
Unsure, But Lots Of Popups, Possibly A Trojan?


4 replies to this topic

#1 pamstar

pamstar

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:17 AM

Posted 02 October 2006 - 07:28 AM

Hello,

I am having some difficulties with my computer. The McAfee scan every few minutes says that I have either a trojan or a virus. After cleaning out my computer with HouseCall, Ad-Aware and Spybot, the problem is still there. I normally use Firefox, and there are popups coming up in new tabs constantly. However, IE also opens and has popups in there without me ever starting it up. Also, when I initially turn on the computer, it says that it has trouble finding nswrszh.dll and mbexcl40.dll. I am also getting an error message about vkqtvmgA.exe and that it is not compatible with MS-DOS. I ran HijackThis and this is the log that I got.

Thank you!!!

Pam



Logfile of HijackThis v1.99.1
Scan saved at 8:21:03 AM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\WgaTray.exe
E:\Program Files\Messenger\msmsgs.exe
E:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
E:\WINDOWS\system32\?hkdsk.exe
E:\Program Files\PSDream\PSDream.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\WINDOWS\webshots.scr
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Windows Media Player\wmplayer.exe
E:\Documents and Settings\big p\Desktop\stng260.exe
E:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [dbwdps] E:\WINDOWS\system32\djslpt.exe reg_run
O4 - HKLM\..\Run: [vkqtvmgA] E:\WINDOWS\vkqtvmgA.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [keyman.exe] E:\Program Files\Tavultesoft\Keyman\keyman.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "E:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Lgeioaly] E:\WINDOWS\system32\?hkdsk.exe
O4 - HKCU\..\Run: [Uhst] E:\Documents and Settings\big p\Application Data\erlr.exe
O4 - HKCU\..\Run: [BitTorrent] "E:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [yxeeq] E:\WINDOWS\system32\djslpt.exe reg_run
O4 - HKCU\..\Run: [PSDream] "E:\Program Files\PSDream\PSDream.exe"
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O20 - Winlogon Notify: WebCheck - E:\WINDOWS\system32\ktr4l79q1.dll
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe


This is a message I just got from Symantec:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Dropper
File: E:\WINDOWS\vkqtvmg.exe
Location: Quarantine
Computer: PKSERT
User: big p
Action taken: Quarantine succeeded : Access denied
Date found: Monday, October 02, 2006 8:40:43 AM

Edited by pamstar, 02 October 2006 - 07:44 AM.
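As an added example (not from the thread, the HJT team, or HijackThis itself), here is a small Python triage script that parses O4 autostart lines like the ones in the log above and applies a few defensive heuristics a human reviewer would use: a `?` in a file name (a character HijackThis could not display, which here makes `?hkdsk.exe` resemble chkdsk.exe), an executable launched from the profile's Application Data folder, an executable sitting directly in the Windows root, a file name with no vowels, and one executable registered under several value names. The sample lines are copied from the log; the rules and their wording are this example's own. Note what the rules do and do not catch: PSDream.exe under Program Files passes every rule, while the legitimate msmsgs.exe trips the vowel rule, so the output is a shortlist for review, not a verdict.

```python
"""Heuristic triage of HijackThis O4 autostart lines.

Added example, not part of the original thread and not HijackThis code.
The sample lines are copied from the first log in the thread; the scoring
rules are this example's own heuristics for a human reviewer.
"""
import re
from dataclasses import dataclass

# Sample input: O4 lines taken from the first HijackThis log in the thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [dbwdps] E:\WINDOWS\system32\djslpt.exe reg_run',
    r'O4 - HKLM\..\Run: [vkqtvmgA] E:\WINDOWS\vkqtvmgA.exe',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background',
    r'O4 - HKCU\..\Run: [Lgeioaly] E:\WINDOWS\system32\?hkdsk.exe',
    r'O4 - HKCU\..\Run: [Uhst] E:\Documents and Settings\big p\Application Data\erlr.exe',
    r'O4 - HKCU\..\Run: [yxeeq] E:\WINDOWS\system32\djslpt.exe reg_run',
    r'O4 - HKCU\..\Run: [PSDream] "E:\Program Files\PSDream\PSDream.exe"',
    r'O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe',
]

# Registry Run-key form: O4 - HKLM\..\Run: [value name] command
O4_RUN = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Startup-folder form: O4 - Startup: Name.lnk = target
O4_STARTUP = re.compile(r'^O4 - (?P<key>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# Split "path args": the path ends at the first executable extension, quotes optional.
CMD_RE = re.compile(
    r'^"?(?P<path>.*?\.(?:exe|scr|com|bat|cmd|dll))"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)


@dataclass
class AutostartEntry:
    location: str   # e.g. "HKCU\Run" or "Startup"
    name: str       # registry value name or .lnk name
    path: str       # executable path without quotes
    args: str


def parse_o4(lines):
    """Turn O4 lines into AutostartEntry objects; other HJT sections are ignored."""
    entries = []
    for raw in lines:
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            location = f"{m['hive']}\\{m['key']}"
        else:
            m = O4_STARTUP.match(line)
            if not m:
                continue
            location = m['key']
        cm = CMD_RE.match(m['cmd'])
        path = cm['path'] if cm else m['cmd'].strip('"')
        args = (cm['args'] or '') if cm else ''
        entries.append(AutostartEntry(location, m['name'], path, args))
    return entries


def flag_entry(entry):
    """Return the list of heuristic findings for one entry (empty = nothing odd)."""
    flags = []
    filename = entry.path.rsplit('\\', 1)[-1]
    stem = filename.rsplit('.', 1)[0]
    lowered = entry.path.lower()
    if '?' in filename:
        flags.append('file name contains a character HijackThis could not display')
    if '\\application data\\' in lowered:
        flags.append('runs from the user profile Application Data folder')
    if re.match(r'^[a-z]:\\windows\\[^\\]+$', lowered):
        flags.append('executable sits directly in the Windows root folder')
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) >= 4 and not any(c in 'aeiouy' for c in letters):
        flags.append('file name has no vowels (looks randomly generated)')
    return flags


def triage(lines):
    """Map each flagged value name to its findings, including cross-entry duplicates."""
    entries = parse_o4(lines)
    by_path = {}
    for e in entries:
        by_path.setdefault(e.path.lower(), []).append(e)
    report = {}
    for e in entries:
        flags = flag_entry(e)
        twins = by_path[e.path.lower()]
        if len(twins) > 1:
            names = ', '.join(sorted(t.name for t in twins))
            flags.append(f'same executable registered under several names: {names}')
        if flags:
            report[e.name] = flags
    return report


if __name__ == '__main__':
    for name, findings in triage(SAMPLE_O4_LINES).items():
        print(f'[{name}]')
        for f in findings:
            print(f'    - {f}')
```

Run it as a script to print the shortlist, or feed `triage()` the O4 lines of any HijackThis log; the heuristics are deliberately cheap string checks so the reasoning behind each flag stays visible to the person doing the review.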



#2 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:07:17 AM

Posted 03 October 2006 - 01:53 PM

Hi pamstar and welcome to Bleeping Computer :thumbsup:

You got some infections there...

Please, do not use BitTorrent during the cleanings.

At first, please rename HijackThis.exe to Scanner.exe

Then, do the following:
  • Download this file - combofix.exe
  • Double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis (scanner.exe) log.
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Edited by Mr_JAk3, 03 October 2006 - 01:54 PM.

UNITE & ASAP member since 2006

#3 pamstar

pamstar
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:17 AM

Posted 03 October 2006 - 08:58 PM

OK, did as you said, and here is my new HijackThis (now scanner) log as well as the ComboFix log. Thanks for your help. I don't know if it's fixed yet, but I feel like it might be...

Logfile of HijackThis v1.99.1
Scan saved at 9:53:53 PM, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\WgaTray.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
E:\WINDOWS\system32\?hkdsk.exe
E:\Program Files\PSDream\PSDream.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\WINDOWS\webshots.scr
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [vkqtvmgA] E:\WINDOWS\vkqtvmgA.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [keyman.exe] E:\Program Files\Tavultesoft\Keyman\keyman.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "E:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Lgeioaly] E:\WINDOWS\system32\?hkdsk.exe
O4 - HKCU\..\Run: [Uhst] E:\Documents and Settings\big p\Application Data\erlr.exe
O4 - HKCU\..\Run: [BitTorrent] "E:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [PSDream] "E:\Program Files\PSDream\PSDream.exe"
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe

ComboFix log:


big p - 06-10-03 21:48:23.35 Service Pack 2
ComboFix 06.09.28 - Running from: "E:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{4A53E3C7-53F5-4CAE-87D6-4B67E32B1BD2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A53E3C7-53F5-4CAE-87D6-4B67E32B1BD2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A53E3C7-53F5-4CAE-87D6-4B67E32B1BD2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4A53E3C7-53F5-4CAE-87D6-4B67E32B1BD2}\InprocServer32]
@="E:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

E:\WINDOWS\system32\fp6803jue.dll
E:\WINDOWS\system32\gpnol3531.dll
E:\WINDOWS\system32\guard.tmp


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-09-29 00:47 279 ceyrg.dll.qoo
06-09-29 00:30 53 vlqwcv.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\WINDOWS\cfg32a.exe
E:\WINDOWS\offun.exe
E:\WINDOWS\uninstall_nmon.vbs
E:\Documents and Settings\LocalService\Application Data\NetMon


((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))


2006-09-29 00:36 32,768 --a------ E:\WINDOWS\bejvgizc.exe
2006-09-29 00:30 380,000 -r-hs---- E:\WINDOWS\vkqtvmgA.exe
2006-09-29 00:30 217,276 --a------ E:\WINDOWS\srvvzmsbum.exe
2006-09-29 00:30 183,478 --a------ E:\WINDOWS\srvzusyomr.exe
2006-09-29 00:30 163,840 --a------ E:\WINDOWS\ms069014157801.exe
2006-09-29 00:16 20,640 --------- E:\WINDOWS\system32\drivers\PxHelp20.sys
2006-09-29 00:16 109,568 --------- E:\WINDOWS\system32\pxinsi64.exe
2006-09-29 00:16 108,544 --------- E:\WINDOWS\system32\pxcpyi64.exe
2006-09-18 14:11 778,240 --a------ E:\WINDOWS\system32\divx_xx0c.dll
2006-09-18 14:11 778,240 --a------ E:\WINDOWS\system32\divx_xx07.dll
2006-09-18 14:11 761,856 --a------ E:\WINDOWS\system32\divx_xx11.dll
2006-09-18 14:11 620,180 --a------ E:\WINDOWS\system32\DivX.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-03 21:48 -------- d-------- E:\Program Files\Mozilla Firefox
2006-10-03 21:46 -------- d-------- E:\Program Files\HijackThis
2006-09-29 09:20 -------- d-------- E:\Program Files\Windows NT
2006-09-29 09:20 -------- d-------- E:\Program Files\Outlook Express
2006-09-29 08:26 -------- d-------- E:\Documents and Settings\big p\Application Data\Sun
2006-09-29 08:24 -------- d-------- E:\Program Files\Java
2006-09-29 08:24 -------- d-------- E:\Program Files\Common Files\Java
2006-09-29 08:24 -------- d-------- E:\Program Files\Common Files
2006-09-29 07:38 -------- d-------- E:\Program Files\Online Services
2006-09-29 00:30 -------- d-------- E:\Program Files\PSDream
2006-09-29 00:29 -------- d-------- E:\Program Files\WinRAR
2006-09-29 00:19 -------- d-------- E:\Program Files\BitTorrent
2006-09-29 00:17 -------- d-------- E:\Program Files\DivX
2006-09-27 22:22 -------- d-------- E:\Documents and Settings\big p\Application Data\AdobeUM
2006-09-25 07:45 -------- d-------- E:\Documents and Settings\big p\Application Data\BitTorrent
2006-09-20 22:21 -------- d-------- E:\Documents and Settings\big p\Application Data\Apple Computer
2006-09-20 22:20 -------- d-------- E:\Program Files\QuickTime
2006-08-28 23:29 -------- d---s---- E:\Documents and Settings\big p\Application Data\Microsoft
2006-08-21 16:50 -------- d-------- E:\Program Files\Semagic
2006-08-21 08:21 16896 --a------ E:\WINDOWS\system32\fltlib.dll
2006-08-21 08:16 -------- d-------- E:\Program Files\Internet Explorer
2006-08-21 07:16 -------- d-------- E:\Documents and Settings\big p\Application Data\Mozilla
2006-08-21 05:14 23040 --a------ E:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- E:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-18 22:46 -------- d-------- E:\Program Files\Windows Media Player
2006-08-18 22:44 -------- d-------- E:\Program Files\Common Files\System
2006-08-18 17:53 -------- d-------- E:\Program Files\The Weather Channel FW
2006-08-18 15:37 -------- d-------- E:\Program Files\Canon
2006-08-11 13:35 520192 --a------ E:\WINDOWS\system32\DivXsm.exe
2006-08-11 13:35 3596288 --a------ E:\WINDOWS\system32\qt-dx331.dll
2006-08-11 13:35 200704 --a------ E:\WINDOWS\system32\ssldivx.dll
2006-08-11 13:35 1044480 --a------ E:\WINDOWS\system32\libdivx.dll
2006-08-11 13:31 73728 --a------ E:\WINDOWS\system32\dpl100.dll
2006-08-11 13:31 593920 --a------ E:\WINDOWS\system32\dpuGUI11.dll
2006-08-11 13:31 57344 --a------ E:\WINDOWS\system32\dpv11.dll
2006-08-11 13:31 53248 --a------ E:\WINDOWS\system32\dpuGUI10.dll
2006-08-11 13:31 344064 --a------ E:\WINDOWS\system32\dpus11.dll
2006-08-11 13:31 294912 --a------ E:\WINDOWS\system32\dpu11.dll
2006-08-11 13:31 294912 --a------ E:\WINDOWS\system32\dpu10.dll
2006-08-11 13:31 196608 --a------ E:\WINDOWS\system32\dtu100.dll
2006-08-11 13:31 12288 --a------ E:\WINDOWS\system32\DivXWMPExtType.dll
2006-08-11 13:31 118784 --a------ E:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-07-27 09:24 679424 --a------ E:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ E:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"E:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"keyman.exe"="E:\\Program Files\\Tavultesoft\\Keyman\\keyman.exe"
"PopUpStopperFreeEdition"="\"E:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""
"Lgeioaly"="E:\\WINDOWS\\system32\\?hkdsk.exe"
"Uhst"="E:\\Documents and Settings\\big p\\Application Data\\erlr.exe"
"BitTorrent"="\"E:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"PSDream"="\"E:\\Program Files\\PSDream\\PSDream.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vkqtvmgA"="E:\\WINDOWS\\vkqtvmgA.exe"
"SunJavaUpdateSched"="E:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="E:\\Program Files\\Windows NT\\kyzerek.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="E:\\Program Files\\Outlook Express\\howypyheh.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,26,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,26,03,00,00,00,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
E:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Tue 10/03/2006 21:52:22.59
ComboFix.txt


Now what?

Pam

#4 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:07:17 AM

Posted 04 October 2006 - 01:11 AM

Hi again, not clean yet
We'll continue :thumbsup:

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Download HijackThis to your desktop -> HijackThis 1.99.1
Create a new folder named HijackThis to your desktop. Move HijackThis.exe into that folder.

Then, make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
First install MVPS HOSTS:

Download and unzip hosts.zip from HERE to a folder (hosts).

When you get a chance please read more about what we are doing HERE.

Here's a Tutorial on how to install it, but it's installed like this:

Open up the hosts folder and double-click on the mvps.bat file, it will rename your present HOSTS file to HOSTS.MVP, then it will copy the new HOSTS file to the correct location on your machine. It happens very quickly so don't blink!

You're done with this step.

Next....

Look in your control panels add/remove programs for any of these and uninstall them:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga
PSDream
and any other programs you didn't install or don't recognize - if you're not sure, please ask first


Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

PSDream.exe
webshots.scr

Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lgeioaly"=-
"Uhst"=-
"PSDream"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vkqtvmgA"=-

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [vkqtvmgA] E:\WINDOWS\vkqtvmgA.exe
O4 - HKCU\..\Run: [Lgeioaly] E:\WINDOWS\system32\?hkdsk.exe
O4 - HKCU\..\Run: [Uhst] E:\Documents and Settings\big p\Application Data\erlr.exe
O4 - HKCU\..\Run: [PSDream] "E:\Program Files\PSDream\PSDream.exe"
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following folders (if present):
E:\Program Files\PSDream
E:\Program Files\Webshots

Go to the My Computer and delete the following files (if present):
E:\Documents and Settings\big p\Application Data\erlr.exe
E:\WINDOWS\vkqtvmgA.exe
E:\Program Files\Windows NT\vkyzerek.html
E:\Program Files\Outlook Express\howypyheh.html
E:\WINDOWS\bejvgizc.exe
E:\WINDOWS\vkqtvmgA.exe
E:\WINDOWS\srvvzmsbum.exe
E:\WINDOWS\srvzusyomr.exe
E:\WINDOWS\ms069014157801.exe
E:\WINDOWS\webshots.scr

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

NOTE The following will clear all of your cookies, forms and history from FireFox. Feel free to skip this step.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
NOTE: The following will clear all of your cookies, forms and history from Opera. Feel free to skip this step.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

When you're ready, post the following logs here:

- AVG's report
- a fresh HijackThis log

Edited by Mr_JAk3, 04 October 2006 - 01:13 AM.

UNITE & ASAP member since 2006
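As an added example (not from the thread or the HJT team, and not part of any Microsoft tool), here is a Python dry-run interpreter for the REGEDIT4 fix file given in the post above. It parses the file and lists what merging it would do, using the standard .reg semantics that `"name"=-` deletes a value and `[-key]` deletes a whole key, and it checks the two layout rules the post insists on: nothing before REGEDIT4 and exactly one blank line at the end. The sample input is the fix from the post; the function names and the operation tuples are this example's own.

```python
"""Dry-run interpreter for a REGEDIT4 (.reg) fix file.

Added example, not from the thread and not part of any Microsoft tool. It
parses the fix posted above and lists what merging it would do, and checks
the two layout rules the post insists on: nothing before REGEDIT4 and
exactly one blank line at the end.
"""
import re

# The fix file from the post above, reproduced as the sample input.
REG_FIX = r'''REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lgeioaly"=-
"Uhst"=-
"PSDream"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vkqtvmgA"=-

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]

'''

# "name"=data  or  @=data (default value); data "-" means delete the value.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _logical_lines(lines, start):
    """Join physical lines that end in a backslash (hex: continuation lines)."""
    buf = None
    lineno = start
    for lineno, line in enumerate(lines, start=start):
        line = line.rstrip('\r')
        if buf is not None:
            line = buf + line.strip()
            buf = None
        if line.endswith('\\'):
            buf = line[:-1]
            continue
        yield lineno, line
    if buf is not None:
        yield lineno, buf   # dangling continuation at end of file


def parse_reg(text):
    """Return (operations, problems). Each operation is a tuple
    ('delete_key', key, None, None), ('delete_value', key, name, None)
    or ('set_value', key, name, data)."""
    lines = text.split('\n')
    problems = []
    if lines[0] != 'REGEDIT4':
        problems.append('first line must be exactly REGEDIT4 with no blank lines before it')
    if not text.endswith('\n\n'):
        problems.append('file must end with one blank line')
    ops = []
    current_key = None
    for lineno, line in _logical_lines(lines[1:], start=2):
        if not line.strip():
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            if key.startswith('-'):
                ops.append(('delete_key', key[1:], None, None))
                current_key = None   # values may not follow a key deletion
            else:
                current_key = key
            continue
        m = VALUE_RE.match(line)
        if m is None or current_key is None:
            problems.append(f'line {lineno}: cannot interpret {line!r}')
            continue
        name = '@' if m['default'] else m['name']
        data = m['data']
        if data == '-':
            ops.append(('delete_value', current_key, name, None))
        else:
            ops.append(('set_value', current_key, name, data))
    return ops, problems


def describe(ops):
    """Human-readable plan, one line per operation."""
    out = []
    for kind, key, name, data in ops:
        if kind == 'delete_key':
            out.append(f'delete key {key} and everything beneath it')
        elif kind == 'delete_value':
            out.append(f'delete value "{name}" from {key}')
        else:
            out.append(f'set value "{name}" in {key} to {data}')
    return out


if __name__ == '__main__':
    ops, problems = parse_reg(REG_FIX)
    for line in describe(ops):
        print(line)
    for p in problems:
        print('PROBLEM:', p)
```

Reading the plan before merging is the point: the four `delete value` lines remove the Run entries that relaunch the dropped files, and the two `delete key` lines remove the Active Desktop components that point at the planted .html pages, without touching anything else under those keys.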

#5 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:07:17 AM

Posted 14 October 2006 - 03:17 AM

Hi again, are you still there ?
UNITE & ASAP member since 2006



