948E3}\RP569\
A0046106.exe Win32.Codalush infected C:\System Volume Information\_restore{E144E665-8959-4686-AD12-B148C9C948E3}\RP569\
A0046107.dll Win32.Codalush infected C:\System Volume Information\_restore{E144E665-8959-4686-AD12-B148C9C948E3}\RP569\
ast_5_main.exe Win32.SillyDl.JO infected C:\WINDOWS\
hosts VBS.Qhosts infected C:\WINDOWS\
flsmngr.dll Win32.Screefed.B infected C:\WINDOWS\system32\
ocngyaaa.exe Win32.Fisec.D infected C:\WINDOWS\system32\
srpcsrv32.dll Win32.DlExaw.M infected C:\WINDOWS\system32\
txfdb32.dll Win32.DlExaw.M infected C:\WINDOWS\system32\
wldr.dll Win32.Angourd.F infected C:\WINDOWS\system32\



Scan #2


Scan Results: 40779 files scanned. 7 viruses were detected.

File Infection Status Path
A0046207.exe Win32.DlExaw.M infected C:\System Volume Information\_restore{E144E665-8959-4686-AD12-B148C9C948E3}\RP570\
A0046208.exe Win32.SillyDl.JO infected C:\System Volume Information\_restore{E144E665-8959-4686-AD12-B148C9C948E3}\RP570\
A0046209.dll Win32.Screefed.B infected C:\System Volume Information\_restore{E144E665-8959-4686-AD12-B148C9C948E3}\RP570\
A0046210.exe Win32.Fisec.D infected C:\System Volume Information\_restore{E144E665-8959-4686-AD12-B148C9C948E3}\RP570\
A0046211.dll Win32.DlExaw.M infected C:\System Volume Information\_restore{E144E665-8959-4686-AD12-B148C9C948E3}\RP570\
A0046212.dll Win32.DlExaw.M infected C:\System Volume Information\_restore{E144E665-8959-4686-AD12-B148C9C948E3}\RP570\
A0046213.dll Win32.Angourd.F infected C:\System Volume Information\_restore{E144E665-8959-4686-AD12-B148C9C948E3}\RP570\


Panda scan results

Incident Status Location

Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll
Adware:Adware/Findspy No disinfected C:\Documents and Settings\Owner\Favorites\ Free Hidden Cams World - Realtime.url
Adware:Adware/Findspy No disinfected C:\Documents and Settings\Owner\Favorites\ Free Spy Cam - Realtime.url
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/BroadcastPC No disinfected C:\Program Files\Bpt\BPT.exe
Adware:Adware/BroadcastPC No disinfected C:\Program Files\Common Files\Java\bpcv2_inst.exe
Adware:Adware/BroadcastPC No disinfected C:\Program Files\Common Files\Java\bpt.cfg
Adware:Adware/BroadcastPC No disinfected C:\Program Files\Common Files\Java\bptre.exe
Adware:Adware/FlashTrack No disinfected C:\Program Files\Common Files\Java\xclean.exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\remove_tools.html
Adware:Adware/TopSpyware No disinfected C:\RECYCLER\S-1-5-21-2731309904-677485609-624486211-500\Dc2.html
Virus:Trj/Legmir.CO Disinfected C:\WINDOWS\ab1.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\flashtlk.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\LastGood\INF\payload2.inf
Adware:Adware/WebHancer No disinfected C:\WINDOWS\LastGood\whAgent.inf
Adware:Adware/WebHancer No disinfected C:\WINDOWS\LastGood\whInstaller.exe
Virus:Trj/Hatoy.A Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20031201-173255.backup
Virus:Trj/Hatoy.A Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20040205-095330.backup
Virus:Trj/Hatoy.A Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20040205-095331.backup
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\system32\osconfig.dll
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\thun.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\vmss\vmss.exe
Adware:Adware/Findspy No disinfected C:\WINDOWS\system32\yquhrpne.exe
Adware:Adware/Findspy No disinfected C:\WINDOWS\vvegooc.exe
Adware:Adware/Findspy No disinfected C:\WINDOWS\yalwggr.exe

#6 OldTimer

Posted 13 May 2005 - 08:59 PM

Hi dmcneir. Before we finish up let's verify that these are gone:

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\GatorPatch.log
C:\keys.ini
C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll
C:\Documents and Settings\Owner\Favorites\ Free Hidden Cams World - Realtime.url
C:\Documents and Settings\Owner\Favorites\ Free Spy Cam - Realtime.url
C:\Program Files\Bpt\BPT.exe
C:\Program Files\Common Files\Java\bpcv2_inst.exe
C:\Program Files\Common Files\Java\bpt.cfg
C:\Program Files\Common Files\Java\bptre.exe
C:\Program Files\Common Files\Java\xclean.exe
C:\Program Files\Common Files\remove_tools.html
C:\RECYCLER\S-1-5-21-2731309904-677485609-624486211-500\Dc2.html
C:\WINDOWS\hosts
C:\WINDOWS\ast_5_main.exe
C:\WINDOWS\vvegooc.exe
C:\WINDOWS\yalwggr.exe
C:\WINDOWS\ab1.exe
C:\WINDOWS\inf\flashtlk.inf
C:\WINDOWS\LastGood\INF\payload2.inf
C:\WINDOWS\LastGood\whAgent.inf
C:\WINDOWS\LastGood\whInstaller.exe
C:\WINDOWS\system32\drivers\etc\hosts.20031201-173255.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040205-095330.backup
C:\WINDOWS\system32\drivers\etc\hosts.20040205-095331.backup
C:\WINDOWS\system32\drivers\etc\hosts.bho
C:\WINDOWS\system32\osconfig.dll
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\vmss\vmss.exe
C:\WINDOWS\system32\yquhrpne.exe
C:\WINDOWS\system32\flsmngr.dll
C:\WINDOWS\system32\ocngyaaa.exe
C:\WINDOWS\system32\srpcsrv32.dll
C:\WINDOWS\system32\txfdb32.dll
C:\WINDOWS\system32\wldr.dll

Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.

If needed, start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
I cannot tell from the scan reports that they were deleted. It appears that they were flagged as infected but were not disinfected, quarantined or deleted.

If any of these are still present then delete them or let me know if you are prevented from deleting them.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#7 dmcneir

dmcneir
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:52 AM

Posted 19 May 2005 - 08:02 AM

I'm back - was out of town for a few days and have now deleted those files that were not before.

New HJT log - what do you think?

Logfile of HijackThis v1.99.1
Scan saved at 7:59:27 AM, on 5/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\qupzkbh4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_Canada.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\qupzkbh4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
O4 - HKCU\..\Run: [aavfgqh] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [mwuaddm] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [tsedwto] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [pksmiuu] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [lkcbnqc] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [wiimbvt] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ydaeajj] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ghrlyea] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [wagwrad] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [tymaoux] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ycyapim] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [xvvsyfd] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [vihlwsk] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [lmvqkod] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ewuqmts] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ekymojj] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [yaecbpg] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ilbeynl] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [fmmgnpi] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [fxoytja] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [btkarml] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [wbgmstl] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ykascop] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [uestrei] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [kktwkwo] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ygageyx] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [vtxcahr] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [wkqgosf] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [wubdvax] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [vnvbfls] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [xbcwuwf] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [iqifddr] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [bqpnbvd] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [qxacccf] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ffkpbhy] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [iflcrmx] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [pnglpvv] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [haejycc] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [smkgjwo] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [qbukitq] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [hvtorei] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [trylsgb] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [tlaqqqe] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [qkdkdvw] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [euoymhi] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [lhyojml] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [cugujxg] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [puvihku] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ygqvhfq] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [bjagefc] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [vxxrsgm] c:\windows\ghjjvkq.exe
O4 - HKCU\..\Run: [luleiwc] c:\windows\ghjjvkq.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0019.exe
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} (Netscape) - http://downloads.netscape.com/search/toolbar/netscape.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F3E7FE2-DD8E-4AEA-B63E-A15ADB849EAE}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
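The striking feature of the log above is one executable in the Windows folder, yalwggr.exe, registered under roughly fifty differently named HKCU Run values, alongside IE start/search pages pointing at w-find.com. The script below is an added example for this thread, not HijackThis code and not something OldTimer posted: it parses the O4 and R0/R1 lines of an HJT log and applies two defender heuristics. The sample log is constructed after the pattern in the posted log, and the alias threshold, the allowlist of executables that legitimately live directly in the Windows folder, and the set of expected IE hosts are assumptions chosen for illustration.

```python
"""Heuristics over HijackThis O4 (autostart) and R0/R1 (IE page) lines.

Added example written for this thread; it is not part of HijackThis or of any
tool named in the thread. SAMPLE_LOG is constructed after the pattern in the
posted log; the thresholds, the allowlist of Windows-root executables and the
expected IE hosts are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# O4 - HKCU\..\Run: [aavfgqh] c:\windows\yalwggr.exe
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://...
R_RE = re.compile(r'^R[01] - (?P<hive>HK\w+)\\[^,]+,(?P<setting>[^=]+) = (?P<url>\S+)$')

# Executables that legitimately sit directly in the Windows folder (assumption).
WINROOT_ALLOW = {'explorer.exe', 'notepad.exe', 'regedit.exe', 'hh.exe'}

# Constructed sample modelled on the posted log (not the full log).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\\..\\Run: [MMTray] C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mm_tray.exe
O4 - HKLM\\..\\Run: [RoxioEngineUtility] "C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe"
O4 - HKLM\\..\\Run: [hpsysdrv] c:\\windows\\system\\hpsysdrv.exe
O4 - HKCU\\..\\Run: [aavfgqh] c:\\windows\\yalwggr.exe
O4 - HKCU\\..\\Run: [mwuaddm] c:\\windows\\yalwggr.exe
O4 - HKCU\\..\\Run: [tsedwto] c:\\windows\\yalwggr.exe
O4 - HKCU\\..\\Run: [vxxrsgm] c:\\windows\\ghjjvkq.exe
"""


def exe_from_command(cmd):
    """Return the lower-cased executable path from a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd[1:].lower()
    return cmd.split(' ', 1)[0].lower()          # unquoted: path ends at first space


def parse_hjt(text):
    """Split an HJT log into autostart (O4) and IE page (R0/R1) records."""
    autostarts, ie_pages = [], []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            rec = m.groupdict()
            rec['exe'] = exe_from_command(rec['cmd'])
            autostarts.append(rec)
            continue
        m = R_RE.match(line)
        if m:
            rec = m.groupdict()
            rec['setting'] = rec['setting'].strip()
            rec['host'] = urlsplit(rec['url']).hostname or ''
            ie_pages.append(rec)
    return autostarts, ie_pages


def find_autostart_anomalies(autostarts, min_aliases=3):
    """Map suspicious executables to the reasons they were flagged.

    Heuristics (assumptions, not HJT logic):
      * one executable registered under min_aliases or more differently named
        Run values (the yalwggr.exe pattern in the posted log);
      * an executable placed directly in the Windows folder rather than in a
        program folder or system32, unless it is on WINROOT_ALLOW.
    """
    names_by_exe = defaultdict(set)
    for rec in autostarts:
        names_by_exe[rec['exe']].add(rec['name'])
    findings = {}
    for exe, names in names_by_exe.items():
        reasons = []
        if len(names) >= min_aliases:
            reasons.append('%d different Run value names point at it' % len(names))
        m = re.match(r'^[a-z]:\\windows\\([^\\]+)$', exe)
        if m and m.group(1) not in WINROOT_ALLOW:
            reasons.append('executable placed directly in the Windows folder')
        if reasons:
            findings[exe] = reasons
    return findings


def find_ie_hijacks(ie_pages, expected_hosts):
    """Return (setting, url) pairs whose host is outside the expected set."""
    return [(r['setting'], r['url']) for r in ie_pages if r['host'] not in expected_hosts]


def analyse(text, expected_hosts):
    """Run both checks over a log and return a summary dict."""
    auto, pages = parse_hjt(text)
    return {'autostarts': len(auto),
            'anomalies': find_autostart_anomalies(auto),
            'ie_hijacks': find_ie_hijacks(pages, expected_hosts)}


if __name__ == '__main__':
    summary = analyse(SAMPLE_LOG, {'yahoo.sbc.com'})
    for exe, reasons in sorted(summary['anomalies'].items()):
        print(exe, '->', '; '.join(reasons))
    for setting, url in summary['ie_hijacks']:
        print('IE %s points at %s' % (setting, url))
```

Run against the full posted log, the alias heuristic alone isolates yalwggr.exe, while the Windows-folder heuristic also catches ghjjvkq.exe, which appears under only two names; neither rule needs a signature for the file, which is the point when the name is regenerated on every install.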

#8 dmcneir

dmcneir
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:52 AM

Posted 19 May 2005 - 11:09 AM

I should note that yalwggr was deleted in safe mode since 1st attempt was met with "access denied" error. Still appears to be present elsewhere?

#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:52 PM

Posted 19 May 2005 - 11:29 AM

Hi dmcneir. It doesn't appear that those files are gone. Let's run a couple of other scans to see what they turn up.

Step #1

Download PFind.zip and unzip the contents to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\pfind.txt back here in the next step and I will review it when it comes in.

Step #2

It appears that you have an L2M infection. Please do the following:
  • Download l2mfix.exe and save it to your desktop.
  • Double click l2mfix.exe to start the installation.
  • Click the Install button to extract the files and follow the prompts.
  • Open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing the Enter key.
This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy/paste the entire content of that log into this thread and I will review the information when it comes in.


OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#10 dmcneir

dmcneir
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:52 AM

Posted 19 May 2005 - 05:22 PM

Here are the latest search logs - thanks again for your perseverance! Pfind log:

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder

C:\Program Files\HijackThis.exe: UPX!


Checking the C:\WINDOWS folder

C:\WINDOWS\ghjjvkq.exe: UPX!


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\ihyaaaaa.exe: UPX!
C:\WINDOWS\SYSTEM32\pkykaxok.exe: UPX!


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder

C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: error finding UPX! header
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: =FSG!u$h
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: UPX!


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Owner\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Owner\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
bootstat.dat Thu May 19 2005 4:31:56p A.S.. 2,048 2.00 K
qtfont.qfn Tue May 17 2005 7:45:46a A..H. 54,156 52.89 K

C:\WINDOWS\TASKS\
sa.dat Thu May 19 2005 4:23:20p A..H. 6 0.00 K

C:\WINDOWS\LASTGOOD\INF\
oem15.inf Fri May 13 2005 11:04:34a A..H. 0 0.00 K
oem15.pnf Fri May 13 2005 11:04:34a A..H. 0 0.00 K

C:\WINDOWS\SYSTEM32\CONFIG\
default.log Thu May 19 2005 4:31:42p A..H. 8,192 8.00 K
sam.log Thu May 19 2005 4:32:28p A..H. 1,024 1.00 K
security.log Thu May 19 2005 4:31:58p A..H. 16,384 16.00 K
software.log Thu May 19 2005 4:33:16p A..H. 90,112 88.00 K
system.log Thu May 19 2005 4:32:38p A..H. 925,696 904.00 K

C:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
c83496~1 Wed May 11 2005 8:59:20a A.SH. 388 0.38 K
prefer~1 Wed May 11 2005 8:59:20a A.SH. 24 0.02 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\CHGLNG77\
desktop.ini Thu May 5 2005 8:02:42a ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\KSV105R0\
desktop.ini Thu May 5 2005 8:02:44a ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\OFNXWAIH\
desktop.ini Thu May 5 2005 8:02:42a ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\PFTGTNON\
desktop.ini Thu May 5 2005 8:02:42a ..SH. 67 0.06 K

16 items found: 16 files, 0 directories.
Total of file sizes: 1,098,298 bytes 1.05 M


L2M fix log:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Q312461"=""
"PowerSearch 2.07"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{c7745760-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{c7745761-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{5E44E225-A408-11CF-B581-008029601108}"="Roxio DragToDisc Shell Extension"
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}"="My Media"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"="BitDefender Antivirus v7"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
haghkdf.dll Thu May 12 2005 3:46:54p A.... 569,979 556.62 K
mfc71.dll Fri May 13 2005 4:09:50p A.... 1,060,864 1.01 M
mfc71u.dll Fri May 13 2005 4:09:54p A.... 1,047,552 1023.00 K
msvcp71.dll Tue May 10 2005 2:00:16p A.... 499,712 488.00 K
msvcr71.dll Tue May 10 2005 2:00:16p A.... 348,160 340.00 K
xxmzzkyl.dll Fri May 6 2005 2:38:28p A.... 2,640 2.58 K
xxovvsdb.dll Thu May 12 2005 3:43:40p A.... 15,433 15.07 K

7 items found: 7 files, 0 directories.
Total of file sizes: 3,544,340 bytes 3.38 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is HPNOTEBOOK
Volume Serial Number is 84AE-1189

Directory of C:\WINDOWS\System32

11/22/2004 03:09 PM <DIR> dllcache
10/10/2002 05:22 AM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 7,182,471,168 bytes free
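The L2MFix find log above is mostly a .reg export of the Winlogon\Notify key, where the DllName values appear as hex(2) (REG_EXPAND_SZ stored as UTF-16LE) split across continuation lines, which is awkward to read by eye. The parser below is an added example for this thread, not L2MFix code: it joins the continuation lines, decodes the string, dword and hex(2) values, and reports any notification package whose DLL is not in a baseline. The baseline is an assumption drawn from the stock entries visible in the posted log; the sample export is a shortened, constructed copy of that section with one constructed subkey (rndpkg) added so the check has something to report.

```python
"""Decode the Winlogon\\Notify section of an L2MFix find log (.reg syntax) and
flag notification packages whose DLL is not a stock Windows XP one.

Added example written for this thread; it is not L2MFix code. BASELINE is an
assumption taken from the stock entries in the posted log. SAMPLE_REG is a
constructed, shortened copy of that section; the 'rndpkg' subkey in it is
constructed for illustration and does not appear in the thread.
"""
import re

# Stock XP Winlogon notification DLLs seen in the posted log (assumption).
BASELINE = {'crypt32.dll', 'cryptnet.dll', 'cscdll.dll', 'wlnotify.dll', 'sclgntfy.dll'}
NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rndpkg]
"DllName"=hex(2):68,00,61,00,67,00,68,00,6b,00,64,00,66,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logon"="WinlogonLogonEvent"
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def decode_reg_data(data):
    """Turn the textual data of a .reg value into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1]                         # REG_SZ
    if data.startswith('dword:'):
        return int(data[6:], 16)                  # REG_DWORD, hex digits
    m = re.match(r'^hex(?:\((?P<t>[0-9a-f]+)\))?:(?P<bytes>.*)$', data)
    if m:
        raw = bytes(int(b, 16) for b in m.group('bytes').split(',') if b.strip())
        if m.group('t') in ('2', '7'):            # REG_EXPAND_SZ / REG_MULTI_SZ: UTF-16LE
            return raw.decode('utf-16-le').rstrip('\x00')
        return raw                                # REG_BINARY or other: leave as bytes
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; hex continuation lines are joined."""
    joined = re.sub(r',\\\r?\n\s*', ',', text)     # ",\" + newline is the continuation marker
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group('name')] = decode_reg_data(m.group('data'))
    return keys


def notify_packages(keys):
    """Map each Winlogon\\Notify subkey to its lower-cased DLL file name."""
    prefix = NOTIFY_KEY.lower() + '\\'
    result = {}
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        sub = path[len(prefix):]
        # value names are case-insensitive: the log mixes 'DllName' and 'DLLName'
        dll = next((v for k, v in values.items() if k.lower() == 'dllname'), None)
        if isinstance(dll, str):
            result[sub] = dll.lower().rsplit('\\', 1)[-1]
    return result


def unexpected_packages(keys, baseline=BASELINE):
    """Return {subkey: dll} for notify packages whose DLL is outside the baseline."""
    return {sub: dll for sub, dll in notify_packages(keys).items() if dll not in baseline}


if __name__ == '__main__':
    for sub, dll in unexpected_packages(parse_reg_export(SAMPLE_REG)).items():
        print('Winlogon\\Notify\\%s loads %s (not a stock package)' % (sub, dll))
```

Fed the posted section, every subkey resolves to one of the five baseline DLLs, so the Notify key on this machine is clean; the constructed rndpkg entry shows what a hit looks like when a DLL such as the haghkdf.dll listed further down the log gets registered there.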

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:52 PM

Posted 19 May 2005 - 08:19 PM

Hi dmcneir. We've got some things to do here so let's get started. Please print these directions and then proceed with the following steps in order.

Step #1

Launch Notepad, and copy/paste the text in the quotebox below into the new document. Save it to your desktop as regfix.reg :

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


Locate regfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Restart your computer.


Step #2

Download Pocket Killbox and unzip it to your desktop.

Double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:
    • C:\WINDOWS\ghjjvkq.exe
      C:\WINDOWS\SYSTEM32\ihyaaaaa.exe
      C:\WINDOWS\SYSTEM32\pkykaxok.exe
      C:\WINDOWS\SYSTEM32\haghkdf.dll
      C:\WINDOWS\SYSTEM32\xxmzzkyl.dll
      C:\WINDOWS\SYSTEM32\xxovvsdb.dll
      c:\windows\yalwggr.exe
      c:\windows\ghjjvkq.exe
  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now. Reboot into Safe Mode by:

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
O4 - HKCU\..\Run: [aavfgqh] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [mwuaddm] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [tsedwto] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [pksmiuu] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [lkcbnqc] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [wiimbvt] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ydaeajj] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ghrlyea] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [wagwrad] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [tymaoux] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ycyapim] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [xvvsyfd] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [vihlwsk] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [lmvqkod] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ewuqmts] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ekymojj] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [yaecbpg] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ilbeynl] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [fmmgnpi] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [fxoytja] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [btkarml] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [wbgmstl] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ykascop] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [uestrei] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [kktwkwo] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ygageyx] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [vtxcahr] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [wkqgosf] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [wubdvax] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [vnvbfls] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [xbcwuwf] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [iqifddr] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [bqpnbvd] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [qxacccf] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ffkpbhy] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [iflcrmx] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [pnglpvv] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [haejycc] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [smkgjwo] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [qbukitq] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [hvtorei] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [trylsgb] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [tlaqqqe] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [qkdkdvw] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [euoymhi] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [lhyojml] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [cugujxg] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [puvihku] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [ygqvhfq] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [bjagefc] c:\windows\yalwggr.exe
O4 - HKCU\..\Run: [vxxrsgm] c:\windows\ghjjvkq.exe
O4 - HKCU\..\Run: [luleiwc] c:\windows\ghjjvkq.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #5

Reboot your computer normally and run at least 2 of the following on-line virus scans:

Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan
eTrust Antivirus Web Scanner

Make sure that you choose "fix" or "clean".

Step #6

Start AdAware and do a Full System Scan.

Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#12 dmcneir

dmcneir
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:52 AM

Posted 23 May 2005 - 12:07 PM

All steps completed- here is the latest log-

yalwggr replaced by others- are they multiplying?

Logfile of HijackThis v1.99.1
Scan saved at 12:01:12 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\HPConfig.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
C:\WINDOWS\System32\paytime.exe
C:\windows\athfedj.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\paytime.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\qupzkbh4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_Canada.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\qupzkbh4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] c:\program files\softwin\bitdefender free edition\bdnagent.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [thxdxmm] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [bupvfaq] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [qkuxwtb] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [rpcadwf] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [pwbpgyo] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [ejdvtcf] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [mmwsduk] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [gxycada] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [fiwpwij] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [vslumpn] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [rormmoq] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [xkitcuk] c:\windows\efcalbg.exe
O4 - HKCU\..\Run: [mheocny] c:\windows\eprrxmg.exe
O4 - HKCU\..\Run: [rkomoyi] c:\windows\efcalbg.exe
O4 - HKCU\..\Run: [pwsgejf] c:\windows\eprrxmg.exe
O4 - HKCU\..\Run: [dbmbkdm] c:\windows\efcalbg.exe
O4 - HKCU\..\Run: [snijpke] c:\windows\eprrxmg.exe
O4 - HKCU\..\Run: [yocgaco] c:\windows\efcalbg.exe
O4 - HKCU\..\Run: [euxsbnx] c:\windows\eprrxmg.exe
O4 - HKCU\..\Run: [ijrjfug] c:\windows\efcalbg.exe
O4 - HKCU\..\Run: [vhggcax] c:\windows\eprrxmg.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [bwfmycu] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [nauofbh] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [jqfecxc] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [tttrsws] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [rilxfdp] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [vkinhhk] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [klqrjym] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [wfhnfps] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [nwwjyru] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [wwdjaca] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [cxoudef] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [skeowcl] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [ynroiwb] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [tdmqoxq] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [btrumqk] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [qxutrde] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [qcbhjob] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [mdsgdns] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [xiaupms] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [dmtipmg] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [xuuuvbp] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [iikwpxs] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [clviirv] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [ixmpepe] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [whfaavv] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [yjjdkms] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [ixcviec] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [ubqglae] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [mllgbfw] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [drcearl] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [vaypgkt] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [mucjggl] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [aktbpsi] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [scbmnvl] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [cjjygau] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [rqasknb] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [rjxbggy] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [kywnrkw] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [fbvlpuu] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [tsgkirq] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [emjqubo] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [amyiqht] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [najebgt] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [jcxjkoq] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [bhyxvya] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [wvsjeso] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [wxmsikf] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [atoklbx] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [cvddbpx] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [nigcfvh] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [fpdslhd] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [keypekw] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [wsnlrqa] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [upkphnn] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [ufooixt] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [baaclhl] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [fphqeup] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [pxuoxwf] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [xhjcdpq] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [luxuceu] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [iarvgfw] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [bdqpdeq] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [eyihqcn] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [trxcxfp] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [svhaqos] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [cdqetdj] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [vjkyvrh] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [cygjkup] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [giqxkfn] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [vvadbfg] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [nmslfrx] c:\windows\otqgvqi.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0019.exe
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} (Netscape) - http://downloads.netscape.com/search/toolbar/netscape.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {72336941-1DBF-3473-C4EB-0E8D54AEF6AC} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F3E7FE2-DD8E-4AEA-B63E-A15ADB849EAE}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:52 PM

Posted 23 May 2005 - 02:33 PM

Hi dmcneir. Yes, it appears to be a petri dish in there. Let's try this. Print these directions and then proceed with the following steps in order. Do not connect back up to the internet until the last step.

Step #1

Download and install ewido security suite. Update the program and then close it. Do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start ewido and click on the Scanner button. On the Scanner page click on My Computer and then click the Start button to begin the scan. Let it run to completion and fix anything that it finds.

Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [thxdxmm] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [bupvfaq] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [qkuxwtb] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [rpcadwf] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [pwbpgyo] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [ejdvtcf] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [mmwsduk] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [gxycada] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [fiwpwij] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [vslumpn] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [rormmoq] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [xkitcuk] c:\windows\efcalbg.exe
O4 - HKCU\..\Run: [mheocny] c:\windows\eprrxmg.exe
O4 - HKCU\..\Run: [rkomoyi] c:\windows\efcalbg.exe
O4 - HKCU\..\Run: [pwsgejf] c:\windows\eprrxmg.exe
O4 - HKCU\..\Run: [dbmbkdm] c:\windows\efcalbg.exe
O4 - HKCU\..\Run: [snijpke] c:\windows\eprrxmg.exe
O4 - HKCU\..\Run: [yocgaco] c:\windows\efcalbg.exe
O4 - HKCU\..\Run: [euxsbnx] c:\windows\eprrxmg.exe
O4 - HKCU\..\Run: [ijrjfug] c:\windows\efcalbg.exe
O4 - HKCU\..\Run: [vhggcax] c:\windows\eprrxmg.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [bwfmycu] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [nauofbh] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [jqfecxc] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [tttrsws] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [rilxfdp] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [vkinhhk] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [klqrjym] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [wfhnfps] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [nwwjyru] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [wwdjaca] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [cxoudef] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [skeowcl] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [ynroiwb] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [tdmqoxq] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [btrumqk] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [qxutrde] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [qcbhjob] c:\windows\epxrjmx.exe
O4 - HKCU\..\Run: [mdsgdns] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [xiaupms] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [dmtipmg] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [xuuuvbp] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [iikwpxs] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [clviirv] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [ixmpepe] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [whfaavv] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [yjjdkms] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [ixcviec] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [ubqglae] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [mllgbfw] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [drcearl] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [vaypgkt] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [mucjggl] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [aktbpsi] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [scbmnvl] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [cjjygau] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [rqasknb] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [rjxbggy] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [kywnrkw] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [fbvlpuu] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [tsgkirq] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [emjqubo] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [amyiqht] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [najebgt] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [jcxjkoq] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [bhyxvya] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [wvsjeso] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [wxmsikf] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [atoklbx] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [cvddbpx] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [nigcfvh] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [fpdslhd] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [keypekw] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [wsnlrqa] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [upkphnn] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [ufooixt] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [baaclhl] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [fphqeup] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [pxuoxwf] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [xhjcdpq] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [luxuceu] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [iarvgfw] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [bdqpdeq] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [eyihqcn] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [trxcxfp] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [svhaqos] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [cdqetdj] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [vjkyvrh] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [cygjkup] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [giqxkfn] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [vvadbfg] c:\windows\otqgvqi.exe
O4 - HKCU\..\Run: [nmslfrx] c:\windows\otqgvqi.exe
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0019.exe
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} (Netscape) - http://downloads.netscape.com/search/toolbar/netscape.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


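Log triage for the patterns OldTimer's two sets of steps above pick out by hand (dozens of random Run value names all pointing at one file in c:\windows, IE start and search settings redirected to one host, O15 trusted-zone additions, O16 DPF installers fetched from a bare IP): an added example in Python, not code from the thread or from HijackThis. The regexes, the thresholds and the sample log are my own constructions modelled on the HijackThis v1.99.1 logs posted here.

```python
"""Triage a HijackThis v1.99 log for the patterns discussed in this thread.

Added example (not from the thread or from HijackThis). Assumptions: the
regexes follow the log format shown on this page, and the thresholds below
are my own choices, not HijackThis rules.
"""
import re
from collections import defaultdict
from pprint import pprint
from urllib.parse import urlsplit

# Constructed sample, modelled on the 23 May 2005 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [thxdxmm] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [bupvfaq] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [qkuxwtb] c:\windows\athfedj.exe
O4 - HKCU\..\Run: [xkitcuk] c:\windows\efcalbg.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {72336941-1DBF-3473-C4EB-0E8D54AEF6AC} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
R_RE = re.compile(r"^R[01] - (HK\w+)\\[^=]*?,([^=]+?) = (\S+)$")
O15_RE = re.compile(r"^O15 - Trusted (Zone|IP range): (.+)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}).*? - (\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EXT_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd|dll|pif))(?:\s|$)", re.I)

# Distinct Run value names pointing at one file before we call it a
# self-replicating loader (assumption; the logs above show dozens per file).
RUN_VALUE_THRESHOLD = 3


def run_command_path(cmd):
    """Strip quotes and arguments from an O4 command, return the lowercase path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    m = EXT_RE.match(cmd)
    return (m.group(1) if m else cmd).lower()


def triage(log_text):
    """Parse the R0/R1, O4, O15 and O16 lines and return findings by category."""
    run_names = defaultdict(set)     # path -> {Run value names}
    run_hives = defaultdict(set)     # path -> {HKLM, HKCU}
    hijack_hosts = defaultdict(set)  # host -> {(hive, IE setting)}
    trusted, dpf = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            hive, name, cmd = m.groups()
            path = run_command_path(cmd)
            run_names[path].add(name)
            run_hives[path].add(hive)
        elif m := R_RE.match(line):
            hive, setting, url = m.groups()
            hijack_hosts[urlsplit(url).hostname or url].add((hive, setting.strip()))
        elif m := O15_RE.match(line):
            trusted.append(m.group(2))  # every trusted-zone addition is worth review
        elif m := O16_RE.match(line):
            clsid, url = m.groups()
            host = urlsplit(url).hostname or ""
            # ActiveX installers pulled from a bare IP or served as a raw .exe
            if IPV4_RE.match(host) or url.lower().endswith(".exe"):
                dpf.append((clsid, url))
    return {
        "multiplied_run_entries": {p: sorted(n) for p, n in run_names.items()
                                   if len(n) >= RUN_VALUE_THRESHOLD},
        # same file registered under both hives, as paytime.exe is above
        "dual_hive_run_entries": sorted(p for p, h in run_hives.items()
                                        if {"HKLM", "HKCU"} <= h),
        # a host that owns two or more IE settings, or any bare-IP host
        "hijacked_hosts": {h: sorted(s) for h, s in hijack_hosts.items()
                           if len(s) >= 2 or IPV4_RE.match(h)},
        "trusted_zone_entries": trusted,
        "suspicious_dpf": dpf,
    }


if __name__ == "__main__":
    pprint(triage(SAMPLE_LOG))
```

Run it against a saved HijackThis log to get the same grouping OldTimer does by eye; the one entry under multiplied_run_entries is the file whose Run values keep multiplying between posts.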
#14 dmcneir

dmcneir
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:52 AM

Posted 24 May 2005 - 11:44 AM

This looks better- what do you think?


Logfile of HijackThis v1.99.1
Scan saved at 11:29:00 AM, on 5/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\HPConfig.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\qupzkbh4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_Canada.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\qupzkbh4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] c:\program files\softwin\bitdefender free edition\bdnagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {72336941-1DBF-3473-C4EB-0E8D54AEF6AC} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

#15 dmcneir (Topic Starter, Members, 10 posts)

Posted 24 May 2005 - 11:59 AM

What about the O15 trusted IP ranges? Still don't have the desktop fixed either. I guess there's still work to do.

d
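The O15 question above is the right one to ask. In HijackThis, O15 lines are hosts that have been added to Internet Explorer's Trusted sites zone (the zone that relaxes ActiveX and scripting restrictions), and O16 lines are ActiveX controls in Downloaded Program Files together with the URL they were fetched from. As an added example, not code posted in this thread and not part of HijackThis, here is a small Python triage script that parses those sections of the log above and flags the entries a helper would look at first: every O15 entry, any O16 control whose download host is a bare IP address, whose installer is an .exe rather than a .cab, or which has no class name, and O9 buttons whose file is missing. It assumes the HijackThis v1.99 line format shown in this thread; the sample lines are copied from the log above.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread. It is not part of HijackThis and not code
posted by anyone here; it assumes the HJT v1.99 line format used above.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample input: these lines are copied from the HJT log posted above.
SAMPLE_LOG = """\
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {72336941-1DBF-3473-C4EB-0E8D54AEF6AC} - http://69.31.82.26/1/gdnUS10.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# "O15 - rest of line", "O16 - rest of line", ...
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# O16 - DPF: {CLSID} (Optional Class Name) - http://host/path
O16_RE = re.compile(r"DPF:\s+(\{[0-9A-Fa-f-]+\})\s*(?:\((.*?)\))?\s*-\s*(\S+)")
# O15 - Trusted IP range: 1.2.3.4 [(HKLM)]   /   O15 - Trusted Zone: host
O15_RE = re.compile(r"Trusted (?:IP range|Zone):\s+(\S+)(?:\s+\((HKLM)\))?")


def parse_hjt(text):
    """Return (section, body) tuples for every O-numbered line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _is_ip_literal(host):
    """True when the URL host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(entries):
    """Return (section, item, reason) tuples for entries worth a second look."""
    findings = []
    for section, body in entries:
        if section == "O15":
            m = O15_RE.search(body)
            target = m.group(1) if m else body
            # HJT marks machine-wide entries with "(HKLM)"; unmarked ones are per-user.
            hive = "HKLM" if (m and m.group(2)) else "HKCU"
            findings.append((section, target,
                             f"IE Trusted zone entry in {hive}; fix unless you added it yourself"))
        elif section == "O16":
            m = O16_RE.search(body)
            if not m:
                continue
            clsid, name, url = m.groups()
            parsed = urlparse(url)
            host = parsed.hostname or ""
            reasons = []
            if _is_ip_literal(host):
                reasons.append("download host is a bare IP address")
            if parsed.path.lower().endswith(".exe"):
                reasons.append("ActiveX install points at an .exe, not a .cab")
            if not name:
                reasons.append("control has no class name")
            if reasons:
                findings.append((section, f"{clsid} {url}", "; ".join(reasons)))
        elif section == "O9" and "(file missing)" in body:
            findings.append((section, body,
                             "button/menu item points at a missing file; dangling entry, safe to fix"))
    return findings


def triage_log(text):
    """Convenience wrapper: parse a whole log and return its findings."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for section, item, reason in triage_log(SAMPLE_LOG):
        print(f"{section}: {item}\n    -> {reason}")
```

Run against the sample, the script flags both O15 lines (the same address, once per hive), the O16 control fetched as an .exe from a bare IP, and the dangling O9 BitDefender uninstall button; the two vendor online-scanner .cab controls from named hosts are left alone. The heuristics are deliberately simple, so treat the output as a list of lines to ask about, not a verdict.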
