
Please Help me! Pop-ups on desktop [resolved]



#1
Luebeck_Family
Member, 46 posts
My mom woke me up at 5:30 at our computer because AVG popped up with virus warnings. We have pop-ups launching on our desktop and I read it was due to "wrapperouter.exe". We also have warnings of "installer_MARKETING18.exe" and "saie1108.exe" from the AVG virus protection. Please help me fix our computer!!

HIJACK THIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 7:00:49 AM, on 3/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\fpcy\ccpvfxr.exe
C:\WINDOWS\system32\ffhkrvt\spiba.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\system32\pacis.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\keyd3x40.exe
C:\WINDOWS\system32\twwxmv\jrhmk.exe
C:\WINDOWS\system32\igsnuym\sbaeaim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\irc02nqv.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Documents and Settings\Gateway User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\system32\pacis.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [dcodflxl] c:\windows\system32\dcodflxl.exe
O4 - HKLM\..\Run: [t97X32l] keyd3x40.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitekam32.exe
O4 - HKLM\..\Run: [jrhmk] C:\WINDOWS\system32\twwxmv\jrhmk.exe
O4 - HKLM\..\Run: [spiba] C:\WINDOWS\system32\ffhkrvt\spiba.exe
O4 - HKLM\..\Run: [ccpvfxr] C:\WINDOWS\system32\fpcy\ccpvfxr.exe
O4 - HKLM\..\Run: [sbaeaim] C:\WINDOWS\system32\igsnuym\sbaeaim.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cyo7RSJqh] irc02nqv.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108499467297
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0002.exe
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ccpvfxrfpcy - Unknown owner - C:\WINDOWS\system32\fpcy\ccpvfxr.exe
O23 - Service: spibaffhkrvt - Unknown owner - C:\WINDOWS\system32\ffhkrvt\spiba.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
#2
miekiemoes
Malware Expert (MVP), 5,503 posts
Hi there,

*Uninstall through your add/remove programs the following if present:

WinTools
Toolbar (Websearch Toolbar)
Ebates_MoeMoneyMaker
Media Access

LimeWire <== I suggest you uninstall it too, because it's bundled with spyware. Read here for more

I also see this in your log:

O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\system32\pacis.exe

So I suppose this is related to http://www.pacimedia.com/eula.html
If I read the License agreement, it says:

THIS DOCUMENT CONTAINS THE LICENSE AGREEMENTS FOR
IBIS, PEOPLEONPAGE, 180, SURFSIDEKICK, EXACT, CLICKSPRING, ADPOWERZONE, DESKTOPTRAFFIC, DIRECT REVENUE


So, I strongly suggest you uninstall PaciSoft too if it's present in your add/remove programs list.

When that's done...

REBOOT

Download the latest version of Ad-Aware:
http://www.lavasoft....pport/download/

After installing AAW, and before running the program, please be sure to update the reference file following the instructions here:
http://www.lavahelp.net/howto/updref/

Reconfigure Ad-Aware for Full Scan:

Launch the program, and click on the Gear at the top of the start screen.

Click the 'Scanning' button.
Under Drives, Folders and Files, select 'Scan within Archives'.
Click 'Click here to select Drives + folders' and select your installed hard drives.

Under Memory & Registry, select all options.
Click the 'Advanced' button.
Under 'Log-file detail level', select all options.
Click the 'Tweaks' button.

Under 'Scanning Engine', select the following:
'Unload recognized processes during scanning.'
Under 'Cleaning Engine', select the following:
'Let Windows remove files in use after reboot.'
Click on 'Proceed' to save these Preferences.

Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.

* Perform an online scan with housecall and/or Etrust

Post back a fresh HijackThis log and I'll take another look.

#3
amunra
Member, 112 posts
Just wanted to add don't forget about spybot search and destroy.

#4
Luebeck_Family (Topic Starter)
Member, 46 posts
Ok, I did what you said. I still get warnings of the following...
C:\WINDOWS\system32\installer_MARKETING18.exe
C:\WINDOWS\system32\wrapperouter.exe
C:\WINDOWS\system32\saie1108.exe
Counter.class
Parser.class
A0000070.exe
A0000085.exe
A0000098.exe
A0000099.exe
A0000114.exe
27.exe
QBAux.exe
QuickBrowser.exe
AutoUpdate.exe

Also, when pop-ups were on the screen before, I heard a noise like a fly coming out of my speaker.

A pop-up comes up sometimes about Windows Explorer shutting down to keep the system safe, or something like that.

In the corner by the time on the start menu bar I noticed a computer icon popped up, and when I put my mouse over it, it said "Web Offer Installation.." and the percentage, but I couldn't right-click and stop it.

After I restarted from using Ad-Aware it said the following right away...

"Windows cannot find 'C:\DOCUME~1\GATEWA~1\LOCALS~1\Temp\djtoprllSO.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click search."

Pop-ups keep popping up after restart and I keep getting those AVG Virus FOUND WARNINGS as mentioned above, most are trojans I think

I did a scan with Housecall and it found 9 infected files; JAVA_BYTEVER.C and then 8 TROJ_DLOADER.** files. How do I delete them? I tried to clean all and rescan but I needed a ticket so I put in my e-mail, got the ticket code, entered it and it said it could not be found. I also tried deleting the files individually within the HouseCall window but it does not work.

Thanks for your help!! Here is the updated log...

Logfile of HijackThis v1.99.1
Scan saved at 10:11:06 AM, on 3/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\windows\system32\dcodflxl.exe
C:\WINDOWS\system32\mrejl\nqtnttg.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\bxneuddq\eftac.exe
C:\windows\system32\packager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\ijyvroi\jsgf.exe
C:\WINDOWS\system32\igxblh\raatfgid.exe
C:\Program Files\Bpt\bpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\rmvqkj\nuitlq.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dislfobf\vliq.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\shfgfat.exe
C:\WINDOWS\system32\sisutils.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\PROGRA~1\Java\JRE15~1.0_0\bin\java.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Gateway User\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: FlashEnhancer Extender - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - c:\Program Files\Flen\flen.dll
O2 - BHO: (no name) - {F4AD23A2-357E-7523-77B9-D081C816DD2A} - C:\WINDOWS\system32\mscvsqml\cekhprcn.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\system32\pacis.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [dcodflxl] c:\windows\system32\dcodflxl.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitekam32.exe
O4 - HKLM\..\Run: [jrhmk] C:\WINDOWS\system32\twwxmv\jrhmk.exe
O4 - HKLM\..\Run: [spiba] C:\WINDOWS\system32\ffhkrvt\spiba.exe
O4 - HKLM\..\Run: [ccpvfxr] C:\WINDOWS\system32\fpcy\ccpvfxr.exe
O4 - HKLM\..\Run: [sbaeaim] C:\WINDOWS\system32\igsnuym\sbaeaim.exe
O4 - HKLM\..\Run: [nqtnttg] C:\WINDOWS\system32\mrejl\nqtnttg.exe
O4 - HKLM\..\Run: [nuitlq] C:\WINDOWS\system32\rmvqkj\nuitlq.exe
O4 - HKLM\..\Run: [eftac] C:\WINDOWS\system32\bxneuddq\eftac.exe
O4 - HKLM\..\Run: [rmpjsvd] C:\WINDOWS\system32\vhbmw\rmpjsvd.exe
O4 - HKLM\..\Run: [vliq] C:\WINDOWS\system32\dislfobf\vliq.exe
O4 - HKLM\..\Run: [jsgf] C:\WINDOWS\system32\ijyvroi\jsgf.exe
O4 - HKLM\..\Run: [raatfgid] C:\WINDOWS\system32\igxblh\raatfgid.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\xtvs.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [FlenCPY] "C:\Program Files\Common Files\Java\flencpy.exe"
O4 - HKLM\..\Run: [t97X32l] sisutils.exe
O4 - HKLM\..\Run: [skyhn] C:\DOCUME~1\GATEWA~1\LOCALS~1\Temp\eejcmahw.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cyo7RSJqh] shfgfat.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108499467297
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0002.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ccpvfxrfpcy - Unknown owner - C:\WINDOWS\system32\fpcy\ccpvfxr.exe
O23 - Service: nuitlqrmvqkj - Unknown owner - C:\WINDOWS\system32\rmvqkj\nuitlq.exe
O23 - Service: spibaffhkrvt - Unknown owner - C:\WINDOWS\system32\ffhkrvt\spiba.exe
O23 - Service: vliqdislfobf - Unknown owner - C:\WINDOWS\system32\dislfobf\vliq.exe



Ok, here is m

#5
miekiemoes
Malware Expert (MVP), 5,503 posts
Hi there,

Ok.. let's get rid of them all manually now..
It's better to print out these instructions, because you have to work in safe mode too (without an internet connection), so this page won't be available then.

* Download and install CCleaner
Do not use it yet.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Download LQfix.zip
Unzip it and save it to your desktop, don't use it yet!!


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: FlashEnhancer Extender - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - c:\Program Files\Flen\flen.dll
O2 - BHO: (no name) - {F4AD23A2-357E-7523-77B9-D081C816DD2A} - C:\WINDOWS\system32\mscvsqml\cekhprcn.dll
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\system32\pacis.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [dcodflxl] c:\windows\system32\dcodflxl.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitekam32.exe
O4 - HKLM\..\Run: [jrhmk] C:\WINDOWS\system32\twwxmv\jrhmk.exe
O4 - HKLM\..\Run: [spiba] C:\WINDOWS\system32\ffhkrvt\spiba.exe
O4 - HKLM\..\Run: [ccpvfxr] C:\WINDOWS\system32\fpcy\ccpvfxr.exe
O4 - HKLM\..\Run: [sbaeaim] C:\WINDOWS\system32\igsnuym\sbaeaim.exe
O4 - HKLM\..\Run: [nqtnttg] C:\WINDOWS\system32\mrejl\nqtnttg.exe
O4 - HKLM\..\Run: [nuitlq] C:\WINDOWS\system32\rmvqkj\nuitlq.exe
O4 - HKLM\..\Run: [eftac] C:\WINDOWS\system32\bxneuddq\eftac.exe
O4 - HKLM\..\Run: [rmpjsvd] C:\WINDOWS\system32\vhbmw\rmpjsvd.exe
O4 - HKLM\..\Run: [vliq] C:\WINDOWS\system32\dislfobf\vliq.exe
O4 - HKLM\..\Run: [jsgf] C:\WINDOWS\system32\ijyvroi\jsgf.exe
O4 - HKLM\..\Run: [raatfgid] C:\WINDOWS\system32\igxblh\raatfgid.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\xtvs.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [FlenCPY] "C:\Program Files\Common Files\Java\flencpy.exe"
O4 - HKLM\..\Run: [t97X32l] sisutils.exe
O4 - HKLM\..\Run: [skyhn] C:\DOCUME~1\GATEWA~1\LOCALS~1\Temp\eejcmahw.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKCU\..\Run: [cyo7RSJqh] shfgfat.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0002.exe
O23 - Service: ccpvfxrfpcy - Unknown owner - C:\WINDOWS\system32\fpcy\ccpvfxr.exe
O23 - Service: nuitlqrmvqkj - Unknown owner - C:\WINDOWS\system32\rmvqkj\nuitlq.exe
O23 - Service: spibaffhkrvt - Unknown owner - C:\WINDOWS\system32\ffhkrvt\spiba.exe
O23 - Service: vliqdislfobf - Unknown owner - C:\WINDOWS\system32\dislfobf\vliq.exe


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode:
To get into Safe Mode, press and hold your "F8 Key" as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.


Using Windows Explorer, locate the following folders, and delete them:


C:\WINDOWS\system32\mrejl
C:\WINDOWS\system32\bxneuddq
C:\WINDOWS\system32\ijyvroi
C:\WINDOWS\system32\igxblh
C:\Program Files\Bpt
C:\WINDOWS\system32\rmvqkj
C:\WINDOWS\system32\dislfobf
C:\Program Files\CxtPls
C:\WINDOWS\system32\nsvsvc
C:\WINDOWS\system32\picsvr
c:\Program Files\Flen
C:\WINDOWS\system32\mscvsqml
C:\WINDOWS\system32\twwxmv
C:\WINDOWS\system32\ffhkrvt
C:\WINDOWS\system32\fpcy
C:\WINDOWS\system32\igsnuym
C:\WINDOWS\system32\vhbmw
C:\Program Files\Ebates_MoeMoneyMaker

* Find the following files and delete them:

C:\windows\system32\dcodflxl.exe
C:\WINDOWS\system32\shfgfat.exe
C:\WINDOWS\system32\sisutils.exe
C:\WINDOWS\system32\gah95on6.exe
C:\WINDOWS\system32\pacis.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\system32\xtvs.exe
C:\Program Files\Common Files\Java\bptre.exe
C:\Program Files\Common Files\Java\flencpy.exe

Also search for the following files and delete them if still present:

C:\WINDOWS\system32\installer_MARKETING18.exe
C:\WINDOWS\system32\wrapperouter.exe
C:\WINDOWS\system32\saie1108.exe
Counter.class
Parser.class
A0000070.exe
A0000085.exe
A0000098.exe
A0000099.exe
A0000114.exe
27.exe
QBAux.exe
QuickBrowser.exe
AutoUpdate.exe


* Double-click LQfix.bat that you saved on your desktop before.
A DOS window will open and close again; that is normal.


* Start Ccleaner and click Run Cleaner

* Reboot your system back to normal mode

Run a full Ad-Aware scan and Spybot scan again and let them delete everything they find.

Also, perform an online virus scan again (housecall) and select the 'auto-delete' option.

Reboot and post back a fresh HijackThis log and I'll take another look.

Edited by miekiemoes, 23 March 2005 - 10:41 AM.
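The logs in posts #1 and #4 and the fix list in post #5 follow a pattern a reviewer can apply by hand: Run entries and services with random lowercase names under system32 subfolders, a Run entry with a bare filename, executables launched from Temp, a hosts-file override, and a service whose name is the exe name and folder name glued together. The script below is an added example, not part of this thread or of HijackThis; it encodes those observations as triage heuristics over a few constructed sample lines modelled on the logs above, and diffs a "before" excerpt against an "after" excerpt to show which entries the cleanup removed. The flags are candidates for a human reviewer, not verdicts: a legitimate component under a lowercase system32 subfolder would be flagged too.

```python
import re

# Constructed sample excerpts in HijackThis v1.99.1 line format, modelled on the
# entries quoted in this thread. These are short excerpts, not complete logs.
LOG_BEFORE = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {F4AD23A2-357E-7523-77B9-D081C816DD2A} - C:\WINDOWS\system32\mscvsqml\cekhprcn.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nuitlq] C:\WINDOWS\system32\rmvqkj\nuitlq.exe
O4 - HKLM\..\Run: [t97X32l] sisutils.exe
O4 - HKLM\..\Run: [skyhn] C:\DOCUME~1\GATEWA~1\LOCALS~1\Temp\eejcmahw.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: nuitlqrmvqkj - Unknown owner - C:\WINDOWS\system32\rmvqkj\nuitlq.exe
"""

# Constructed "after cleanup" excerpt: only the entries that survived.
LOG_AFTER = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Line shapes as HijackThis 1.99.1 prints them (O4 Run, O23 Service, O2 BHO).
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.+?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
# First quoted or unquoted token ending in .exe, so "/STARTUP"-style args are dropped.
EXE_RE = re.compile(r'^"?([^"]*?\.exe)"?', re.IGNORECASE)
# <dir>\<file>.exe|dll directly under system32, both names purely lowercase letters.
SYS32_SUBDIR_RE = re.compile(r"\\[Ss]ystem32\\([a-z]+)\\([a-z]+)\.(?:exe|dll)$")
TEMP_RE = re.compile(r"\\(LOCALS~1\\)?Temp\\", re.IGNORECASE)


def flag_entry(line):
    """Return the list of triage reasons for one log line (empty if none)."""
    reasons = []
    if line.startswith("O1 - Hosts:"):
        reasons.append("hosts-file override (verify the mapping is intended)")
    m = RUN_RE.match(line)
    if m:
        _hive, _name, command = m.groups()
        exe = EXE_RE.match(command)
        path = exe.group(1) if exe else command
        if "\\" not in path:
            reasons.append("Run entry with bare filename, no directory")
        if TEMP_RE.search(path):
            reasons.append("Run entry launches from a Temp directory")
        if SYS32_SUBDIR_RE.search(path):
            reasons.append("executable in lowercase-named subfolder of system32")
    m = SVC_RE.match(line)
    if m:
        name, owner, path = m.groups()
        sub = SYS32_SUBDIR_RE.search(path)
        if owner == "Unknown owner" and sub:
            reasons.append("service with unknown owner in system32 subfolder")
        # Pattern seen in this thread: service name == exe name + folder name.
        if sub and name == sub.group(2) + sub.group(1):
            reasons.append("service name is exe name + folder name")
    m = BHO_RE.match(line)
    if m:
        name, _clsid, path = m.groups()
        if SYS32_SUBDIR_RE.search(path):
            reasons.append("BHO DLL in lowercase-named subfolder of system32")
        if name == "(no name)":
            reasons.append("BHO without a display name")
    return reasons


def parse_lines(log_text):
    """Return the non-empty, stripped entry lines of a log excerpt."""
    return [ln.strip() for ln in log_text.splitlines() if ln.strip()]


def triage(log_text):
    """Map each flagged line to its reasons; unflagged lines are omitted."""
    result = {}
    for line in parse_lines(log_text):
        reasons = flag_entry(line)
        if reasons:
            result[line] = reasons
    return result


def compare_logs(before, after):
    """Entries removed and entries added between two logs, order preserved."""
    b, a = parse_lines(before), parse_lines(after)
    removed = [ln for ln in b if ln not in a]
    added = [ln for ln in a if ln not in b]
    return removed, added


if __name__ == "__main__":
    for line, reasons in triage(LOG_BEFORE).items():
        print(line)
        for r in reasons:
            print("   ->", r)
    removed, added = compare_logs(LOG_BEFORE, LOG_AFTER)
    print(f"{len(removed)} entries removed, {len(added)} added after cleanup")
```

Run against the two excerpts, six of the eight "before" lines are flagged, the AVG entries are not, and the diff lists the five entries that disappeared after the fix. The hosts-file line is flagged in both logs on purpose: it survives every step in this thread, and a mapping to a non-loopback address is something a reviewer should confirm rather than assume.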


#6
Luebeck_Family (Topic Starter)
Member, 46 posts
I didn't do the housecall scan, not yet at least, but I thought I should tell you that I got these Virus Warning Pop-ups...

C:\System Volume Information\_restore{D27CF7A1 - D7BB - 4D6E - ABCS - C7CSE96OCD2B}\RP1\A0000070.exe

...A0000098.exe
...A0000099.exe
...A0000114.exe
...A0000200.exe
...A0000202.exe
...A0000204.exe
...A0000236.exe
...A0000237.exe
...A0000238.exe
...A0000239.exe
...A0000241.exe

I also could not find C:\WINDOWS\system32\igsnuym, C:\Program Files\Ebates_MoeMoneyMaker, C:\WINDOWS\system32\xtvs.exe to delete

Here is my HIJACK THIS LOG...

Logfile of HijackThis v1.99.1
Scan saved at 12:11:09 PM, on 3/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gateway User\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [nuitlq] C:\WINDOWS\system32\rmvqkj\nuitlq.exe
O4 - HKLM\..\Run: [vliq] C:\WINDOWS\system32\dislfobf\vliq.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108499467297
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Should I still use the Housecall? Last time I couldn't do anything and it took forever so I did it for nothing!

Thank you so much, You are really helping me!

#7
miekiemoes
Malware Expert (MVP), 5,503 posts
About the items that housecall finds.. Don't worry, we'll handle that later.
These items are present in your system restore points, so we are going to take care of that when everything else is clean again.

Don't worry about the files/folders you couldn't find either.. that means they are already gone. :-)

Ok..

Check and fix the following lines in HijackThis again:

O4 - HKLM\..\Run: [nuitlq] C:\WINDOWS\system32\rmvqkj\nuitlq.exe
O4 - HKLM\..\Run: [vliq] C:\WINDOWS\system32\dislfobf\vliq.exe


Search the next folders and delete them if they are still present:

C:\WINDOWS\system32\rmvqkj
C:\WINDOWS\system32\dislfobf

Reboot and post a new HijackThis log.

#8
Luebeck_Family (Topic Starter)
Member, 46 posts
Ok, removed those items from HiJack This and the other files were not present

Logfile of HijackThis v1.99.1
Scan saved at 12:59:18 PM, on 3/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Gateway User\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108499467297
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

#9
miekiemoes
Malware Expert (MVP), 5,503 posts
Great!!

Your log looks clean again.

Ok, now about the system restore points. We are going to flush them.
This will delete all your system restore points and the malware that was present in them.
Disabling system restore in XP
Reboot.. and after rebooting, enable it again.
A new system restore point will be made. A clean one now! :tazz:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Let your antispyware scanner(s) scan frequently, and don't forget to update before.

And I do suggest you do an online virus scan once in a while (housecall and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

You can also find more info on how to prevent malware here (By Tony Klein)

Happy surfing again!

#10
Luebeck_Family (Topic Starter)
Member, 46 posts
THANK YOU SO MUCH!! I WAS SO ANGRY AND NOW MY PC IS BACK TO BEING HAPPY AND HEALTHY! THANK YOU!!!!!

#11
miekiemoes
Malware Expert (MVP), 5,503 posts
Glad I could help you :tazz:

#12
miekiemoes
Malware Expert (MVP), 5,503 posts
Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request. If you should have a new issue, please start a new topic.
This applies only to the original topic starter. Everyone else please begin a New Topic.