
Ahhh Maxifiles Trojans Ulwindow Seek/ulwindowurl Keeps Popping Up


This topic is locked
2 replies to this topic

#1 sugartaspice

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:29 PM

Posted 16 June 2006 - 05:41 PM

I have run Spybot, Spyware Doctor, HouseCall, Panda, ewido, micro, but they just keep coming back. I get rogue antispyware messages and my homepage gets changed. I have seen a command prompt pop up and then go away...

Logfile of HijackThis v1.99.1
Scan saved at 3:42:44 PM, on 6/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Misha\MYDOCU~1\ICROSO~1.NET\explorer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trillian\trillian.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\Downloaded Program Files\rdgUS2404.exe
C:\WINDOWS\TEMP\h91746.exe
D:\stuff\dl\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.intel.com/
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqrsqo.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [9a322ab4.exe] C:\WINDOWS\system32\9a322ab4.exe
O4 - HKLM\..\RunOnce: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /RM /FS /X
O4 - HKCU\..\Run: [Nvflcz] C:\DOCUME~1\Misha\MYDOCU~1\ICROSO~1.NET\explorer.exe
O4 - HKCU\..\Run: [Rscu] "C:\WINDOWS\WNSXS~1\rundll32.exe" -vt ndrv
O4 - HKCU\..\Run: [9a322ab4.exe] C:\Documents and Settings\Misha\Local Settings\Application Data\9a322ab4.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://homepage.mac.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://211.18.192.148/kxhcm10.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150436331875
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\scanregw.dll
O20 - Winlogon Notify: ssqrsqo - C:\WINDOWS\SYSTEM32\ssqrsqo.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Panda adware scan result

Incident Status Location

Adware:Adware/PurityScan Not disinfected c:\docume~1\misha\mydocu~1\icroso~1.net\explorer.exe
Adware:Adware/SystemDoctor Not disinfected c:\windows\system32\9a322ab4.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\TEMP\h91746.exe
Adware:adware/xpasswordmanager Not disinfected c:\windows\system32\ld100.tmp
Dialer:dialer.avv Not disinfected c:\windows\downloaded program files\gdnUS2338.exe
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:adware/sidesearch Not disinfected Windows Registry
Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\Misha\Local Settings\Application Data\9a322ab4.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Misha\Local Settings\Temp\win12D.tmp.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Misha\My Documents\?icrosoft.NET\explorer.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\__delete_on_reboot__scanregw.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\__delete_on_reboot__winmxw32.dll
Adware:Adware/PicsPlace Not disinfected C:\WINDOWS\Temp\win10D.tmp.exe
Adware:Adware/PicsPlace Not disinfected C:\WINDOWS\Temp\win114.tmp.exe
Adware:Adware/PicsPlace Not disinfected C:\WINDOWS\Temp\win164.tmp.exe
Adware:Adware/PicsPlace Not disinfected C:\WINDOWS\Temp\win170.tmp.exe
Adware:Adware/PicsPlace Not disinfected C:\WINDOWS\Temp\__delete_on_reboot__win107.tmp.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\W?nSxS\rundll32.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\W?nSxS\WNSXS~1\!update-3955.0000

#2 Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:29 AM

Posted 16 June 2006 - 06:49 PM

Welcome aboard.. :thumbsup:

-> Click Start, Run and type in: msconfig
-> Hit Enter
-> Click on the Startup-tab and make sure there are checkmarks in every entry.
-> Then hit OK until the window closes.

==

Next:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files
  • Copy & paste the 2 entries below into the top 2 boxes
    • C:\WINDOWS\system32\ssqrsqo.dll
    • C:\WINDOWS\system32\oqsrqss.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log. :flowers:

Hi there, stranger!
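The following script is an added example written for this thread; it is not HijackThis code and not part of the helper's procedure above. It runs a handful of triage heuristics over a subset of the log lines posted in #1 (copied from that log) and returns the entries that the reply in #2 ended up targeting: autoruns launched from temp or user-writable folders, random-looking 8-hex-digit file names, an O16 ActiveX download from a bare IP host, and the O20 AppInit_DLLs / Winlogon Notify hooks. The heuristics themselves are assumptions chosen for illustration, not rules from the page. The `reversed_twin` helper covers the VundoFix step in #2, which pairs ssqrsqo.dll with oqsrqss.*, the same base name spelled backwards.

```python
"""Triage helper for HijackThis v1.99 log entries (added example for this thread)."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Lines copied from the log posted in #1 (a subset that exercises every rule).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Downloaded Program Files\rdgUS2404.exe
C:\WINDOWS\TEMP\h91746.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqrsqo.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [9a322ab4.exe] C:\WINDOWS\system32\9a322ab4.exe
O4 - HKCU\..\Run: [Nvflcz] C:\DOCUME~1\Misha\MYDOCU~1\ICROSO~1.NET\explorer.exe
O4 - HKCU\..\Run: [Rscu] "C:\WINDOWS\WNSXS~1\rundll32.exe" -vt ndrv
O4 - HKCU\..\Run: [9a322ab4.exe] C:\Documents and Settings\Misha\Local Settings\Application Data\9a322ab4.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\scanregw.dll
O20 - Winlogon Notify: ssqrsqo - C:\WINDOWS\SYSTEM32\ssqrsqo.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Heuristics (assumptions for this example, not HijackThis rules).
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)
USER_WRITABLE = ("\\temp\\", "\\downloaded program files\\",
                 "\\local settings\\", "\\my documents\\", "\\mydocu~1\\")
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
# Path of an O4 autorun: after the "[name] " label, optionally quoted, up to the extension.
O4_PATH = re.compile(r'\] "?([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com))"?', re.IGNORECASE)


def path_findings(path):
    """Heuristics applied to any executable path (process list or autorun)."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    out = []
    if any(d in low for d in USER_WRITABLE):
        out.append("runs from a temp or user-writable location")
    if HEX_NAME.match(name):
        out.append("random-looking 8-hex-digit file name")
    return out


def is_ip_host(url):
    """True when the download host is a bare IP address rather than a hostname."""
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (reason, log line) pairs for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            if re.match(r"^[A-Za-z]:\\", line):  # plain path from "Running processes"
                findings += [(why, line) for why in path_findings(line)]
            continue
        kind, body = m.groups()
        if kind == "O2" and "(no name)" in body:
            findings.append(("BHO with no name", line))
        elif kind == "O4":
            pm = O4_PATH.search(body)
            if pm:
                findings += [(why, line) for why in path_findings(pm.group(1))]
        elif kind == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if is_ip_host(url):
                findings.append(("ActiveX download from a bare IP host", line))
        elif kind == "O20":
            findings.append(("AppInit_DLLs / Winlogon Notify hook; rarely legitimate", line))
    return findings


def reversed_twin(dll_name):
    """Companion pattern the VundoFix step in #2 uses: base name spelled backwards."""
    base = dll_name.rsplit(".", 1)[0]
    return base[::-1] + ".*"


if __name__ == "__main__":
    for why, line in triage(SAMPLE_LOG):
        print(f"[{why}] {line}")
    print(reversed_twin("ssqrsqo.dll"))
```

Running it lists ten findings for the sample: the two processes in TEMP and Downloaded Program Files, the unnamed BHO, the 9a322ab4.exe autoruns, the explorer.exe copy under My Documents, the ActiveX download from 85.255.114.166, and both O20 hooks; the Symantec service, the PCTools BHO and the MSConfig entry are left alone.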

#3 Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:29 AM

Posted 23 June 2006 - 06:14 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member with the address of this thread.
Hi there, stranger!