
Problems with comp, various virus [RESOLVED]


  • This topic is locked

#1
Caffeine_Powered

  • Member
  • 475 posts
Alright today I got a call from my friend saying his computer was messed up, so I got my stuff together and went over to help him...I did all I could from his house (he has Dial-up :blink: ) and installed a whole bunch of programs...Adaware (found tons deleted through Adaware and Manually)....Spybot (same as Adaware)....so it's still giving him problems... so I brought it to my house to try and fix it, and after awhile I figured I'd try and use Geekstogo. I transferred Ewido and HJT to his comp...ok his computer has McAfee on it and it won't let HJT load...reads it as a virus...can't install....

I got Ewido on it and it found a billion things deleted all this junk....

Anyway

Symptoms-
He used a P2P thing :whistling: and it kept trying to start the program up and connect to internet (luckily it's dial-up so he was able to halt it)....so it constantly tried to connect to internet. Constant Pop ups....etc

You'd know more if I could post an HJT log....is there anything I can do that will let HJT install, because McAfee won't shut off for me...

ugh

Edited by Caffiene_Powered, 23 August 2006 - 01:12 PM.

  • 0


#2
Caffeine_Powered

  • Topic Starter
  • Member
  • 475 posts
Is there any way to get HijackThis on that comp so I can bring a report here for help..
  • 0

#3
Caffeine_Powered

  • Topic Starter
  • Member
  • 475 posts
:whistling:

Once I get HJT in my comp I can post that but I need your help getting it in....

Edited by Caffiene_Powered, 23 August 2006 - 11:55 AM.

  • 0

#4
Caffeine_Powered

  • Topic Starter
  • Member
  • 475 posts
o and I forgot to say what type of comp it is

it's an IBM and it runs Windows XP

sry for the multiple posts stuff just pops into my head at random times

Edited by Caffiene_Powered, 23 August 2006 - 01:04 PM.

  • 0

#5
andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi Caffiene_Powered

Is McAfee fully up to date? It should no longer detect HijackThis as a virus.
If McAfee won't shut down, try booting into safe mode and then install HijackThis.

Reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once installed boot into normal windows and run the scan.

Andy :whistling:
  • 0

#6
Caffeine_Powered

  • Topic Starter
  • Member
  • 475 posts

Hi Caffiene_Powered

Is McAfee fully up to date? It should no longer detect HijackThis as a virus.
If McAfee won't shut down, try booting into safe mode and then install HijackThis.

Reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once installed boot into normal windows and run the scan.

Andy :whistling:

ya know it's weird because I went into safe mode to delete everything the 3rd time I did it (I've done it a million times) and it never occurred to me to go into safe mode to install HJT...

My friend's comp at the moment is not hooked up to the internet so everything I do is off of discs and what not....he has dial-up so very little is updated (I updated Windows before I left his house and did an error check)........

I'll do that.....
  • 0

#7
Caffeine_Powered

  • Topic Starter
  • Member
  • 475 posts
I installed it in safe mode but when I rebooted the computer kicked it out as a worm....so I just ran it in safe mode

here's the HJT log in safe mode

Logfile of HijackThis v1.99.1
Scan saved at 4:38:54 PM, on 8/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalo.../search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalo.../search.asp?si=
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mmbjn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,whinxmj.exe
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_12.exe
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [utownf] C:\WINDOWS\system32\vckfnh.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [rqvxo] C:\WINDOWS\system32\vckfnh.exe reg_run
O4 - HKCU\..\Run: [iomw] C:\PROGRA~1\COMMON~1\iomw\iomwm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\swrialui.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\en6ol1j31.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  • 0

#8
andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi Caffiene_Powered

That's a messed up PC you got there. Let's see if we can get most of it in one pass.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1.
  • Download Brute Force Uninstaller to your C:\
  • Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
  • Download qoofix.bat (right-click on this link and choose save as)
  • Place qoofix.bat in your C:\BFU - folder. (Important!)
  • Double-click qooFix.bat. Close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted please continue as below.
2.
We need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
*Close the window with ok
*All hidden files will now be visible

Click This link for further help.

3.
Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

4.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalo.../search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalo.../search.asp?si=
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mmbjn.exe
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_12.exe
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [utownf] C:\WINDOWS\system32\vckfnh.exe reg_run
O4 - HKCU\..\Run: [rqvxo] C:\WINDOWS\system32\vckfnh.exe reg_run
O4 - HKCU\..\Run: [iomw] C:\PROGRA~1\COMMON~1\iomw\iomwm.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\swrialui.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\en6ol1j31.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Viewpoint Toolbar

Please note any other programs that you don't recognize in Add/Remove in your next response.

Please delete these folders using Windows Explorer (if present):

C:\PROGRA~1\COMMON~1\iomw
C:\Program Files\Viewpoint\Viewpoint Toolbar V35

Please delete these files using Windows Explorer (if present):
Use the Windows search facility if you have trouble finding these files.

C:\WINDOWS\system32\mmbjn.exe
C:\WINDOWS\system32\xeymi.dll
C:\\dfndrff_12.exe
C:\\kybrdff_12.exe
C:\WINDOWS\system32\cvn0.exe
C:\WINDOWS\system32\wfxqhv.exe
C:\WINDOWS\system32\swrialui.dll
C:\WINDOWS\system32\en6ol1j31.dll

After that, Reboot.

If you would please, rescan with HijackThis and post a fresh log along with all other logs in this same topic, and let us know how your system's working. :blink:

Andy :whistling:

Edited by andydf, 23 August 2006 - 03:59 PM.

  • 0
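
The entries picked out for fixing in post #8 share a few structural oddities that can be checked mechanically. The following Python is an added example, not part of the thread and not HijackThis's or the helper's own method; the `triage` function, its reason labels and the heuristics are assumptions made here, and the sample lines are copied from the log in post #7.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log in post #7 (a subset, unmodified).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mmbjn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,whinxmj.exe
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe
O4 - HKLM\..\Run: [utownf] C:\WINDOWS\system32\vckfnh.exe reg_run
O4 - HKCU\..\Run: [rqvxo] C:\WINDOWS\system32\vckfnh.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\en6ol1j31.dll (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[([^\]]+)\] (.+)$")
EXE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.I)


def triage(log_text):
    """Return (reason, evidence) pairs for entries matching the heuristics."""
    findings = []
    run_targets = defaultdict(set)  # normalised exe path -> Run value names
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code == "F2":
            # Shell/UserInit normally name one program; a trailing comma is fine.
            programs = [p for p in body.partition("=")[2].split(",") if p.strip()]
            if len(programs) > 1:
                findings.append(("F2-extra-program", line))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append(("O2-no-file", line))
        elif code == "O20" and body.endswith("(file missing)"):
            findings.append(("O20-file-missing", line))
        elif code == "O4":
            run = RUN.match(body)
            exe = EXE.search(run.group(2)) if run else None
            if exe:
                path = exe.group(0).lower().replace("\\\\", "\\")
                run_targets[path].add(run.group(1))
                if path.count("\\") == 1:  # executable sits in the drive root
                    findings.append(("O4-drive-root", line))
    # One binary started under several unrelated value names.
    for path, names in sorted(run_targets.items()):
        if len(names) > 1:
            findings.append(("O4-duplicate-target", f"{path} <- {sorted(names)}"))
    return findings


if __name__ == "__main__":
    for reason, evidence in triage(SAMPLE_LOG):
        print(f"{reason:20} {evidence}")
```

These checks only surface candidates: entries such as `cvn0.exe` and `wfxqhv.exe` from the same log match none of them and still need a human reviewer.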

#9
Caffeine_Powered

  • Topic Starter
  • Member
  • 475 posts

Hi Caffiene_Powered

That's a messed up PC you got there. Let's see if we can get most of it in one pass.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1.

  • Download Brute Force Uninstaller to your C:\
  • Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
  • Download qoofix.bat (right-click on this link and choose save as)
  • Place qoofix.bat in your C:\BFU - folder. (Important!)
  • Double-click qooFix.bat. Close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted please continue as below.
2.


ha ha yea I know

Alright I got everything onto my friend's comp, took the .bat file and put it on floppy and transferred to his comp and placed in folder as you requested..problem is when I double click the only thing that happens is a command prompt pops up only long enough for me to see it flash...no choosing, no restarting I can see...
  • 0

#10
andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi

Sorry, my fault, that is the old tool. Please delete it and follow the instructions below.

Please download Qoofix by Rubber Ducky to your desktop.
  • Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
  • Close all windows and programs, including internet windows.
  • Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
  • Click Begin Removal and wait for the scan to finish
  • If Qoofix finds an infection, select yes to restart your computer
  • You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt Copy and paste the contents of that report into your next reply here.
Andy :whistling:
  • 0


#11
Caffeine_Powered

  • Topic Starter
  • Member
  • 475 posts

Hi

Sorry, my fault, that is the old tool. Please delete it and follow the instructions below.

Please download Qoofix by Rubber Ducky to your desktop.

  • Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
  • Close all windows and programs, including internet windows.
  • Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
  • Click Begin Removal and wait for the scan to finish
  • If Qoofix finds an infection, select yes to restart your computer
  • You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt Copy and paste the contents of that report into your next reply here.
Andy :whistling:

I'm doing the scan now
but

should I do everything else you said in your first post?

EDIT:
I finished the scan but I'm not gunna paste it in here because all it said was
Nothing was found (Malicious or Qoologic infected) and that some Reg keys may have been removed...

Edited by Caffiene_Powered, 23 August 2006 - 04:50 PM.

  • 0

#12
andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi Caffiene_Powered

Ok just continue with the other fixes and post the results.

Andy :whistling:
  • 0

#13
Caffeine_Powered

  • Topic Starter
  • Member
  • 475 posts

Click This link for further help.

3.
Please download Look2Me-Destroyer.exe to your desktop.

  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

It's not reopening after a minute or even 20 minutes

:whistling:
  • 0

#14
andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi Caffiene_Powered

We're not having much luck so far :blink:

Complete the rest of the fix, once that is done try running Look2Me-Destroyer again.

Andy :whistling:
  • 0

#15
Caffeine_Powered

  • Topic Starter
  • Member
  • 475 posts

Hi Caffiene_Powered

We're not having much luck so far :blink:

Complete the rest of the fix, once that is done try running Look2Me-Destroyer again.

Andy :whistling:

tell me about it :help:

I'll do the rest and post results.....
  • 0





