
HJT Logfile


16 replies to this topic

#1 .Prodigy.

.Prodigy.

  • Members
  • 155 posts
  • Location:New York
  • Local time:03:27 AM

Posted 31 July 2005 - 07:32 PM

OK, my dad's girlfriend just gave me her computer to look at because she's been having problems. I don't even know how she dealt with it before. I started it up, and the first thing I noticed was how slow it was. She runs WinXP Home Edition SP1 on a Dell, and it was running like a 10-year-old Windows 95; extremely slow. I had fixed her computer before, so HijackThis was already on the comp, so I tried opening it.......
Nothing happened. I tried again and waited another 5 minutes, then decided to start it in safe mode. I did that, and HijackThis opened no prob, so I took the logfile to my comp, and here it is...

I'm sure there are multiple problems with this comp, so whoever helps me, be prepared for the worst :thumbsup:

------ HJT log start

Logfile of HijackThis v1.99.1
Scan saved at 1:25:57 AM, on 7/31/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\rvtlh\lqqpp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\pdjgkvcp\xiyhwqir.exe
C:\WINDOWS\System32\woqlvw\heykqn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\gqclmbc\wmuvcda.exe
C:\WINDOWS\System32\nfbtubx\uasqecy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\System32\secure.exe
C:\windows\system32\saie.exe
C:\WINDOWS\System32\rabhsnl\rcinjof.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\??rvices.exe
C:\WINDOWS\System32\sudydbs\qirgtmd.exe
C:\WINDOWS\System32\uxpdhpx\pokqddb.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\ewjhygu\oxjtpab.exe
C:\WINDOWS\System32\stolwaf\npstoqm.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\System32\acdxnqr\jwufvuk.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\yynbhls\ysoymbq.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ubnkpay\gtdstbv.exe
C:\WINDOWS\System32\xejbvpb\exusgwa.exe
C:\WINDOWS\System32\msarsvp\dvxjoej.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\System32\bpjrmix\cvxurwv.exe
C:\WINDOWS\System32\byrpjog\curpien.exe
C:\WINDOWS\System32\uxpdhpx\butuexg.exe
C:\WINDOWS\System32\bcfolru\bkwuasd.exe
C:\WINDOWS\System32\ykinj\arltp.exe
C:\WINDOWS\System32\qddebgoa\krbo.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\eudaemon.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\alpodlbq\aldj.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\System32\kampua.exe
C:\WINDOWS\system\dqfrag.exe
C:\WINDOWS\system\abhlc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\windows\system32\lkwgtps.exe
C:\Documents and Settings\kathy\Application Data\eetu.exe
C:\WINDOWS\System32\drpres.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\kathy\Desktop\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\51242e062b4e8600968057f111cf9b54\update\update.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {C33BCD22-7CBD-0530-EBFA-24C0CD9309B1} - C:\WINDOWS\System32\wcbnwo.dll
O2 - BHO: (no name) - {C33BCD2C-7CBD-7446-EB81-22C0C6E409CC} - C:\WINDOWS\System32\wcbnwo.dll
O2 - BHO: (no name) - {C370527A-24A7-4583-BE01-72E59000EB17} - C:\WINDOWS\system32\n.dll
O2 - BHO: (no name) - {E0B91701-A3CD-A839-9C00-AAC816FF2A9A} - C:\WINDOWS\System32\yze.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [lqqpp] C:\WINDOWS\System32\rvtlh\lqqpp.exe
O4 - HKLM\..\Run: [aldj] C:\WINDOWS\System32\alpodlbq\aldj.exe
O4 - HKLM\..\Run: [yxrvf] C:\WINDOWS\System32\cwnseut\yxrvf.exe
O4 - HKLM\..\Run: [ywkakf] C:\WINDOWS\System32\cdqmellj\ywkakf.exe
O4 - HKLM\..\Run: [yvyo] C:\WINDOWS\System32\mwwcwxn\yvyo.exe
O4 - HKLM\..\Run: [ytwv] C:\WINDOWS\System32\efawmel\ytwv.exe
O4 - HKLM\..\Run: [ytldn] C:\WINDOWS\System32\eeudhu\ytldn.exe
O4 - HKLM\..\Run: [ysoymbq] C:\WINDOWS\System32\yynbhls\ysoymbq.exe
O4 - HKLM\..\Run: [yppbhmbg] C:\WINDOWS\System32\fdeh\yppbhmbg.exe
O4 - HKLM\..\Run: [yoglcln] C:\WINDOWS\System32\dqcltqde\yoglcln.exe
O4 - HKLM\..\Run: [ynhfchwb] C:\WINDOWS\System32\dsrpr\ynhfchwb.exe
O4 - HKLM\..\Run: [ymsxonk] C:\WINDOWS\System32\kgsq\ymsxonk.exe
O4 - HKLM\..\Run: [yhhtrdjx] C:\WINDOWS\System32\oxbkock\yhhtrdjx.exe
O4 - HKLM\..\Run: [xpanyu] C:\WINDOWS\System32\eitrd\xpanyu.exe
O4 - HKLM\..\Run: [xnoityaq] C:\WINDOWS\System32\lhtq\xnoityaq.exe
O4 - HKLM\..\Run: [xiyhwqir] C:\WINDOWS\System32\pdjgkvcp\xiyhwqir.exe
O4 - HKLM\..\Run: [xhqfpp] C:\WINDOWS\System32\xhlcl\xhqfpp.exe
O4 - HKLM\..\Run: [xhaiaswx] C:\WINDOWS\System32\tlvnhesg\xhaiaswx.exe
O4 - HKLM\..\Run: [xgfav] C:\WINDOWS\System32\yotsrds\xgfav.exe
O4 - HKLM\..\Run: [xcvmytj] C:\WINDOWS\System32\kosvg\xcvmytj.exe
O4 - HKLM\..\Run: [xamfuv] C:\WINDOWS\System32\eohqrht\xamfuv.exe
O4 - HKLM\..\Run: [wxhe] C:\WINDOWS\System32\yolecgpv\wxhe.exe
O4 - HKLM\..\Run: [wxedyd] C:\WINDOWS\wxedyd.exe
O4 - HKLM\..\Run: [wqjn] C:\WINDOWS\System32\qupmxrm\wqjn.exe
O4 - HKLM\..\Run: [wmuvcda] C:\WINDOWS\System32\gqclmbc\wmuvcda.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [wcwegtb] C:\WINDOWS\System32\ynvhu\wcwegtb.exe
O4 - HKLM\..\Run: [vylqc] C:\WINDOWS\System32\drcw\vylqc.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\dealhelper.exe
O4 - HKLM\..\Run: [vbuvl] C:\WINDOWS\System32\cktopb\vbuvl.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [uxagla] C:\WINDOWS\System32\ylbuqw\uxagla.exe
O4 - HKLM\..\Run: [uwjsxit] C:\WINDOWS\System32\vnjmnrko\uwjsxit.exe
O4 - HKLM\..\Run: [urvb] C:\WINDOWS\System32\lnyyh\urvb.exe
O4 - HKLM\..\Run: [uqupb] C:\WINDOWS\System32\tyatqsy\uqupb.exe
O4 - HKLM\..\Run: [unwr] C:\WINDOWS\System32\sivnmidt\unwr.exe
O4 - HKLM\..\Run: [ubstopwx] C:\WINDOWS\System32\yiysg\ubstopwx.exe
O4 - HKLM\..\Run: [uasqecy] C:\WINDOWS\System32\nfbtubx\uasqecy.exe
O4 - HKLM\..\Run: [tyhu] C:\WINDOWS\System32\nwmywnv\tyhu.exe
O4 - HKLM\..\Run: [tvxrat] C:\WINDOWS\System32\dkjvl\tvxrat.exe
O4 - HKLM\..\Run: [tshqmteh] C:\WINDOWS\System32\uuxtsa\tshqmteh.exe
O4 - HKLM\..\Run: [trsx] C:\WINDOWS\System32\tlnktwa\trsx.exe
O4 - HKLM\..\Run: [tljjm] C:\WINDOWS\System32\gpitte\tljjm.exe
O4 - HKLM\..\Run: [tlclhsep] C:\WINDOWS\System32\clegu\tlclhsep.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tfdgq] C:\WINDOWS\System32\jphasyej\tfdgq.exe
O4 - HKLM\..\Run: [syclqws] C:\WINDOWS\System32\uasxkj\syclqws.exe
O4 - HKLM\..\Run: [swvorscj] C:\WINDOWS\System32\pdtde\swvorscj.exe
O4 - HKLM\..\Run: [slkafex] C:\WINDOWS\System32\xtfovkf\slkafex.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\kristen\LOCALS~1\Temp\rdygip.exe
O4 - HKLM\..\Run: [sjfjv] C:\WINDOWS\System32\ekxs\sjfjv.exe
O4 - HKLM\..\Run: [shkfcmds] C:\WINDOWS\System32\ddkm\shkfcmds.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\secure.exe
O4 - HKLM\..\Run: [sblkkoxl] C:\WINDOWS\System32\qbdfki\sblkkoxl.exe
O4 - HKLM\..\Run: [sbkpoh] C:\WINDOWS\System32\acirv\sbkpoh.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [ruehqj] C:\WINDOWS\System32\uvdnpki\ruehqj.exe
O4 - HKLM\..\Run: [rFmf3Fi] eudaemon.exe
O4 - HKLM\..\Run: [rcinjof] C:\WINDOWS\System32\rabhsnl\rcinjof.exe
O4 - HKLM\..\Run: [raaty] C:\WINDOWS\System32\eibugd\raaty.exe
O4 - HKLM\..\Run: [qydrbtr] C:\WINDOWS\System32\pdifmlo\qydrbtr.exe
O4 - HKLM\..\Run: [qyddjse] C:\WINDOWS\System32\tftb\qyddjse.exe
O4 - HKLM\..\Run: [qvfo] C:\WINDOWS\System32\rbxgu\qvfo.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qryxkfci] C:\WINDOWS\System32\hjnobnj\qryxkfci.exe
O4 - HKLM\..\Run: [qria] C:\WINDOWS\System32\opfl\qria.exe
O4 - HKLM\..\Run: [qmme] C:\WINDOWS\System32\ovcay\qmme.exe
O4 - HKLM\..\Run: [qirgtmd] C:\WINDOWS\System32\sudydbs\qirgtmd.exe
O4 - HKLM\..\Run: [pxjoh] C:\WINDOWS\System32\chal\pxjoh.exe
O4 - HKLM\..\Run: [prnpyr] C:\WINDOWS\System32\ugawqjog\prnpyr.exe
O4 - HKLM\..\Run: [pokqddb] C:\WINDOWS\System32\uxpdhpx\pokqddb.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [oxjtpab] C:\WINDOWS\System32\ewjhygu\oxjtpab.exe
O4 - HKLM\..\Run: [ovtrktd] C:\WINDOWS\System32\uaekm\ovtrktd.exe
O4 - HKLM\..\Run: [ouvw] C:\WINDOWS\System32\ldkdnb\ouvw.exe
O4 - HKLM\..\Run: [oqphfjo] C:\WINDOWS\System32\hvtsjd\oqphfjo.exe
O4 - HKLM\..\Run: [okssnct] C:\WINDOWS\System32\giccm\okssnct.exe
O4 - HKLM\..\Run: [oiob] C:\WINDOWS\System32\nixldj\oiob.exe
O4 - HKLM\..\Run: [oikctkp] C:\WINDOWS\System32\xberlho\oikctkp.exe
O4 - HKLM\..\Run: [oguhgx] C:\WINDOWS\System32\uabu\oguhgx.exe
O4 - HKLM\..\Run: [oevmp] C:\WINDOWS\System32\qsouay\oevmp.exe
O4 - HKLM\..\Run: [odhxk] C:\WINDOWS\System32\vpci\odhxk.exe
O4 - HKLM\..\Run: [nydex] C:\WINDOWS\System32\pmpk\nydex.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [nrymhb] C:\WINDOWS\System32\rnbeff\nrymhb.exe
O4 - HKLM\..\Run: [npstoqm] C:\WINDOWS\System32\stolwaf\npstoqm.exe
O4 - HKLM\..\Run: [nobduaf] C:\WINDOWS\System32\vogs\nobduaf.exe
O4 - HKLM\..\Run: [nkqij] C:\WINDOWS\System32\eudo\nkqij.exe
O4 - HKLM\..\Run: [niuppdmi] C:\WINDOWS\System32\tfmekvrj\niuppdmi.exe
O4 - HKLM\..\Run: [nhbdlrkh] C:\WINDOWS\System32\cbfpn\nhbdlrkh.exe
O4 - HKLM\..\Run: [ndnkl] C:\WINDOWS\System32\fdoavl\ndnkl.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\iorgvo.exe
O4 - HKLM\..\Run: [nadylsnc] C:\WINDOWS\System32\btwcggjq\nadylsnc.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [mwfd] C:\WINDOWS\System32\nejstwav\mwfd.exe
O4 - HKLM\..\Run: [mtyjfjb] C:\WINDOWS\System32\hhfvy\mtyjfjb.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [mlvt] C:\WINDOWS\System32\dijy\mlvt.exe
O4 - HKLM\..\Run: [mixswyb] C:\WINDOWS\System32\aylsjow\mixswyb.exe
O4 - HKLM\..\Run: [maunljnk] C:\WINDOWS\System32\ykbo\maunljnk.exe
O4 - HKLM\..\Run: [lycnhhw] C:\WINDOWS\System32\ehgct\lycnhhw.exe
O4 - HKLM\..\Run: [luvu] C:\WINDOWS\System32\grvjsmr\luvu.exe
O4 - HKLM\..\Run: [lupok] C:\WINDOWS\System32\ktuyfsai\lupok.exe
O4 - HKLM\..\Run: [lrtfl] C:\WINDOWS\System32\coxwueay\lrtfl.exe
O4 - HKLM\..\Run: [lpwqk] C:\WINDOWS\System32\gfkcxxt\lpwqk.exe
O4 - HKLM\..\Run: [loidqm] C:\WINDOWS\System32\qcwxc\loidqm.exe
O4 - HKLM\..\Run: [lkgffe] C:\WINDOWS\System32\yjrk\lkgffe.exe
O4 - HKLM\..\Run: [lilxx] C:\WINDOWS\System32\dmqkpiax\lilxx.exe
O4 - HKLM\..\Run: [lcuo] C:\WINDOWS\System32\fgbwy\lcuo.exe
O4 - HKLM\..\Run: [kwnh] C:\WINDOWS\System32\gnsf\kwnh.exe
O4 - HKLM\..\Run: [kujdtmnv] C:\WINDOWS\System32\fsuud\kujdtmnv.exe
O4 - HKLM\..\Run: [krkfjyn] C:\WINDOWS\System32\svrlvw\krkfjyn.exe
O4 - HKLM\..\Run: [krbo] C:\WINDOWS\System32\qddebgoa\krbo.exe
O4 - HKLM\..\Run: [kmxtgwjo] C:\WINDOWS\System32\shcc\kmxtgwjo.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kampua.exe reg_run
O4 - HKLM\..\Run: [jxar] C:\WINDOWS\System32\dnbnns\jxar.exe
O4 - HKLM\..\Run: [jwufvuk] C:\WINDOWS\System32\acdxnqr\jwufvuk.exe
O4 - HKLM\..\Run: [jvuhfxq] C:\WINDOWS\System32\tcmduxne\jvuhfxq.exe
O4 - HKLM\..\Run: [juoiqway] C:\WINDOWS\System32\epdwuatf\juoiqway.exe
O4 - HKLM\..\Run: [jcxr] C:\WINDOWS\System32\suxhpjix\jcxr.exe
O4 - HKLM\..\Run: [iwvshy] C:\WINDOWS\System32\ekretu\iwvshy.exe
O4 - HKLM\..\Run: [iwkupctq] C:\WINDOWS\System32\xllvk\iwkupctq.exe
O4 - HKLM\..\Run: [iuwksxl] C:\WINDOWS\System32\qhvwj\iuwksxl.exe
O4 - HKLM\..\Run: [iujf] C:\WINDOWS\System32\cfqvk\iujf.exe
O4 - HKLM\..\Run: [inku] C:\WINDOWS\System32\lfqff\inku.exe
O4 - HKLM\..\Run: [ilsgsxnn] C:\WINDOWS\System32\hhlums\ilsgsxnn.exe
O4 - HKLM\..\Run: [ilet] C:\WINDOWS\System32\kkphxm\ilet.exe
O4 - HKLM\..\Run: [ihmpb] C:\WINDOWS\System32\oalaj\ihmpb.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ibfsci] C:\WINDOWS\System32\naypdst\ibfsci.exe
O4 - HKLM\..\Run: [hykwjly] C:\WINDOWS\System32\wkiayxl\hykwjly.exe
O4 - HKLM\..\Run: [hyhnatrc] C:\WINDOWS\System32\uknabdsj\hyhnatrc.exe
O4 - HKLM\..\Run: [hyfcp] C:\WINDOWS\System32\rwxeo\hyfcp.exe
O4 - HKLM\..\Run: [hvpn] C:\WINDOWS\System32\uykpwkqf\hvpn.exe
O4 - HKLM\..\Run: [hujshsf] c:\windows\hujshsf.exe
O4 - HKLM\..\Run: [hsoqenla] C:\WINDOWS\System32\pquilgkd\hsoqenla.exe
O4 - HKLM\..\Run: [hshnin] C:\DOCUME~1\kathy\LOCALS~1\Temp\bdfm.exe
O4 - HKLM\..\Run: [hsdty] C:\WINDOWS\System32\jittaix\hsdty.exe
O4 - HKLM\..\Run: [hpgple] C:\WINDOWS\System32\asllx\hpgple.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hklsgyvw] C:\WINDOWS\System32\lnqs\hklsgyvw.exe
O4 - HKLM\..\Run: [hiav] C:\WINDOWS\System32\vtdkxr\hiav.exe
O4 - HKLM\..\Run: [hhiea] C:\WINDOWS\System32\oycud\hhiea.exe
O4 - HKLM\..\Run: [heykqn] C:\WINDOWS\System32\woqlvw\heykqn.exe
O4 - HKLM\..\Run: [hdjxqjlv] C:\WINDOWS\System32\worhxbj\hdjxqjlv.exe
O4 - HKLM\..\Run: [hdhpcp] C:\WINDOWS\System32\ctfmc\hdhpcp.exe
O4 - HKLM\..\Run: [hbepxf] C:\WINDOWS\System32\utvnn\hbepxf.exe
O4 - HKLM\..\Run: [gxxwxeuu] C:\WINDOWS\System32\hcsvec\gxxwxeuu.exe
O4 - HKLM\..\Run: [gutovh] C:\WINDOWS\System32\jtwkfelk\gutovh.exe
O4 - HKLM\..\Run: [guhsi] C:\WINDOWS\System32\ljycu\guhsi.exe
O4 - HKLM\..\Run: [gtsg] C:\WINDOWS\System32\wxugscg\gtsg.exe
O4 - HKLM\..\Run: [gtdstbv] C:\WINDOWS\System32\ubnkpay\gtdstbv.exe
O4 - HKLM\..\Run: [gprsjrnv] C:\WINDOWS\System32\vnbjxk\gprsjrnv.exe
O4 - HKLM\..\Run: [gpcv] C:\WINDOWS\System32\givsajg\gpcv.exe
O4 - HKLM\..\Run: [gjotkloc] C:\WINDOWS\System32\cqjejmfg\gjotkloc.exe
O4 - HKLM\..\Run: [gidnjd] C:\WINDOWS\System32\uwsakyqr\gidnjd.exe
O4 - HKLM\..\Run: [gfveph] C:\WINDOWS\System32\fttv\gfveph.exe
O4 - HKLM\..\Run: [geegk] C:\WINDOWS\System32\mdmpnw\geegk.exe
O4 - HKLM\..\Run: [fsmj] C:\WINDOWS\System32\ygdk\fsmj.exe
O4 - HKLM\..\Run: [fqyqanrj] C:\WINDOWS\System32\tfmekvrj\fqyqanrj.exe
O4 - HKLM\..\Run: [fpeo] C:\WINDOWS\System32\ljwqxwa\fpeo.exe
O4 - HKLM\..\Run: [fmrqjh] C:\WINDOWS\System32\uefcw\fmrqjh.exe
O4 - HKLM\..\Run: [fjkklspe] C:\WINDOWS\System32\pquyq\fjkklspe.exe
O4 - HKLM\..\Run: [fcpp] C:\WINDOWS\System32\yunro\fcpp.exe
O4 - HKLM\..\Run: [fbylwwvb] C:\WINDOWS\System32\oywx\fbylwwvb.exe
O4 - HKLM\..\Run: [fbbowr] C:\WINDOWS\System32\qrct\fbbowr.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [eyqch] C:\WINDOWS\System32\voxrfwr\eyqch.exe
O4 - HKLM\..\Run: [exusgwa] C:\WINDOWS\System32\xejbvpb\exusgwa.exe
O4 - HKLM\..\Run: [ewroqb] C:\WINDOWS\System32\adctnirf\ewroqb.exe
O4 - HKLM\..\Run: [euqgzvr] c:\windows\system32\lkwgtps.exe
O4 - HKLM\..\Run: [esbcopfo] C:\WINDOWS\System32\wrjcbdhd\esbcopfo.exe
O4 - HKLM\..\Run: [embhl] C:\WINDOWS\System32\iyku\embhl.exe
O4 - HKLM\..\Run: [egonfv] C:\WINDOWS\System32\tjhrgahm\egonfv.exe
O4 - HKLM\..\Run: [efstg] C:\WINDOWS\System32\makfykhc\efstg.exe
O4 - HKLM\..\Run: [efkv] C:\WINDOWS\efkv.exe
O4 - HKLM\..\Run: [efbkr] C:\WINDOWS\System32\fkpcad\efbkr.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [dxif] C:\WINDOWS\System32\ivrdvpt\dxif.exe
O4 - HKLM\..\Run: [dwlqcuf] C:\WINDOWS\System32\yvdhy\dwlqcuf.exe
O4 - HKLM\..\Run: [dvxjoej] C:\WINDOWS\System32\msarsvp\dvxjoej.exe
O4 - HKLM\..\Run: [dshkqojo] C:\WINDOWS\System32\wvwvq\dshkqojo.exe
O4 - HKLM\..\Run: [dqwfqht] C:\WINDOWS\System32\miqjycu\dqwfqht.exe
O4 - HKLM\..\Run: [domuu] C:\WINDOWS\System32\egojx\domuu.exe
O4 - HKLM\..\Run: [dnpsg] C:\WINDOWS\System32\hmvo\dnpsg.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [demaw] C:\WINDOWS\System32\ujccen\demaw.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [cvxurwv] C:\WINDOWS\System32\bpjrmix\cvxurwv.exe
O4 - HKLM\..\Run: [curpien] C:\WINDOWS\System32\byrpjog\curpien.exe
O4 - HKLM\..\Run: [cuerx] C:\WINDOWS\System32\utyilcgk\cuerx.exe
O4 - HKLM\..\Run: [clqhpah] C:\WINDOWS\System32\vsmwcbug\clqhpah.exe
O4 - HKLM\..\Run: [cjvinhxk] C:\WINDOWS\System32\sefgyu\cjvinhxk.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [butuexg] C:\WINDOWS\System32\uxpdhpx\butuexg.exe
O4 - HKLM\..\Run: [bkwuasd] C:\WINDOWS\System32\bcfolru\bkwuasd.exe
O4 - HKLM\..\Run: [bkruo] C:\WINDOWS\System32\qwineysa\bkruo.exe
O4 - HKLM\..\Run: [bfhksid] C:\WINDOWS\System32\nvhfmsg\bfhksid.exe
O4 - HKLM\..\Run: [bdethbck] C:\WINDOWS\System32\hwkn\bdethbck.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [aumqre] C:\WINDOWS\System32\wrri\aumqre.exe
O4 - HKLM\..\Run: [arltp] C:\WINDOWS\System32\ykinj\arltp.exe
O4 - HKLM\..\Run: [apoxqygg] C:\WINDOWS\System32\fafdxmug\apoxqygg.exe
O4 - HKLM\..\Run: [amskeg] C:\WINDOWS\System32\qgrrfvc\amskeg.exe
O4 - HKLM\..\Run: [alune] C:\WINDOWS\System32\fjdntoh\alune.exe
O4 - HKLM\..\Run: [aiwecdsy] C:\WINDOWS\System32\lvwevxp\aiwecdsy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uknkpl] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ao5pRPG8i] drpres.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\kathy\Application Data\eetu.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: uptikp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: esbcopfowrjcbdhd - Unknown owner - C:\WINDOWS\System32\wrjcbdhd\esbcopfo.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lqqpprvtlh - Unknown owner - C:\WINDOWS\System32\rvtlh\lqqpp.exe
O23 - Service: niuppdmitfmekvrj - Unknown owner - C:\WINDOWS\System32\tfmekvrj\niuppdmi.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

#2 .Prodigy.

.Prodigy.
  • Topic Starter

  • Members
  • 155 posts
  • Location:New York
  • Local time:03:27 AM

Posted 31 July 2005 - 10:54 PM

I've run a couple of scans on the computer and quarantined over 400 items; I'll be posting an updated logfile soon.

Edit: here's the updated log. I don't think it changed too much. I ran Super Ad Blocker (2-hour scan found 398 items), restarted, and then ran Adaware (15-minute scan found 24 items). After running msconfig and disabling everything, I restarted and saw a noticeable improvement in the running speed and the amount of pop-ups (none have come up since the scans), but when I run msconfig there are about 100 entries of random-letter progs, all enabled to run on start-up again.

Here's my new logfile:

Logfile of HijackThis v1.99.1
Scan saved at 5:07:57 AM, on 7/31/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\rvtlh\lqqpp.exe
C:\WINDOWS\System32\yynbhls\ysoymbq.exe
C:\WINDOWS\System32\pdjgkvcp\xiyhwqir.exe
C:\WINDOWS\System32\kkcofbm\wbbcx.exe
C:\WINDOWS\System32\gqclmbc\wmuvcda.exe
C:\WINDOWS\System32\nfbtubx\uasqecy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rabhsnl\rcinjof.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\sudydbs\qirgtmd.exe
C:\WINDOWS\System32\uxpdhpx\pokqddb.exe
C:\WINDOWS\System32\ewjhygu\oxjtpab.exe
C:\WINDOWS\System32\stolwaf\npstoqm.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\System32\acdxnqr\jwufvuk.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ubnkpay\gtdstbv.exe
C:\WINDOWS\System32\xejbvpb\exusgwa.exe
C:\WINDOWS\System32\msarsvp\dvxjoej.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\bpjrmix\cvxurwv.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\byrpjog\curpien.exe
C:\WINDOWS\System32\uxpdhpx\butuexg.exe
C:\WINDOWS\System32\bcfolru\bkwuasd.exe
C:\WINDOWS\System32\rvtlh\lqqpp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\kathy\Desktop\backups\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {C33BCD22-7CBD-0530-EBFA-24C0CD9309B1} - (no file)
O2 - BHO: (no name) - {C33BCD2C-7CBD-7446-EB81-22C0C6E409CC} - (no file)
O2 - BHO: (no name) - {C370527A-24A7-4583-BE01-72E59000EB17} - (no file)
O2 - BHO: (no name) - {E0B91701-A3CD-A839-9C00-AAC816FF2A9A} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [lqqpp] C:\WINDOWS\System32\rvtlh\lqqpp.exe
O4 - HKLM\..\Run: [yxrvf] C:\WINDOWS\System32\cwnseut\yxrvf.exe
O4 - HKLM\..\Run: [ywkakf] C:\WINDOWS\System32\cdqmellj\ywkakf.exe
O4 - HKLM\..\Run: [yvyo] C:\WINDOWS\System32\mwwcwxn\yvyo.exe
O4 - HKLM\..\Run: [ytwv] C:\WINDOWS\System32\efawmel\ytwv.exe
O4 - HKLM\..\Run: [ytldn] C:\WINDOWS\System32\eeudhu\ytldn.exe
O4 - HKLM\..\Run: [ysoymbq] C:\WINDOWS\System32\yynbhls\ysoymbq.exe
O4 - HKLM\..\Run: [yppbhmbg] C:\WINDOWS\System32\fdeh\yppbhmbg.exe
O4 - HKLM\..\Run: [ynhfchwb] C:\WINDOWS\System32\dsrpr\ynhfchwb.exe
O4 - HKLM\..\Run: [ymsxonk] C:\WINDOWS\System32\kgsq\ymsxonk.exe
O4 - HKLM\..\Run: [yhhtrdjx] C:\WINDOWS\System32\oxbkock\yhhtrdjx.exe
O4 - HKLM\..\Run: [xpanyu] C:\WINDOWS\System32\eitrd\xpanyu.exe
O4 - HKLM\..\Run: [xnoityaq] C:\WINDOWS\System32\lhtq\xnoityaq.exe
O4 - HKLM\..\Run: [xiyhwqir] C:\WINDOWS\System32\pdjgkvcp\xiyhwqir.exe
O4 - HKLM\..\Run: [xhqfpp] C:\WINDOWS\System32\xhlcl\xhqfpp.exe
O4 - HKLM\..\Run: [xhaiaswx] C:\WINDOWS\System32\tlvnhesg\xhaiaswx.exe
O4 - HKLM\..\Run: [xgfav] C:\WINDOWS\System32\yotsrds\xgfav.exe
O4 - HKLM\..\Run: [xcvmytj] C:\WINDOWS\System32\kosvg\xcvmytj.exe
O4 - HKLM\..\Run: [xamfuv] C:\WINDOWS\System32\eohqrht\xamfuv.exe
O4 - HKLM\..\Run: [wxhe] C:\WINDOWS\System32\yolecgpv\wxhe.exe
O4 - HKLM\..\Run: [wxedyd] C:\WINDOWS\wxedyd.exe
O4 - HKLM\..\Run: [wqjn] C:\WINDOWS\System32\qupmxrm\wqjn.exe
O4 - HKLM\..\Run: [wmuvcda] C:\WINDOWS\System32\gqclmbc\wmuvcda.exe
O4 - HKLM\..\Run: [wcwegtb] C:\WINDOWS\System32\ynvhu\wcwegtb.exe
O4 - HKLM\..\Run: [vylqc] C:\WINDOWS\System32\drcw\vylqc.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [vbuvl] C:\WINDOWS\System32\cktopb\vbuvl.exe
O4 - HKLM\..\Run: [uxagla] C:\WINDOWS\System32\ylbuqw\uxagla.exe
O4 - HKLM\..\Run: [uwjsxit] C:\WINDOWS\System32\vnjmnrko\uwjsxit.exe
O4 - HKLM\..\Run: [urvb] C:\WINDOWS\System32\lnyyh\urvb.exe
O4 - HKLM\..\Run: [uqupb] C:\WINDOWS\System32\tyatqsy\uqupb.exe
O4 - HKLM\..\Run: [unwr] C:\WINDOWS\System32\sivnmidt\unwr.exe
O4 - HKLM\..\Run: [ubstopwx] C:\WINDOWS\System32\yiysg\ubstopwx.exe
O4 - HKLM\..\Run: [uasqecy] C:\WINDOWS\System32\nfbtubx\uasqecy.exe
O4 - HKLM\..\Run: [tyhu] C:\WINDOWS\System32\nwmywnv\tyhu.exe
O4 - HKLM\..\Run: [tvxrat] C:\WINDOWS\System32\dkjvl\tvxrat.exe
O4 - HKLM\..\Run: [tshqmteh] C:\WINDOWS\System32\uuxtsa\tshqmteh.exe
O4 - HKLM\..\Run: [trsx] C:\WINDOWS\System32\tlnktwa\trsx.exe
O4 - HKLM\..\Run: [tljjm] C:\WINDOWS\System32\gpitte\tljjm.exe
O4 - HKLM\..\Run: [tlclhsep] C:\WINDOWS\System32\clegu\tlclhsep.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tfdgq] C:\WINDOWS\System32\jphasyej\tfdgq.exe
O4 - HKLM\..\Run: [syclqws] C:\WINDOWS\System32\uasxkj\syclqws.exe
O4 - HKLM\..\Run: [swvorscj] C:\WINDOWS\System32\pdtde\swvorscj.exe
O4 - HKLM\..\Run: [slkafex] C:\WINDOWS\System32\xtfovkf\slkafex.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\kristen\LOCALS~1\Temp\rdygip.exe
O4 - HKLM\..\Run: [sjfjv] C:\WINDOWS\System32\ekxs\sjfjv.exe
O4 - HKLM\..\Run: [shkfcmds] C:\WINDOWS\System32\ddkm\shkfcmds.exe
O4 - HKLM\..\Run: [sblkkoxl] C:\WINDOWS\System32\qbdfki\sblkkoxl.exe
O4 - HKLM\..\Run: [sbkpoh] C:\WINDOWS\System32\acirv\sbkpoh.exe
O4 - HKLM\..\Run: [ruehqj] C:\WINDOWS\System32\uvdnpki\ruehqj.exe
O4 - HKLM\..\Run: [rcinjof] C:\WINDOWS\System32\rabhsnl\rcinjof.exe
O4 - HKLM\..\Run: [raaty] C:\WINDOWS\System32\eibugd\raaty.exe
O4 - HKLM\..\Run: [qydrbtr] C:\WINDOWS\System32\pdifmlo\qydrbtr.exe
O4 - HKLM\..\Run: [qyddjse] C:\WINDOWS\System32\tftb\qyddjse.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qryxkfci] C:\WINDOWS\System32\hjnobnj\qryxkfci.exe
O4 - HKLM\..\Run: [qria] C:\WINDOWS\System32\opfl\qria.exe
O4 - HKLM\..\Run: [qmme] C:\WINDOWS\System32\ovcay\qmme.exe
O4 - HKLM\..\Run: [qirgtmd] C:\WINDOWS\System32\sudydbs\qirgtmd.exe
O4 - HKLM\..\Run: [pxjoh] C:\WINDOWS\System32\chal\pxjoh.exe
O4 - HKLM\..\Run: [prnpyr] C:\WINDOWS\System32\ugawqjog\prnpyr.exe
O4 - HKLM\..\Run: [pokqddb] C:\WINDOWS\System32\uxpdhpx\pokqddb.exe
O4 - HKLM\..\Run: [oxjtpab] C:\WINDOWS\System32\ewjhygu\oxjtpab.exe
O4 - HKLM\..\Run: [ovtrktd] C:\WINDOWS\System32\uaekm\ovtrktd.exe
O4 - HKLM\..\Run: [ouvw] C:\WINDOWS\System32\ldkdnb\ouvw.exe
O4 - HKLM\..\Run: [oqphfjo] C:\WINDOWS\System32\hvtsjd\oqphfjo.exe
O4 - HKLM\..\Run: [okssnct] C:\WINDOWS\System32\giccm\okssnct.exe
O4 - HKLM\..\Run: [oiob] C:\WINDOWS\System32\nixldj\oiob.exe
O4 - HKLM\..\Run: [oikctkp] C:\WINDOWS\System32\xberlho\oikctkp.exe
O4 - HKLM\..\Run: [oguhgx] C:\WINDOWS\System32\uabu\oguhgx.exe
O4 - HKLM\..\Run: [oevmp] C:\WINDOWS\System32\qsouay\oevmp.exe
O4 - HKLM\..\Run: [nydex] C:\WINDOWS\System32\pmpk\nydex.exe
O4 - HKLM\..\Run: [nrymhb] C:\WINDOWS\System32\rnbeff\nrymhb.exe
O4 - HKLM\..\Run: [npstoqm] C:\WINDOWS\System32\stolwaf\npstoqm.exe
O4 - HKLM\..\Run: [nobduaf] C:\WINDOWS\System32\vogs\nobduaf.exe
O4 - HKLM\..\Run: [nkqij] C:\WINDOWS\System32\eudo\nkqij.exe
O4 - HKLM\..\Run: [nhbdlrkh] C:\WINDOWS\System32\cbfpn\nhbdlrkh.exe
O4 - HKLM\..\Run: [ndnkl] C:\WINDOWS\System32\fdoavl\ndnkl.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\iorgvo.exe
O4 - HKLM\..\Run: [nadylsnc] C:\WINDOWS\System32\btwcggjq\nadylsnc.exe
O4 - HKLM\..\Run: [mwfd] C:\WINDOWS\System32\nejstwav\mwfd.exe
O4 - HKLM\..\Run: [mtyjfjb] C:\WINDOWS\System32\hhfvy\mtyjfjb.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [mlvt] C:\WINDOWS\System32\dijy\mlvt.exe
O4 - HKLM\..\Run: [mixswyb] C:\WINDOWS\System32\aylsjow\mixswyb.exe
O4 - HKLM\..\Run: [maunljnk] C:\WINDOWS\System32\ykbo\maunljnk.exe
O4 - HKLM\..\Run: [lycnhhw] C:\WINDOWS\System32\ehgct\lycnhhw.exe
O4 - HKLM\..\Run: [luvu] C:\WINDOWS\System32\grvjsmr\luvu.exe
O4 - HKLM\..\Run: [lupok] C:\WINDOWS\System32\ktuyfsai\lupok.exe
O4 - HKLM\..\Run: [lrtfl] C:\WINDOWS\System32\coxwueay\lrtfl.exe
O4 - HKLM\..\Run: [lpwqk] C:\WINDOWS\System32\gfkcxxt\lpwqk.exe
O4 - HKLM\..\Run: [lkgffe] C:\WINDOWS\System32\yjrk\lkgffe.exe
O4 - HKLM\..\Run: [lilxx] C:\WINDOWS\System32\dmqkpiax\lilxx.exe
O4 - HKLM\..\Run: [lcuo] C:\WINDOWS\System32\fgbwy\lcuo.exe
O4 - HKLM\..\Run: [kwnh] C:\WINDOWS\System32\gnsf\kwnh.exe
O4 - HKLM\..\Run: [kujdtmnv] C:\WINDOWS\System32\fsuud\kujdtmnv.exe
O4 - HKLM\..\Run: [kmxtgwjo] C:\WINDOWS\System32\shcc\kmxtgwjo.exe
O4 - HKLM\..\Run: [jxar] C:\WINDOWS\System32\dnbnns\jxar.exe
O4 - HKLM\..\Run: [jwufvuk] C:\WINDOWS\System32\acdxnqr\jwufvuk.exe
O4 - HKLM\..\Run: [jvuhfxq] C:\WINDOWS\System32\tcmduxne\jvuhfxq.exe
O4 - HKLM\..\Run: [juoiqway] C:\WINDOWS\System32\epdwuatf\juoiqway.exe
O4 - HKLM\..\Run: [jcxr] C:\WINDOWS\System32\suxhpjix\jcxr.exe
O4 - HKLM\..\Run: [iwvshy] C:\WINDOWS\System32\ekretu\iwvshy.exe
O4 - HKLM\..\Run: [iuwksxl] C:\WINDOWS\System32\qhvwj\iuwksxl.exe
O4 - HKLM\..\Run: [iujf] C:\WINDOWS\System32\cfqvk\iujf.exe
O4 - HKLM\..\Run: [inku] C:\WINDOWS\System32\lfqff\inku.exe
O4 - HKLM\..\Run: [ilsgsxnn] C:\WINDOWS\System32\hhlums\ilsgsxnn.exe
O4 - HKLM\..\Run: [ilet] C:\WINDOWS\System32\kkphxm\ilet.exe
O4 - HKLM\..\Run: [ihmpb] C:\WINDOWS\System32\oalaj\ihmpb.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ibfsci] C:\WINDOWS\System32\naypdst\ibfsci.exe
O4 - HKLM\..\Run: [hykwjly] C:\WINDOWS\System32\wkiayxl\hykwjly.exe
O4 - HKLM\..\Run: [hyhnatrc] C:\WINDOWS\System32\uknabdsj\hyhnatrc.exe
O4 - HKLM\..\Run: [hyfcp] C:\WINDOWS\System32\rwxeo\hyfcp.exe
O4 - HKLM\..\Run: [hvpn] C:\WINDOWS\System32\uykpwkqf\hvpn.exe
O4 - HKLM\..\Run: [hujshsf] c:\windows\hujshsf.exe
O4 - HKLM\..\Run: [hsoqenla] C:\WINDOWS\System32\pquilgkd\hsoqenla.exe
O4 - HKLM\..\Run: [hshnin] C:\DOCUME~1\kathy\LOCALS~1\Temp\bdfm.exe
O4 - HKLM\..\Run: [hsdty] C:\WINDOWS\System32\jittaix\hsdty.exe
O4 - HKLM\..\Run: [hpgple] C:\WINDOWS\System32\asllx\hpgple.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hklsgyvw] C:\WINDOWS\System32\lnqs\hklsgyvw.exe
O4 - HKLM\..\Run: [hiav] C:\WINDOWS\System32\vtdkxr\hiav.exe
O4 - HKLM\..\Run: [hhiea] C:\WINDOWS\System32\oycud\hhiea.exe
O4 - HKLM\..\Run: [heykqn] C:\WINDOWS\System32\woqlvw\heykqn.exe
O4 - HKLM\..\Run: [hdjxqjlv] C:\WINDOWS\System32\worhxbj\hdjxqjlv.exe
O4 - HKLM\..\Run: [hdhpcp] C:\WINDOWS\System32\ctfmc\hdhpcp.exe
O4 - HKLM\..\Run: [hbepxf] C:\WINDOWS\System32\utvnn\hbepxf.exe
O4 - HKLM\..\Run: [gxxwxeuu] C:\WINDOWS\System32\hcsvec\gxxwxeuu.exe
O4 - HKLM\..\Run: [gutovh] C:\WINDOWS\System32\jtwkfelk\gutovh.exe
O4 - HKLM\..\Run: [guhsi] C:\WINDOWS\System32\ljycu\guhsi.exe
O4 - HKLM\..\Run: [gtsg] C:\WINDOWS\System32\wxugscg\gtsg.exe
O4 - HKLM\..\Run: [gtdstbv] C:\WINDOWS\System32\ubnkpay\gtdstbv.exe
O4 - HKLM\..\Run: [gprsjrnv] C:\WINDOWS\System32\vnbjxk\gprsjrnv.exe
O4 - HKLM\..\Run: [gpcv] C:\WINDOWS\System32\givsajg\gpcv.exe
O4 - HKLM\..\Run: [gjotkloc] C:\WINDOWS\System32\cqjejmfg\gjotkloc.exe
O4 - HKLM\..\Run: [gidnjd] C:\WINDOWS\System32\uwsakyqr\gidnjd.exe
O4 - HKLM\..\Run: [gfveph] C:\WINDOWS\System32\fttv\gfveph.exe
O4 - HKLM\..\Run: [geegk] C:\WINDOWS\System32\mdmpnw\geegk.exe
O4 - HKLM\..\Run: [fsmj] C:\WINDOWS\System32\ygdk\fsmj.exe
O4 - HKLM\..\Run: [fqyqanrj] C:\WINDOWS\System32\tfmekvrj\fqyqanrj.exe
O4 - HKLM\..\Run: [fpeo] C:\WINDOWS\System32\ljwqxwa\fpeo.exe
O4 - HKLM\..\Run: [fmrqjh] C:\WINDOWS\System32\uefcw\fmrqjh.exe
O4 - HKLM\..\Run: [fjkklspe] C:\WINDOWS\System32\pquyq\fjkklspe.exe
O4 - HKLM\..\Run: [fcpp] C:\WINDOWS\System32\yunro\fcpp.exe
O4 - HKLM\..\Run: [fbylwwvb] C:\WINDOWS\System32\oywx\fbylwwvb.exe
O4 - HKLM\..\Run: [fbbowr] C:\WINDOWS\System32\qrct\fbbowr.exe
O4 - HKLM\..\Run: [eyqch] C:\WINDOWS\System32\voxrfwr\eyqch.exe
O4 - HKLM\..\Run: [exusgwa] C:\WINDOWS\System32\xejbvpb\exusgwa.exe
O4 - HKLM\..\Run: [ewroqb] C:\WINDOWS\System32\adctnirf\ewroqb.exe
O4 - HKLM\..\Run: [embhl] C:\WINDOWS\System32\iyku\embhl.exe
O4 - HKLM\..\Run: [egonfv] C:\WINDOWS\System32\tjhrgahm\egonfv.exe
O4 - HKLM\..\Run: [efstg] C:\WINDOWS\System32\makfykhc\efstg.exe
O4 - HKLM\..\Run: [efbkr] C:\WINDOWS\System32\fkpcad\efbkr.exe
O4 - HKLM\..\Run: [dxif] C:\WINDOWS\System32\ivrdvpt\dxif.exe
O4 - HKLM\..\Run: [dwlqcuf] C:\WINDOWS\System32\yvdhy\dwlqcuf.exe
O4 - HKLM\..\Run: [dvxjoej] C:\WINDOWS\System32\msarsvp\dvxjoej.exe
O4 - HKLM\..\Run: [dshkqojo] C:\WINDOWS\System32\wvwvq\dshkqojo.exe
O4 - HKLM\..\Run: [dqwfqht] C:\WINDOWS\System32\miqjycu\dqwfqht.exe
O4 - HKLM\..\Run: [domuu] C:\WINDOWS\System32\egojx\domuu.exe
O4 - HKLM\..\Run: [dnpsg] C:\WINDOWS\System32\hmvo\dnpsg.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [demaw] C:\WINDOWS\System32\ujccen\demaw.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [cvxurwv] C:\WINDOWS\System32\bpjrmix\cvxurwv.exe
O4 - HKLM\..\Run: [curpien] C:\WINDOWS\System32\byrpjog\curpien.exe
O4 - HKLM\..\Run: [cuerx] C:\WINDOWS\System32\utyilcgk\cuerx.exe
O4 - HKLM\..\Run: [clqhpah] C:\WINDOWS\System32\vsmwcbug\clqhpah.exe
O4 - HKLM\..\Run: [cjvinhxk] C:\WINDOWS\System32\sefgyu\cjvinhxk.exe
O4 - HKLM\..\Run: [butuexg] C:\WINDOWS\System32\uxpdhpx\butuexg.exe
O4 - HKLM\..\Run: [bkwuasd] C:\WINDOWS\System32\bcfolru\bkwuasd.exe
O4 - HKLM\..\Run: [bkruo] C:\WINDOWS\System32\qwineysa\bkruo.exe
O4 - HKLM\..\Run: [bfhksid] C:\WINDOWS\System32\nvhfmsg\bfhksid.exe
O4 - HKLM\..\Run: [bdethbck] C:\WINDOWS\System32\hwkn\bdethbck.exe
O4 - HKLM\..\Run: [arltp] C:\WINDOWS\System32\ykinj\arltp.exe
O4 - HKLM\..\Run: [apoxqygg] C:\WINDOWS\System32\fafdxmug\apoxqygg.exe
O4 - HKLM\..\Run: [amskeg] C:\WINDOWS\System32\qgrrfvc\amskeg.exe
O4 - HKLM\..\Run: [aiwecdsy] C:\WINDOWS\System32\lvwevxp\aiwecdsy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [wsmaows] C:\WINDOWS\System32\lqig\wsmaows.exe
O4 - HKLM\..\Run: [awsdgyo] C:\WINDOWS\System32\ukbqhk\awsdgyo.exe
O4 - HKLM\..\Run: [hrkwk] C:\WINDOWS\System32\aqla\hrkwk.exe
O4 - HKLM\..\Run: [ikertvx] C:\WINDOWS\System32\rtbgjeoc\ikertvx.exe
O4 - HKLM\..\Run: [smogjrcs] C:\WINDOWS\System32\oxvchbjo\smogjrcs.exe
O4 - HKLM\..\Run: [ylrhwe] C:\WINDOWS\System32\vpxhea\ylrhwe.exe
O4 - HKLM\..\Run: [lyhqsa] C:\WINDOWS\System32\scoue\lyhqsa.exe
O4 - HKLM\..\Run: [mgyfwup] C:\WINDOWS\System32\qjnoio\mgyfwup.exe
O4 - HKLM\..\Run: [adeymjnq] C:\WINDOWS\System32\avvxw\adeymjnq.exe
O4 - HKLM\..\Run: [jcnrun] C:\WINDOWS\System32\ymducnua\jcnrun.exe
O4 - HKLM\..\Run: [amobh] C:\WINDOWS\System32\nwuaugyp\amobh.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kampua.exe reg_run
O4 - HKLM\..\Run: [xenuyqdp] C:\WINDOWS\System32\dnfen\xenuyqdp.exe
O4 - HKLM\..\Run: [ykaw] C:\WINDOWS\System32\bqotjw\ykaw.exe
O4 - HKLM\..\Run: [aaojubfs] C:\WINDOWS\System32\bseds\aaojubfs.exe
O4 - HKLM\..\Run: [raen] C:\WINDOWS\System32\kefgt\raen.exe
O4 - HKLM\..\Run: [mjayrq] C:\WINDOWS\System32\cuurw\mjayrq.exe
O4 - HKLM\..\Run: [jcnx] C:\WINDOWS\System32\kgltaegq\jcnx.exe
O4 - HKLM\..\Run: [wbbcx] C:\WINDOWS\System32\kkcofbm\wbbcx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uknkpl] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: kcpi.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lqqpprvtlh - Unknown owner - C:\WINDOWS\System32\rvtlh\lqqpp.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)




#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:03:27 AM

Posted 02 August 2005 - 01:41 AM

Hello .Prodigy. and welcome to the BC malware forum. Ok, you asked for it :thumbsup: After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Download LSP-Fix to your desktop. Do not run it yet.

Now we need to remove some services.

Open Notepad and Copy/Paste the contents of the quote box below into the new document:

 
' Service Removal Tool: stops, disables and deletes one Windows service through WMI
Const title = "Service Removal Tool"

Set oWS = CreateObject("Wscript.Shell")
' Ask which service to remove; the default is the rogue service from the log
sService = inputbox("Removing Service:",title,"lqqpprvtlh")

If sService = "" then
msgbox "Script halted. No changes were made.", vbInformation, title
wscript.quit
End If

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Match on either the short service name or the display name
Set colListOfServices = objWMIService.ExecQuery _
("Select * from Win32_Service Where Name = '" & sService & "' or displayName = '" & sService & "'")
If colListOfServices.count > 0 Then
For Each objService In colListOfServices
' Stop it, disable it so it cannot restart, then delete it
objService.StopService()
wscript.Sleep 5000
objService.ChangeStartMode("Disabled")
wscript.Sleep 2000
' Delete() only marks a service that is still running for deletion at the next reboot
objService.Delete()
Msgbox "The " & sService & " service has been removed or marked for deletion.", vbInformation, title
Next
Else
Msgbox "The " & sService & " service was not found.", vbInformation, title
End If


Save the file to your desktop as remsvc.vbs and close Notepad. Locate the remsvc.vbs file on your desktop and double-click on it to run it. Click the Ok button and wait for a message box saying the service has been removed or marked for deletion.

Run the remsvc.vbs again for each of the services listed below. When the window opens, type the name of the service into the editbox and then click the Ok button:

SvcProc
WinToolsSvc

Launch Notepad again, and copy/paste the text in the quotebox below into the new document. Save it to your desktop as regfix.reg :

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"msnappau"="C:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-us\\msnappau.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
"Dell AIO Printer A920"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\""
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""


Locate regfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {C33BCD22-7CBD-0530-EBFA-24C0CD9309B1} - (no file)
O2 - BHO: (no name) - {C33BCD2C-7CBD-7446-EB81-22C0C6E409CC} - (no file)
O2 - BHO: (no name) - {C370527A-24A7-4583-BE01-72E59000EB17} - (no file)
O2 - BHO: (no name) - {E0B91701-A3CD-A839-9C00-AAC816FF2A9A} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKCU\..\Run: [Uknkpl] C:\WINDOWS\System32\??rvices.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: kcpi.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\svcproc.exe
C:\WINDOWS\wxedyd.exe
c:\windows\hujshsf.exe
C:\WINDOWS\System32\kampua.exe
C:\WINDOWS\System32\rvtlh\ <--folder
C:\WINDOWS\System32\cdqmellj\ <--folder
C:\WINDOWS\System32\mwwcwxn\ <--folder
C:\WINDOWS\System32\efawmel\ <--folder
C:\WINDOWS\System32\eeudhu\ <--folder
C:\WINDOWS\System32\yynbhls\ <--folder
C:\WINDOWS\System32\fdeh\ <--folder
C:\WINDOWS\System32\dsrpr\ <--folder
C:\WINDOWS\System32\kgsq\ <--folder
C:\WINDOWS\System32\oxbkock\ <--folder
C:\WINDOWS\System32\eitrd\ <--folder
C:\WINDOWS\System32\lhtq\ <--folder
C:\WINDOWS\System32\pdjgkvcp\ <--folder
C:\WINDOWS\System32\xhlcl\ <--folder
C:\WINDOWS\System32\tlvnhesg\ <--folder
C:\WINDOWS\System32\yotsrds\ <--folder
C:\WINDOWS\System32\kosvg\ <--folder
C:\WINDOWS\System32\eohqrht\ <--folder
C:\WINDOWS\System32\yolecgpv\ <--folder
C:\WINDOWS\System32\qupmxrm\ <--folder
C:\WINDOWS\System32\gqclmbc\ <--folder
C:\WINDOWS\System32\ynvhu\ <--folder
C:\WINDOWS\System32\drcw\ <--folder
C:\WINDOWS\System32\cktopb\ <--folder
C:\WINDOWS\System32\ylbuqw\ <--folder
C:\WINDOWS\System32\vnjmnrko\ <--folder
C:\WINDOWS\System32\lnyyh\ <--folder
C:\WINDOWS\System32\tyatqsy\ <--folder
C:\WINDOWS\System32\sivnmidt\ <--folder
C:\WINDOWS\System32\yiysg\ <--folder
C:\WINDOWS\System32\nfbtubx\ <--folder
C:\WINDOWS\System32\nwmywnv\ <--folder
C:\WINDOWS\System32\dkjvl\ <--folder
C:\WINDOWS\System32\uuxtsa\ <--folder
C:\WINDOWS\System32\tlnktwa\ <--folder
C:\WINDOWS\System32\gpitte\ <--folder
C:\WINDOWS\System32\clegu\ <--folder
C:\WINDOWS\System32\jphasyej\ <--folder
C:\WINDOWS\System32\uasxkj\ <--folder
C:\WINDOWS\System32\pdtde\ <--folder
C:\WINDOWS\System32\xtfovkf\ <--folder
C:\WINDOWS\System32\ekxs\ <--folder
C:\WINDOWS\System32\ddkm\ <--folder
C:\WINDOWS\System32\qbdfki\ <--folder
C:\WINDOWS\System32\acirv\ <--folder
C:\WINDOWS\System32\uvdnpki\ <--folder
C:\WINDOWS\System32\rabhsnl\ <--folder
C:\WINDOWS\System32\eibugd\ <--folder
C:\WINDOWS\System32\pdifmlo\ <--folder
C:\WINDOWS\System32\tftb\ <--folder
C:\WINDOWS\System32\hjnobnj\ <--folder
C:\WINDOWS\System32\opfl\ <--folder
C:\WINDOWS\System32\ovcay\ <--folder
C:\WINDOWS\System32\sudydbs\ <--folder
C:\WINDOWS\System32\chal\ <--folder
C:\WINDOWS\System32\ugawqjog\ <--folder
C:\WINDOWS\System32\uxpdhpx\ <--folder
C:\WINDOWS\System32\ewjhygu\ <--folder
C:\WINDOWS\System32\uaekm\ <--folder
C:\WINDOWS\System32\ldkdnb\ <--folder
C:\WINDOWS\System32\hvtsjd\ <--folder
C:\WINDOWS\System32\giccm\ <--folder
C:\WINDOWS\System32\nixldj\ <--folder
C:\WINDOWS\System32\xberlho\ <--folder
C:\WINDOWS\System32\uabu\ <--folder
C:\WINDOWS\System32\qsouay\ <--folder
C:\WINDOWS\System32\pmpk\ <--folder
C:\WINDOWS\System32\rnbeff\ <--folder
C:\WINDOWS\System32\stolwaf\ <--folder
C:\WINDOWS\System32\vogs\ <--folder
C:\WINDOWS\System32\eudo\ <--folder
C:\WINDOWS\System32\cbfpn\ <--folder
C:\WINDOWS\System32\fdoavl\ <--folder
C:\WINDOWS\System32\iorgvo.exe
C:\WINDOWS\System32\btwcggjq\ <--folder
C:\WINDOWS\System32\nejstwav\ <--folder
C:\WINDOWS\System32\hhfvy\ <--folder
C:\WINDOWS\System32\dijy\ <--folder
C:\WINDOWS\System32\aylsjow\ <--folder
C:\WINDOWS\System32\ykbo\ <--folder
C:\WINDOWS\System32\ehgct\ <--folder
C:\WINDOWS\System32\grvjsmr\ <--folder
C:\WINDOWS\System32\ktuyfsai\ <--folder
C:\WINDOWS\System32\coxwueay\ <--folder
C:\WINDOWS\System32\gfkcxxt\ <--folder
C:\WINDOWS\System32\yjrk\ <--folder
C:\WINDOWS\System32\dmqkpiax\ <--folder
C:\WINDOWS\System32\fgbwy\ <--folder
C:\WINDOWS\System32\gnsf\ <--folder
C:\WINDOWS\System32\fsuud\ <--folder
C:\WINDOWS\System32\shcc\ <--folder
C:\WINDOWS\System32\dnbnns\ <--folder
C:\WINDOWS\System32\acdxnqr\ <--folder
C:\WINDOWS\System32\tcmduxne\ <--folder
C:\WINDOWS\System32\epdwuatf\ <--folder
C:\WINDOWS\System32\suxhpjix\ <--folder
C:\WINDOWS\System32\ekretu\ <--folder
C:\WINDOWS\System32\qhvwj\ <--folder
C:\WINDOWS\System32\cfqvk\ <--folder
C:\WINDOWS\System32\lfqff\ <--folder
C:\WINDOWS\System32\hhlums\ <--folder
C:\WINDOWS\System32\kkphxm\ <--folder
C:\WINDOWS\System32\oalaj\ <--folder
C:\WINDOWS\System32\naypdst\ <--folder
C:\WINDOWS\System32\wkiayxl\ <--folder
C:\WINDOWS\System32\uknabdsj\ <--folder
C:\WINDOWS\System32\rwxeo\ <--folder
C:\WINDOWS\System32\uykpwkqf\ <--folder
C:\WINDOWS\System32\pquilgkd\ <--folder
C:\WINDOWS\System32\jittaix\ <--folder
C:\WINDOWS\System32\asllx\ <--folder
C:\WINDOWS\System32\lnqs\ <--folder
C:\WINDOWS\System32\vtdkxr\ <--folder
C:\WINDOWS\System32\oycud\ <--folder
C:\WINDOWS\System32\woqlvw\ <--folder
C:\WINDOWS\System32\worhxbj\ <--folder
C:\WINDOWS\System32\ctfmc\ <--folder
C:\WINDOWS\System32\utvnn\ <--folder
C:\WINDOWS\System32\hcsvec\ <--folder
C:\WINDOWS\System32\jtwkfelk\ <--folder
C:\WINDOWS\System32\ljycu\ <--folder
C:\WINDOWS\System32\wxugscg\ <--folder
C:\WINDOWS\System32\ubnkpay\ <--folder
C:\WINDOWS\System32\vnbjxk\ <--folder
C:\WINDOWS\System32\givsajg\ <--folder
C:\WINDOWS\System32\cqjejmfg\ <--folder
C:\WINDOWS\System32\uwsakyqr\ <--folder
C:\WINDOWS\System32\fttv\ <--folder
C:\WINDOWS\System32\mdmpnw\ <--folder
C:\WINDOWS\System32\ygdk\ <--folder
C:\WINDOWS\System32\tfmekvrj\ <--folder
C:\WINDOWS\System32\ljwqxwa\ <--folder
C:\WINDOWS\System32\uefcw\ <--folder
C:\WINDOWS\System32\pquyq\ <--folder
C:\WINDOWS\System32\yunro\ <--folder
C:\WINDOWS\System32\oywx\ <--folder
C:\WINDOWS\System32\qrct\ <--folder
C:\WINDOWS\System32\voxrfwr\ <--folder
C:\WINDOWS\System32\xejbvpb\ <--folder
C:\WINDOWS\System32\adctnirf\ <--folder
C:\WINDOWS\System32\iyku\ <--folder
C:\WINDOWS\System32\tjhrgahm\ <--folder
C:\WINDOWS\System32\makfykhc\ <--folder
C:\WINDOWS\System32\fkpcad\ <--folder
C:\WINDOWS\System32\ivrdvpt\ <--folder
C:\WINDOWS\System32\yvdhy\ <--folder
C:\WINDOWS\System32\msarsvp\ <--folder
C:\WINDOWS\System32\wvwvq\ <--folder
C:\WINDOWS\System32\miqjycu\ <--folder
C:\WINDOWS\System32\egojx\ <--folder
C:\WINDOWS\System32\hmvo\ <--folder
C:\WINDOWS\System32\ujccen\ <--folder
C:\WINDOWS\System32\bpjrmix\ <--folder
C:\WINDOWS\System32\byrpjog\ <--folder
C:\WINDOWS\System32\utyilcgk\ <--folder
C:\WINDOWS\System32\vsmwcbug\ <--folder
C:\WINDOWS\System32\sefgyu\ <--folder
C:\WINDOWS\System32\uxpdhpx\ <--folder
C:\WINDOWS\System32\bcfolru\ <--folder
C:\WINDOWS\System32\qwineysa\ <--folder
C:\WINDOWS\System32\nvhfmsg\ <--folder
C:\WINDOWS\System32\hwkn\ <--folder
C:\WINDOWS\System32\ykinj\ <--folder
C:\WINDOWS\System32\fafdxmug\ <--folder
C:\WINDOWS\System32\qgrrfvc\ <--folder
C:\WINDOWS\System32\lvwevxp\ <--folder
C:\WINDOWS\System32\lqig\ <--folder
C:\WINDOWS\System32\ukbqhk\ <--folder
C:\WINDOWS\System32\aqla\ <--folder
C:\WINDOWS\System32\rtbgjeoc\ <--folder
C:\WINDOWS\System32\oxvchbjo\ <--folder
C:\WINDOWS\System32\vpxhea\ <--folder
C:\WINDOWS\System32\scoue\ <--folder
C:\WINDOWS\System32\qjnoio\ <--folder
C:\WINDOWS\System32\avvxw\ <--folder
C:\WINDOWS\System32\ymducnua\ <--folder
C:\WINDOWS\System32\nwuaugyp\ <--folder
C:\WINDOWS\System32\dnfen\ <--folder
C:\WINDOWS\System32\bqotjw\ <--folder
C:\WINDOWS\System32\bseds\ <--folder
C:\WINDOWS\System32\kefgt\ <--folder
C:\WINDOWS\System32\cuurw\ <--folder
C:\WINDOWS\System32\kgltaegq\ <--folder
C:\WINDOWS\System32\kkcofbm\ <--folder
C:\Program Files\Common Files\WinTools\ <--folder
C:\Program Files\Common Files\GMT\ <--folder
C:\Program Files\MyWebSearch\ <--folder
C:\Program Files\PrecisionTime\ <--folder
C:\Program Files\VVSN\ <--folder
C:\DOCUME~1\kristen\LOCALS~1\Temp\rdygip.exe
C:\DOCUME~1\kathy\LOCALS~1\Temp\bdfm.exe

Now perform a search for these files and delete all instances. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

kcpi.exe

Step #5

Disconnect from the Internet and close all Internet Explorer Windows. Run LspFix.exe and click in the checkbox for I know what I'm doing. Click on each listing of cdlsp.dll and then move it into the Remove section by clicking on the >> button that points to the right. When all instances of this dll are in the Remove section press the Finish button.

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:

Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

AdAware SE v1.06

Download, install, update, configure and run a scan with Ad-aware SE v1.06:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
        • Automatically quarantine objects prior to removal
        • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include additional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Right-click on the list and choose Select All
  • Click the Next button to finish removing the items that were found
  • When finished, REBOOT to complete the removal of what Ad-Aware SE found
Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
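As an added example (not code from this thread or from OldTimer), here is a Python triage script for the O4 Run lines of a HijackThis log like the one above. It parses each line, gives it a verdict based on where the executable lives (the two patterns that dominate this log are an .exe in an ad-hoc subfolder of System32 and an .exe launched from a user's Temp folder, plus a path HijackThis could only print with ? characters), and then drafts a REGEDIT4 file in the same shape as regfix.reg: delete the HKLM Run key and re-add only the whitelisted entries. The sample log lines and the whitelist are constructed from entries in this thread; the verdict labels are assumptions of this example.

```python
import re
from dataclasses import dataclass

# A HijackThis O4 Run line, e.g.
#   O4 - HKLM\..\Run: [ndnkl] C:\WINDOWS\System32\fdoavl\ndnkl.exe
O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# First .exe path in the command, with or without surrounding quotes
EXE_PATH = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
# An .exe one folder below System32: the legitimate Run entries in this log
# (igfxtray.exe, hkcmd.exe) live directly in System32, the rogue ones do not
SYS32_SUBDIR = re.compile(r'^[A-Z]:\\WINDOWS\\System32\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)
# A user's Temp folder in either short (8.3) or long form
TEMP_DIR = re.compile(r'\\(LOCALS~1|Local Settings)\\Temp\\', re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str
    name: str
    cmd: str
    verdict: str


def parse_o4_lines(log_text, keep_names):
    """Return one RunEntry per O4 Run line, each with a triage verdict.

    keep_names is the reviewer's whitelist (the entries the fix re-adds);
    everything else is scored by where its executable lives.
    """
    keep = {n.lower() for n in keep_names}
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.group('hive'), m.group('name'), m.group('cmd')
        p = EXE_PATH.match(cmd)
        path = p.group('path') if p else cmd
        if name.lower() in keep:
            verdict = 'keep'
        elif TEMP_DIR.search(path):
            verdict = 'temp-launch'
        elif '?' in path:
            # '?' is not legal in a file name; HijackThis printed it for
            # characters it could not display (the ??rvices.exe entry above)
            verdict = 'unprintable-name'
        elif SYS32_SUBDIR.match(path):
            verdict = 'system32-subfolder'
        else:
            verdict = 'review'
        entries.append(RunEntry(hive, name, cmd, verdict))
    return entries


def reg_escape(value):
    """Escape a REG_SZ value for a .reg file: backslashes first, then quotes."""
    return value.replace('\\', '\\\\').replace('"', '\\"')


def build_regfix(entries):
    """Draft a REGEDIT4 file in the shape of regfix.reg above: delete the
    whole HKLM Run key, then re-create it with only the 'keep' entries."""
    key = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    lines = ['REGEDIT4', '', '[-' + key + ']', '[' + key + ']']
    for e in entries:
        if e.hive == 'HKLM' and e.verdict == 'keep':
            lines.append('"%s"="%s"' % (e.name, reg_escape(e.cmd)))
    return '\n'.join(lines) + '\n'


# Constructed sample: eight O4 lines taken from the log above plus one O23
# line that the parser must ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ndnkl] C:\WINDOWS\System32\fdoavl\ndnkl.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\iorgvo.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hshnin] C:\DOCUME~1\kathy\LOCALS~1\Temp\bdfm.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kampua.exe reg_run
O4 - HKCU\..\Run: [Uknkpl] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""
# The names regfix.reg above keeps, plus the one legitimate HKCU entry
KEEP = ['TkBellExe', 'QuickTime Task', 'msnappau', 'IgfxTray', 'HotKeysCmds',
        'DIGStream', 'Dell AIO Printer A920', 'AdaptecDirectCD', 'SuperAdBlocker']

if __name__ == '__main__':
    found = parse_o4_lines(SAMPLE_LOG, KEEP)
    for e in found:
        print('%-18s %s [%s] %s' % (e.verdict, e.hive, e.name, e.cmd))
    print(build_regfix(found))
```

Entries marked review (a plain System32 path with an unfamiliar name, like kampua.exe here) still need a human look; the script only sorts the log, it does not decide what to delete.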


#4 .Prodigy.

.Prodigy.
  • Topic Starter

  • Members
  • 155 posts
  • OFFLINE
  •  
  • Location:New York
  • Local time:03:27 AM

Posted 02 August 2005 - 08:13 PM

i've run into a couple problems, first of all, after reading through your instructions completely, i want to mention that the computer with the viruses is not connected to the internet. i am posting these messages from my own personal computer, and the logs are from an entirely different computer.

secondly, i've copied and pasted the code for remsvc exactly, and when i try to run it i get an error saying "This application has failed to start because ScrRun.dll was not found. Re-installing the application may fix this problem."

i don't want to continue without completing this step, because it might cause errors later on. i'll wait for you to reply with further instructions before continuing.



#5 OldTimer


Posted 02 August 2005 - 10:20 PM

Hi .Prodigy.. You will either need to re-install WinXP or replace the missing file. You can download it from here: http://www.5starsupport.com/info/dll.htm and put it in your c:\windows\system32 folder and see if that works.

Cheers.

OT


#6 .Prodigy.


Posted 03 August 2005 - 11:11 AM

Thanks OldTimer, i found the file on that webpage, but now i'm getting more errors.

i placed the dll file on the desktop along with remsvc and tried to run it again. this time, i get an error saying "The procedure entry point DoOpenPipeStream could not be located in the dynamic link library ScrRun.dll"

is this computer too infected to be recovered? should i just run a system restore on it?




#7 OldTimer


Posted 03 August 2005 - 12:07 PM

Hi .Prodigy.. The dll file needs to be in the c:\windows\system32 folder. Not the desktop.

Cheers.

OT


#8 .Prodigy.


Posted 03 August 2005 - 08:58 PM

i put scrrun.dll in the system32 folder and got the same results, the same error pops up followed by an error saying:

Windows Script Host:
Script: C\Documents and Settings\kathy\Desktop\remscv.vbs
Line: 3
Char: 1
Error: The specified procedure could not be found

Code: 8007007F
Source: (null)





#9 OldTimer


Posted 03 August 2005 - 10:29 PM

Hi .Prodigy.. Then there are other issues with the script service on that machine.

Try stopping it manually. Click Start>Run, type cmd into the Open editbox and click the Ok button. Now type each of the commands below into the command prompt window pressing the Enter key after each one:

sc config lqqpprvtlh start= disabled
sc stop lqqpprvtlh
sc delete lqqpprvtlh

Then proceed with the rest of the fix.

Cheers.

OT


#10 .Prodigy.


Posted 04 August 2005 - 03:21 PM

thanks oldtimer, i got success messages on every command in the cmd console and everything else worked fine. (could the script problem be because the comp is running SP1?)

here's my new HJT Logfile: (noticeably smaller)

Logfile of HijackThis v1.99.1
Scan saved at 9:13:50 PM, on 8/3/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7210e87e3912d997c94a92cc081e02d4\update\update.exe
C:\Documents and Settings\kathy\Desktop\backups\HijackThis.exe

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Uknkpl] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)




thanks again for all your help!



#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 04 August 2005 - 03:55 PM

Hi .Prodigy.. That looks better. In regards to the script, the scripting engine is built into the OS. This machine has a corrupted engine and will not be able to run scripts.

Next, let's look for some files.

Open Notepad and copy/paste the text in the quotebox below into the new document:

rem /a lists matching files whatever their attributes, hidden ones included
dir C:\WINDOWS\System32\??rvices.exe /a > files.txt
notepad files.txt


Save the document to your desktop as findfile.bat and close Notepad. Locate the findfile.bat file on your desktop and double-click on it to run it. Notepad should open up with some information in it. Post that information back here so I can review it.

Cheers.

OT

Edited by OldTimer, 04 August 2005 - 03:55 PM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#12 .Prodigy.

.Prodigy.
  • Topic Starter

  • Members
  • 155 posts
  • Location:New York

Posted 04 August 2005 - 05:13 PM

here's what i got from findfile:

Volume in drive C has no label.
Volume Serial Number is 28DF-8B3B

Directory of C:\WINDOWS\System32

08/29/2002 06:00 AM 101,376 SERVICES.EXE
1 File(s) 101,376 bytes

Directory of C:\Documents and Settings\kathy\Desktop


Directory of C:\Documents and Settings\kathy\Desktop


Directory of C:\Documents and Settings\kathy\Desktop

08/03/2003 11:08 PM 0 files.txt
1 File(s) 0 bytes
0 Dir(s) 32,983,113,728 bytes free



#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 04 August 2005 - 05:54 PM

Hi .Prodigy. I don't think that is a valid windows file. Let's have it checked out.

Go to Jotti's malware scan page and use the buttons at the top of the page to browse to this file(s) on your hard drive to submit for a scan: C:\WINDOWS\System32\SERVICES.EXE
Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.

Cheers.

OT


#14 .Prodigy.

.Prodigy.
  • Topic Starter

  • Members
  • 155 posts
  • Location:New York

Posted 04 August 2005 - 09:28 PM

i ran the virus scan on services.exe and all 14 scans "Found nothing" and the status on it is OK.

Edited by .Prodigy., 04 August 2005 - 09:30 PM.



#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 04 August 2005 - 10:58 PM

Hi .Prodigy. Ok, then let's finish this off. Please print these directions and then proceed with the following steps in order.

Step #1

Open Notepad and copy/paste the text in the quotebox below into the new document:

cd\windows
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
sc config WinToolsSvc start= disabled
sc stop WinToolsSvc
sc delete WinToolsSvc
attrib -s -r -h C:\WINDOWS\svcproc.exe
del C:\WINDOWS\svcproc.exe
exit


Save the document to your desktop as remsvc.bat and close Notepad. Locate the remsvc.bat file on your desktop and double-click on it to run it.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O4 - HKCU\..\Run: [Uknkpl] C:\WINDOWS\System32\??rvices.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7210e87e3912d997c94a92cc081e02d4\update\update.exe
C:\Program Files\Common Files\WinTools\ <--folder

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:

  • Bitdefender <<<Add a check by 'Autoclean'.
  • RAV <<<Add a check by 'Autoclean', leave everything else as is.
  • eTrust <<<'Cure' whatever is found, then delete if unsuccessful.
  • Housecall <<<Put on 'Autoclean' and delete what it can't clean.
  • Panda ActiveScan <<<Accept default settings.

If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

Start AdAware SE and update it. Then, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

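As an added example that is not part of this thread, here is a small Python triage script that applies the signals OldTimer acted on above to the O4 (Run key) and O23 (service) lines of a HijackThis log: a service with "Unknown owner", a "(file missing)" path, a path HijackThis rendered with "?" placeholders, and a filename one or two characters away from a core Windows binary. The sample lines are copied from the log posted in this thread; the list of system binaries and the two-character threshold are my assumptions.

```python
import re
# Sample input: O4 and O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKCU\..\Run: [Uknkpl] C:\WINDOWS\System32\??rvices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
""".strip()
# Both patterns expose the same group names so one loop can handle either section.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*) \((?P<name>[^()]*)\) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|com|bat|scr)\b', re.I)
# Core Windows binaries that malware imitates by name (assumed list, taken from the log's process section).
SYSTEM_NAMES = ("services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe")

def lookalike(basename):
    """System binary this filename imitates (same length, at most 2 characters differ), else None."""
    for real in SYSTEM_NAMES:
        if basename != real and len(basename) == len(real) and sum(a != b for a, b in zip(basename, real)) <= 2:
            return real
    return None

def reasons_for(path, owner=None):
    """Apply the checks the thread relied on to one entry; an empty list means nothing looked odd."""
    reasons = []
    if owner == "Unknown owner":
        reasons.append("no publisher recorded for the service")
    if "(file missing)" in path:
        reasons.append("entry points at a file that no longer exists")
    m = EXE_RE.search(path)
    if m:
        exe = m.group(0)
        if "?" in exe:  # HijackThis prints ? for characters it cannot render, e.g. ??rvices.exe
            reasons.append("path contains characters HijackThis could not render")
        real = lookalike(exe.rsplit("\\", 1)[-1].lower())
        if real:
            reasons.append("filename imitates system binary " + real)
    return reasons

def triage_log(text):
    """Return [(section, name, reasons)] for every O4/O23 line that trips at least one check."""
    hits = []
    for line in text.splitlines():
        m = O4_RE.match(line) or O23_RE.match(line)
        if m:
            reasons = reasons_for(m.group("path"), m.groupdict().get("owner"))
            if reasons:
                hits.append((line.split(" ", 1)[0], m.group("name"), reasons))
    return hits
```

Run against SAMPLE_LOG it flags exactly the three entries OldTimer had removed (Uknkpl, SvcProc, WinToolsSvc) and leaves the Dell and Lexmark entries alone.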



