
HJT Log - computerclueless


  • This topic is locked
58 replies to this topic

#1 computerclueless

  • Members
  • 79 posts

Posted 18 May 2005 - 02:54 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:49:26 PM, on 5/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\inivrp.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\w?auclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.neopets.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn31\ycomp5_5_5_0.dll
O2 - BHO: (no name) - {0E555F55-EFE2-9A1B-BD6A-BFEEFDF0BD9C} - C:\WINNT\system32\fya.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn31\ycomp5_5_5_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [BEHKO] C:\WINNT\BEHKO.exe
O4 - HKLM\..\Run: [Jw7bv7QH] C:\documents and settings\victor\local settings\temp\Jw7bv7QH.exe
O4 - HKLM\..\Run: [1] C:\winnt\temp\1.exe
O4 - HKLM\..\Run: [4E#C69G5T4PNA2] C:\WINNT\system32\IpuFmd.exe
O4 - HKLM\..\Run: [ybcrgjkn] C:\WINNT\ybcrgjkn.exe
O4 - HKLM\..\Run: [exmb] C:\WINNT\exmb.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\system32\idctup20.exe
O4 - HKLM\..\Run: [uzyp] C:\WINNT\uzyp.exe
O4 - HKLM\..\Run: [knuzkv] C:\WINNT\knuzkv.exe
O4 - HKLM\..\Run: [ctibedkr] C:\WINNT\ctibedkr.exe
O4 - HKLM\..\Run: [shadun] C:\WINNT\shadun.exe
O4 - HKLM\..\Run: [dwd] C:\WINNT\dwd.exe
O4 - HKLM\..\Run: [sfqnixmv] C:\WINNT\sfqnixmv.exe
O4 - HKLM\..\Run: [jghudil] C:\WINNT\jghudil.exe
O4 - HKLM\..\Run: [vol] C:\WINNT\vol.exe
O4 - HKLM\..\Run: [rgl] C:\WINNT\rgl.exe
O4 - HKLM\..\Run: [BHKORBELP] C:\WINNT\BHKORBELP.exe
O4 - HKLM\..\Run: [DGJMQTWZ] C:\WINNT\DGJMQTWZ.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible
O4 - HKLM\..\Run: [C2X] C:\documents and settings\victor\local settings\temp\C2X.exe
O4 - HKLM\..\Run: [XAGfR0] C:\documents and settings\victor\local settings\temp\XAGfR0.exe
O4 - HKLM\..\Run: [mcndmgrm] C:\WINNT\system32\mcndmgrm.exe
O4 - HKLM\..\Run: [SysA] C:\winnt\system32\winuhb32.exe
O4 - HKLM\..\Run: [insockw] C:\WINNT\system32\insockw.exe
O4 - HKLM\..\Run: [htjbnj] C:\WINNT\txdesuf.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteaet32.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\inivrp.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINNT\SysCheckBop32
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O20 - Winlogon Notify: f3dsl - C:\WINNT\SYSTEM32\lsd_f3.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
"I'm computer clueless. I seriously am. So clueless, in fact, when I first got my computer, I couldn't figure out how to turn it off for an hour. I mean, come on, how is someone like me going to look for the button to turn off the computer on the Start Menu?" - Personal Quote



#2 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,583 posts
  • Gender:Male

Posted 18 May 2005 - 08:56 PM

Hi computerclueless,

Good job on getting your log posted. You've got quite a lot to take care of, much more than just BMan. Give me some time and I will get you started. You should know, tho, that this will take some time and won't be an instant fix. That happens nowadays when you run your PC with no protection.

Be right back. :thumbsup:

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 computerclueless

  • Topic Starter
  • Members
  • 79 posts

Posted 18 May 2005 - 09:38 PM

Yes, I know it won't be easy to fix but I'll do what I must to keep my computer safe. I'm just glad I'm finally getting some help! My computer was a total mess, believe me! Thank you so much for all your help.

#4 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,583 posts
  • Gender:Male

Posted 18 May 2005 - 11:36 PM

OK let's get you started downloading and do some cleanup of the easier stuff.

Download these programs but don't install them yet:

AVG Virus Scan
Ad-Aware
Spybot - Search & Destroy

Save all these files to your desktop.

Now boot your computer into Safe Mode

Install AVG and run a full system scan.

Reboot into normal mode and install Spybot - Search & Destroy. See the Spybot - S&D Tutorial for instructions on how to use this program. Be sure to update it and for now do not install TeaTimer.

Now install Ad-Aware. See the Ad-Aware Tutorial for instructions on how to configure and update AdAware.

Just install, configure and update these programs in normal mode, because I want you to run both of these programs in Safe Mode. You might want to print out these instructions and the tutorials or copy them to Notepad or another text editor/word processor.

When that is done, back in normal mode, run all three of these online scans.

eTrust Antivirus Web Scanner
Panda ActiveScan
BitDefender

Have them set to clean automatically and you should try to delete any files that these scanners are unable to clean. Post back any logs that are available from these online scanners.

Now scan again with HijackThis, make another log and post it back here.

Before you close HijackThis, click on the Config... button, then go to the Misc Tools section.
- Click on Open Uninstall Manager. You'll see a list of programs.
- Click on Save List...

The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.



#5 computerclueless

  • Topic Starter
  • Members
  • 79 posts

Posted 22 May 2005 - 08:50 PM

I have one question. When I went to the sites for the internet scanners, they said I had to download them. Is that normal and if I download will they take up a lot of space?

#6 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,583 posts
  • Gender:Male

Posted 22 May 2005 - 09:06 PM

Yes, it's normal to have to download the ActiveX Controls so they can see what's bad on your system. Size is not too bad; escan is in the neighborhood of 400KB. Are you hurting for disk space?

How has it gone with AVG and the other scanners I asked you to install?



#7 computerclueless

  • Topic Starter
  • Members
  • 79 posts

Posted 25 May 2005 - 07:11 PM

Pretty well, it seems to have cleared most of the stuff up. Do you want me to post a log now or would you rather I post one after I use the online scanners?

#8 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,583 posts
  • Gender:Male

Posted 25 May 2005 - 11:54 PM

Yes, post another log. It's been a few days and I need to see what's changed. I'll be surprised if the Qoologic is gone.

Also post the list from Add/Remove.



#9 computerclueless

  • Topic Starter
  • Members
  • 79 posts

Posted 29 May 2005 - 11:25 AM

I'm not sure what Add/Remove is but here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 12:21:53 PM, on 5/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\unuvrk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Victor\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.neopets.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn31\ycomp5_5_5_0.dll
O2 - BHO: (no name) - {0E555F55-EFE2-9A1B-BD6A-BFEEFDF0BD9C} - C:\WINNT\system32\fya.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn31\ycomp5_5_5_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [BEHKO] C:\WINNT\BEHKO.exe
O4 - HKLM\..\Run: [Jw7bv7QH] C:\documents and settings\victor\local settings\temp\Jw7bv7QH.exe
O4 - HKLM\..\Run: [1] C:\winnt\temp\1.exe
O4 - HKLM\..\Run: [4E#C69G5T4PNA2] C:\WINNT\system32\IpuFmd.exe
O4 - HKLM\..\Run: [ybcrgjkn] C:\WINNT\ybcrgjkn.exe
O4 - HKLM\..\Run: [exmb] C:\WINNT\exmb.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\system32\idctup20.exe
O4 - HKLM\..\Run: [uzyp] C:\WINNT\uzyp.exe
O4 - HKLM\..\Run: [knuzkv] C:\WINNT\knuzkv.exe
O4 - HKLM\..\Run: [ctibedkr] C:\WINNT\ctibedkr.exe
O4 - HKLM\..\Run: [shadun] C:\WINNT\shadun.exe
O4 - HKLM\..\Run: [dwd] C:\WINNT\dwd.exe
O4 - HKLM\..\Run: [sfqnixmv] C:\WINNT\sfqnixmv.exe
O4 - HKLM\..\Run: [jghudil] C:\WINNT\jghudil.exe
O4 - HKLM\..\Run: [vol] C:\WINNT\vol.exe
O4 - HKLM\..\Run: [rgl] C:\WINNT\rgl.exe
O4 - HKLM\..\Run: [BHKORBELP] C:\WINNT\BHKORBELP.exe
O4 - HKLM\..\Run: [DGJMQTWZ] C:\WINNT\DGJMQTWZ.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible
O4 - HKLM\..\Run: [C2X] C:\documents and settings\victor\local settings\temp\C2X.exe
O4 - HKLM\..\Run: [XAGfR0] C:\documents and settings\victor\local settings\temp\XAGfR0.exe
O4 - HKLM\..\Run: [mcndmgrm] C:\WINNT\system32\mcndmgrm.exe
O4 - HKLM\..\Run: [SysA] C:\winnt\system32\winuhb32.exe
O4 - HKLM\..\Run: [insockw] C:\WINNT\system32\insockw.exe
O4 - HKLM\..\Run: [htjbnj] C:\WINNT\txdesuf.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINNT\SysCheckBop32
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unuvrk.exe reg_run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

and this is the Uninstall Manager list:
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 6.0
AOL Instant Messenger
a-squared Free 1.6
AVG Free Edition
DELL TrueMobile 1180 Wireless USB
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Internet Explorer Q822925
Macromedia Shockwave Player
Microsoft Office 2000 Professional
Mozilla Firefox (0.9.)
Outlook Express Update Q330994
PowerDVD
Recommended Hotfix - 421701D
Shockwave
Spybot - Search & Destroy 1.3
SpywareBlaster v3.4
Universal Media Player
Viewpoint Media Player
Windows 2000 Hotfix - KB823559
Windows 2000 Hotfix - KB823980
WinZip
WordPerfect Office 2002 OEM
WordPerfect Office 2002 OEM
Yahoo! Address AutoComplete
Yahoo! Anti-Spy
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
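
One way to make the triage applied to logs like the one above mechanical, as an added example (not code from BleepingComputer, HijackThis or the helper): a Python script that parses lines in the HijackThis log format and flags the classes of entries singled out in the reply that follows, namely autoruns launched from a temp directory, entries marked "(file missing)", the O15 Trusted Zone addition and the O20 Winlogon Notify hook, plus a running process whose name imitates a system binary with a non-ASCII character, as with the "w?auclt.exe" in the first log (the "?" is how the forum rendered a character it could not display). The sample lines are constructed to mirror the thread's logs; the Cyrillic letter in the lookalike and the small list of known system binaries are assumptions of this example.

```python
# Mechanical triage of HijackThis-format log lines. Added example for this
# thread; not code from BleepingComputer, HijackThis or the helper.
import re
from dataclasses import dataclass
from typing import List, Optional

# Sections worth reviewing whenever they appear (both were flagged in the thread).
REVIEW_SECTIONS = {
    "O15": "Trusted Zone addition: sites listed here escape IE's Internet-zone restrictions",
    "O20": "Winlogon Notify hook: a DLL loaded into winlogon at logon",
}

# Illustrative set of Windows binaries a lookalike might imitate (an assumption
# of this example, not a complete list).
KNOWN_SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                         "svchost.exe", "spoolsv.exe", "wuauclt.exe", "explorer.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # "process" for the running-process list, otherwise the HJT section id
    reason: str
    line: str


def lookalike_of(name: str) -> Optional[str]:
    """Known binary that `name` imitates by swapping in non-ASCII characters, or None.
    Only non-ASCII positions may differ, so a plain typo such as wauclt.exe is not reported."""
    name = name.lower()
    if name.isascii() or name in KNOWN_SYSTEM_BINARIES:
        return None
    for known in KNOWN_SYSTEM_BINARIES:
        if len(known) == len(name) and all(a == b or not a.isascii()
                                           for a, b in zip(name, known)):
            return known
    return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _check_process(path: str) -> Optional[Finding]:
    if path.isascii():
        return None
    imitated = lookalike_of(_basename(path))
    if imitated:
        return Finding("process", f"non-ASCII character in a name imitating {imitated}", path)
    return Finding("process", "non-ASCII character in process path", path)


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis-style log and return the entries that need a closer look."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # the process list ends at the first blank line
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            found = _check_process(line)
            if found:
                findings.append(found)
            continue
        match = ENTRY_RE.match(line)
        if not match:
            continue
        sec, body = match.group("sec"), match.group("body").lower()
        if "(file missing)" in body:
            findings.append(Finding(sec, "entry points at a file that no longer exists", line))
        if sec == "O4" and "\\temp\\" in body:
            findings.append(Finding(sec, "autorun launched from a temporary directory", line))
        if sec in REVIEW_SECTIONS:
            findings.append(Finding(sec, REVIEW_SECTIONS[sec], line))
    return findings


# Constructed sample modelled on the thread's logs. The second process line stands
# in for the "w?auclt.exe" of the first log; the Cyrillic letter is an assumption.
SAMPLE_LOG = "\n".join([
    "Running processes:",
    r"C:\WINNT\system32\wuauclt.exe",
    "C:\\WINNT\\system32\\w\u0443auclt.exe",
    r"C:\Program Files\HijackThis\HijackThis.exe",
    "",
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r"O4 - HKLM\..\Run: [Jw7bv7QH] C:\documents and settings\victor\local settings\temp\Jw7bv7QH.exe",
    r"O4 - HKLM\..\Run: [1] C:\winnt\temp\1.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O2 - BHO: (no name) - {0E555F55-EFE2-9A1B-BD6A-BFEEFDF0BD9C} - C:\WINNT\system32\fya.dll (file missing)",
    r"O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)",
    r"O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)",
    r"O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The rules are deliberately narrow. A broader rule such as "flag every executable sitting directly in C:\WINNT" would catch most of the Run entries the helper fixes, but it would also catch the DXM6Patch entry that the helper leaves alone, so a check like that needs an allowlist of known installers before it is useful.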

#10 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,583 posts
  • Gender:Male

Posted 30 May 2005 - 01:31 PM

Hi computerclueless

Well, not much has changed. I want you to know that you have some serious malware installed on your PC and we need to get you cleaned up ASAP. Here is an example of one of the most serious and there are many others besides:
http://www.sophos.com/virusinfo/analyses/trojgoldung.html

- Steals credit card details
- Steals information
- Reduces system security
- Installs itself in the Registry

Fortunately, AVG has partially cleaned this particular malware, but you have several others that do similar things. Much of the malware out now is designed to steal information to facilitate identity theft and make the writers money in other ways. If you do any online banking, make any financial transactions with a credit card, etc., you are going to need to call your bank and report this. These types also steal passwords and keys to games and other programs you have purchased. But we need to get you cleaned up first, and that is going to take several reposts to accomplish.

I bring this up because it is taking you three or four days to reply and you seem to be trying some other things on your own. I don't mean to sound like a jerk, but you need to follow my instructions exactly and if you have any questions at all, please ask. Don't be embarrassed, that is what we're here for. I'm probably the slowest HJT helper there is, so I can understand some delay. But if there is some other reason for the delay in your responses such as work schedule, family obligations, etc., let me know. I suggest you set aside some time to deal with this or give me an idea of what your schedule is like so I can know when we can work together.

You're also going to need to install a firewall to prevent this information from going out. But let's get you cleaned up first so you can concentrate on that, then on how to run a firewall. I know I'm hitting you with a lot all at once.

You also seem to be concerned about disk space and the size of what I may ask you to download. I'm guessing you are having issues with slowness and other problems. Most of that is being caused by all that malware you have had running for a while--once you get rid of it, downloading and adding new programs shouldn't be a problem. But if you would, let me know how much space you have on your hard drive and how much RAM you have installed. To do this, click START, then right click My Computer and choose Properties. The General tab of the System Properties should pop up, and toward the bottom it will tell you how much RAM is installed and your CPU capacity. Now left click My Computer, right click your hard drive icon, and choose Properties. Let me know what the capacity is and how much free space you have left.

Also you should know that the online free scans do not download the whole program to your machine. The scanning engine stays on the website and just part of the program needs to be on your machine, so it's not like installing the AVG program and doesn't take up nearly as much space.

So here is what I need you to do. I'm going to cover as much as I can today. Please post back soon if you have any questions.

1. Somehow you've managed to run HijackThis without unzipping it and are now running WinZip. You didn't need WinZip to unzip HijackThis since you had already used the self-extracting file to unzip the program to your Program files. (This is why I say you should ask when you run into problems--however it is good you have it now because you will need it in the next step.) It is critical to run HijackThis only after it has been extracted/unzipped--otherwise the backups it makes will be lost. I'm thinking you are not very familiar with working with Windows Explorer and don't know how to get back to HijackThis.exe to run it, so let's make a shortcut to it. Before you do that, delete any copies of HijackThis.zip that you have downloaded. Only zipped copies of HijackThis--note the extension in bold at the end. Then do this:

1. Left click My Computer, right click your hard drive icon, and choose Explore. In the left hand column (Folder Tree), double click Program Files, then the HijackThis folder.
2. In the main pane to the right, right click HijackThis.exe.
3. Select "Create Shortcut". An icon with an arrow in a box should now appear in the HJT folder's main pane.
4. Right click the shortcut icon.
5. Select "Send To">Desktop.

Run HijackThis from this shortcut from now on.

2. I need to take a closer look at the file BEHKO.exe. Please create a folder called c:\computerclueless. (Open Windows Explorer by right clicking your hard drive's icon as instructed before, then right click an open area in the main pane, choose New>Folder and name it computerclueless. Any time you are asked to create a folder in C:\something, use this method.) Now copy the following file into that directory:

BEHKO.exe

To copy the file simply navigate to the C:\WINNT\ directory (folder) right click on BEHKO.exe, and then click on Copy. Now go back to the c:\computerclueless folder and right click the folder and select Paste.

Once the file is copied, please zip the folder. To do this right-click on the folder and click on the Send To option and then choose Compressed folder. You will now see a file called computerclueless.zip. You may not have this right click option since you are running Windows 2000, but since you have Winzip installed, there should be a right click option such as "Add to <foldername>.zip" or similar that will do the same thing.

When the files are zipped, go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to the computerclueless.zip folder and click on the Send File button.

3. Now print out the following instructions or copy and paste them to a Text editor such as Notepad or Word as you will not have access to the internet at times during the procedure.

4. You have a Peper infection. This needs to be taken care of first.

Download this removal tool and save it to your desktop: PeperFix

Now reboot your computer into Safe Mode <--link to tutorial on how to get to safe mode.

Double click PeperFix.exe to run it then reboot back into Safe Mode to run it again.

Keep doing this--rebooting after PeperFix has completed its run, until you get a message in blue text that no files were found. Then reboot back into normal mode.

5. Scan again with HijackThis.exe. Put a checkmark by the following entries, double-checking to be sure that only these entries are checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll
O2 - BHO: (no name) - {0E555F55-EFE2-9A1B-BD6A-BFEEFDF0BD9C} - C:\WINNT\system32\fya.dll (file missing)
O4 - HKLM\..\Run: [BEHKO] C:\WINNT\BEHKO.exe
O4 - HKLM\..\Run: [Jw7bv7QH] C:\documents and settings\victor\local settings\temp\Jw7bv7QH.exe
O4 - HKLM\..\Run: [1] C:\winnt\temp\1.exe
O4 - HKLM\..\Run: [4E#C69G5T4PNA2] C:\WINNT\system32\IpuFmd.exe
O4 - HKLM\..\Run: [ybcrgjkn] C:\WINNT\ybcrgjkn.exe
O4 - HKLM\..\Run: [exmb] C:\WINNT\exmb.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\system32\idctup20.exe
O4 - HKLM\..\Run: [uzyp] C:\WINNT\uzyp.exe
O4 - HKLM\..\Run: [knuzkv] C:\WINNT\knuzkv.exe
O4 - HKLM\..\Run: [ctibedkr] C:\WINNT\ctibedkr.exe
O4 - HKLM\..\Run: [shadun] C:\WINNT\shadun.exe
O4 - HKLM\..\Run: [dwd] C:\WINNT\dwd.exe
O4 - HKLM\..\Run: [sfqnixmv] C:\WINNT\sfqnixmv.exe
O4 - HKLM\..\Run: [jghudil] C:\WINNT\jghudil.exe
O4 - HKLM\..\Run: [vol] C:\WINNT\vol.exe
O4 - HKLM\..\Run: [rgl] C:\WINNT\rgl.exe
O4 - HKLM\..\Run: [BHKORBELP] C:\WINNT\BHKORBELP.exe
O4 - HKLM\..\Run: [DGJMQTWZ] C:\WINNT\DGJMQTWZ.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [C2X] C:\documents and settings\victor\local settings\temp\C2X.exe
O4 - HKLM\..\Run: [XAGfR0] C:\documents and settings\victor\local settings\temp\XAGfR0.exe
O4 - HKLM\..\Run: [mcndmgrm] C:\WINNT\system32\mcndmgrm.exe
O4 - HKLM\..\Run: [SysA] C:\winnt\system32\winuhb32.exe
O4 - HKLM\..\Run: [insockw] C:\WINNT\system32\insockw.exe
O4 - HKLM\..\Run: [htjbnj] C:\WINNT\txdesuf.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINNT\SysCheckBop32
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unuvrk.exe reg_run
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)


Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.

6. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

7. Reboot your computer into Safe Mode.

8. Open your Add or Remove programs applet from your Control Panel and uninstall:

Recommended Hotfix - 421701D

9. Using My Computer/Windows Explorer navigate to and delete the following files and folders in bold--do not be concerned if they do not exist:

C:\WINNT\BEHKO.exe
C:\WINNT\cfgmgr52.dll
C:\WINNT\system32\fya.dll
C:\winnt\temp\1.exe
C:\WINNT\system32\IpuFmd.exe
C:\WINNT\ybcrgjkn.exe
C:\WINNT\exmb.exe
C:\WINNT\system32\idctup20.exe
C:\WINNT\uzyp.exe
C:\WINNT\knuzkv.exe
C:\WINNT\ctibedkr.exe
C:\WINNT\shadun.exe
C:\WINNT\dwd.exe
C:\WINNT\sfqnixmv.exe
C:\WINNT\jghudil.exe
C:\WINNT\vol.exe
C:\WINNT\rgl.exe
C:\WINNT\BHKORBELP.exe
C:\WINNT\DGJMQTWZ.exe
C:\WINNT\system32\automove.exe
c:\installer\id53.exe
C:\WINNT\system32\mcndmgrm.exe
C:\winnt\system32\winuhb32.exe
C:\WINNT\system32\insockw.exe
C:\WINNT\txdesuf.exe
C:\WINNT\satmat.exe
AUNPS2.DLL <--do a search for this file, but it is probably in the System32 folder
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\WINNT\SysCheckBop32
C:\WINNT\cfgmgr52.dll,DllRun
C:\WINNT\system32\unuvrk.exe reg_run


10. This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then Run, and type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

11. Now boot back to normal mode, go back online and do both of these online scans--the sooner you do them the sooner they will be completed:

eTrust Antivirus Web Scanner
Panda ActiveScan

12. Scan again with HijackThis and save a log to post in your next reply.

13. I need you to run the following programs and post the resulting logs when you are finished. In other words, I need 3 reports posted at once when all is finished.

1. Download FindQoologic-Narrator.zip and save it to your Desktop.
http://forums.net-integration.net/index.ph...=post&id=134981

Extract (unzip) the files inside into their own folder called FindQoologic, preferably to your desktop

Open the FindQoologic folder.

Locate and double-click the Find-Qoologic.bat file to run it.

When a text opens, post it in a reply to your thread.

2. Download the RKFiles.zip from here:
http://skads.org/special/rkfiles.zip

Create a new folder called c:\Antispyware\RKFiles
Extract the contents of RKFiles.zip into this new RKFiles folder.

Then,

1. Reboot into Safe Mode

2. Open the C:\Antispyware\RKFiles folder

* Locate and double-click the RKFILES.BAT to run this tool.
* Sit back and wait until it's finished.
* When it is finally finished a text file will open.
* Save the contents of that text file.

Note: It should save by default to C:\Log.txt
* Find this log, right-click and rename it RKFiles_log.txt so you can post it later.

3. Reboot back to Normal Mode.
*************

14. Post both logs as well as a new hijackthis log. If you run into any problems at all, either post back here with a question or skip it and move on. Just let me know what happens as these steps must be done in order and I need to know what is and isn't done.

There will be more to do once these steps are complete. Hang in there with me and I'll hang in there with you.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
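
The O4 lines above map one-to-one to the files listed for deletion in step 9, but doing that mapping by hand is error-prone: for a RunDLL32 entry the file that matters is the DLL rather than the loader, and trailing arguments such as reg_run are not part of the path. The following is an added Python example (not from this thread and not part of HijackThis) that parses O4 lines into the launched file plus its arguments and separates absolute paths from bare names that still need a disk search; the sample lines are copied from the log above.

```python
import re
from collections import namedtuple
# Constructed sample in HijackThis 1.99 log format (entries copied from the log above)
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [C2X] C:\documents and settings\victor\local settings\temp\C2X.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\unuvrk.exe reg_run
O4 - HKLM\..\Run: [SystemCheck] C:\WINNT\SysCheckBop32
O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "rundll32 <dll>,<export>": the payload is the DLL, not rundll32 itself
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<target>[^,]+),(?P<args>.*)$", re.I)
# Unquoted path (spaces allowed) ending in a PE/script extension, then optional arguments
FILE_RE = re.compile(r"^(?P<target>.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:\s+(?P<args>.*))?$", re.I)
ABS_RE = re.compile(r"^[A-Za-z]:\\")

# target = file launched at logon; args = trailing arguments or rundll32 export;
# loader = "rundll32" when the file is loaded indirectly, else None
RunEntry = namedtuple("RunEntry", "hive key name target args loader")

def parse_o4(log_text):
    """Parse O4 autorun lines; other HJT sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd, loader = m["cmd"].strip(), None
        r = RUNDLL_RE.match(cmd)
        if r:
            loader, target, args = "rundll32", r["target"].strip(), r["args"].strip()
        else:
            f = FILE_RE.match(cmd)
            target = f["target"] if f else cmd   # no known extension: keep whole command
            args = f["args"] if f else None
        entries.append(RunEntry(m["hive"], m["key"], m["name"], target, args, loader))
    return entries

def file_checklist(entries):
    """Split targets into absolute paths and bare names that still need a disk search."""
    paths, search, seen = [], [], set()
    for e in entries:
        if e.target.lower() not in seen:
            seen.add(e.target.lower())
            (paths if ABS_RE.match(e.target) else search).append(e.target)
    return {"paths": paths, "search": search}
```

Running `file_checklist(parse_o4(SAMPLE_LOG))` yields four absolute paths to check on disk and one bare name (AUNPS2.DLL) to search for, which is exactly the distinction step 9 makes.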


#11 computerclueless

  • Topic Starter
  • Members
  • 79 posts

Posted 30 May 2005 - 05:09 PM

You said to find a file in C:\WINNT\ called BEHKo.exe but I looked and it's not there. Am I looking in the wrong place or is it in another folder in WINNT?

#12 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,583 posts
  • Gender:Male

Posted 30 May 2005 - 05:35 PM

Sorry about that, you should go ahead and unhide your files and folders now instead of later. And substitute this link for instructions on how to do that--I was thinking for a while you were running XP instead of 2000:
How to see hidden files in Windows

If you can't find it to submit it then don't worry about it. Just continue with the rest of the instructions.



#13 computerclueless

  • Topic Starter
  • Members
  • 79 posts

Posted 30 May 2005 - 05:44 PM

When I right-click C:\computerclueless and go to Send To there is nothing that says Compress Folder. Would I use the "Add to Zip file" or "Add to computerclueless.zip" option instead?

Edited by computerclueless, 30 May 2005 - 05:56 PM.


#14 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,583 posts
  • Gender:Male

Posted 30 May 2005 - 11:54 PM

Sorry CC, I missed the email notice of your question. I'm not all that familiar with Winzip, but I believe you should try "Add to computerclueless.zip". If you have a problem submitting the file you may not have done it right. Let me know. But again, don't worry too much about the file submission. If you have too many problems with it, just continue on with the next steps.



#15 computerclueless

  • Topic Starter
  • Members
  • 79 posts

Posted 31 May 2005 - 03:01 PM

Well, I had trouble figuring it out so I skipped it and went and did the Peper scan. Strange thing though. It said I didn't have any files of it. And yes, I did run it in Safe Mode. Are there any special options I had to select?
