
Still no Luck: Red screen and all


#1
obm

    New Member

  • Member
  • 4 posts
I've been reading the following post: http://www.geekstogo...indpost&p=48310

And it seems I may have a similar issue. My wallpaper is all red and looks like an ad for a spyware prog. Can I get rid of this with the above post's recommended way?

Most importantly, this is a work PC and I remote log into work, which presumably I should not do until this is fixed, right?

Thanks for your help

#2
obm

    New Member

  • Topic Starter
  • Member
  • 4 posts
Hi,

I have tried a bunch of remedies from a few of the other posts, but I'm still not getting anywhere. The following is my HJT log:

Thanks for your help!

OBM

Logfile of HijackThis v1.99.1
Scan saved at 1:05:03 AM, on 4/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\Fast.exe
C:\PROGRA~1\NavNT\NAVRoam.exe
C:\PROGRA~1\MSREMO~1\NetCfgSv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\rconsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\winsvc.exe
C:\Program Files\Reflectent\EdgeSight\EdgeSvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\REFLEC~1\EDGESI~1\EdgeTray.exe
C:\Program Files\BUFFALO\ABRECEIVER\ABReceiver.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\Qvp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\userinit.exe
C:\Desktop\HijackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ReaderOnly\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Reflectent IE Helper Object - {C34AFC14-3FF5-4EF0-A935-720AE0621C08} - C:\Program Files\Reflectent\EdgeSight\ZBHook.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [OutlookPRF] C:\Program Files\MS Outlook Tools\getexchangeDN.exe msad.ms.com VOID DC=msad,DC=ms,DC=com 389
O4 - HKLM\..\Run: [IBMOnDemand7.1.0.14.msi] wscript.exe "C:\Program Files\Common Files\IBM\OnDemand32\7.1.0.14\MSForcedRepairByReg.vbs
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [UsrPrint] C:\Program Files\Common Files\Morgan Stanley Sysadmin\Bin\UsrPrint.exe
O4 - HKLM\..\Run: [UserConfig] C:\Program Files\Common Files\Morgan Stanley Sysadmin\Bin\UserConfXP.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [EdgeSightHelper] C:\PROGRA~1\REFLEC~1\EDGESI~1\EdgeTray.exe -T
O4 - HKLM\..\Run: [ABRECEIVER] "C:\Program Files\BUFFALO\ABRECEIVER\ABReceiver.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Ssr] C:\WINDOWS\Eab.exe
O4 - HKLM\..\Run: [Pdo] C:\WINDOWS\Vor.exe
O4 - HKLM\..\Run: [Sih] C:\WINDOWS\Erh.exe
O4 - HKLM\..\Run: [Iko] C:\WINDOWS\Psb.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Rku] C:\WINDOWS\Doc.exe
O4 - HKLM\..\Run: [Reb] C:\WINDOWS\System32\Qvp.exe
O4 - HKLM\..\Run: [Ddb] C:\WINDOWS\System32\Gjk.exe
O4 - HKLM\..\Run: [Rml] C:\WINDOWS\System32\Fer.exe
O4 - HKLM\..\Run: [Gdf] C:\WINDOWS\Tvo.exe
O4 - HKLM\..\Run: [Gml] C:\WINDOWS\System32\Pjn.exe
O4 - HKLM\..\Run: [Ibq] C:\WINDOWS\System32\Uei.exe
O4 - HKLM\..\Run: [Qjd] C:\WINDOWS\System32\Und.exe
O4 - HKLM\..\Run: [Urc] C:\WINDOWS\Sjj.exe
O4 - HKLM\..\Run: [Udf] C:\WINDOWS\Hlv.exe
O4 - HKLM\..\Run: [Qvi] C:\WINDOWS\System32\Keu.exe
O4 - HKLM\..\Run: [Dba] C:\WINDOWS\Tre.exe
O4 - HKLM\..\Run: [Vcr] C:\WINDOWS\Bit.exe
O4 - HKLM\..\Run: [Rlv] C:\WINDOWS\Aop.exe
O4 - HKLM\..\Run: [Amk] C:\WINDOWS\System32\Hhc.exe
O4 - HKLM\..\Run: [Qdc] C:\WINDOWS\Jsn.exe
O4 - HKLM\..\Run: [Ngo] C:\WINDOWS\Qom.exe
O4 - HKLM\..\Run: [Ent] C:\WINDOWS\System32\Chi.exe
O4 - HKLM\..\Run: [Hfu] C:\WINDOWS\System32\Bmi.exe
O4 - HKLM\..\Run: [Hhc] C:\WINDOWS\Qju.exe
O4 - HKLM\..\Run: [Thi] C:\WINDOWS\System32\Trc.exe
O4 - HKLM\..\Run: [Frq] C:\WINDOWS\Aom.exe
O4 - HKLM\..\Run: [Nbv] C:\WINDOWS\Dbq.exe
O4 - HKLM\..\Run: [Qeo] C:\WINDOWS\Ncs.exe
O4 - HKLM\..\Run: [Asd] C:\WINDOWS\System32\Iif.exe
O4 - HKLM\..\Run: [Qgs] C:\WINDOWS\System32\Irr.exe
O4 - HKLM\..\Run: [Frh] C:\WINDOWS\System32\Llq.exe
O4 - HKLM\..\Run: [Rtd] C:\WINDOWS\System32\Fsc.exe
O4 - HKLM\..\Run: [Bst] C:\WINDOWS\System32\Mbl.exe
O4 - HKLM\..\Run: [Uom] C:\WINDOWS\Rup.exe
O4 - HKLM\..\Run: [Unm] C:\WINDOWS\Egr.exe
O4 - HKLM\..\Run: [Ior] C:\WINDOWS\System32\Ieq.exe
O4 - HKLM\..\Run: [Vpa] C:\WINDOWS\System32\Dhe.exe
O4 - HKLM\..\Run: [Qar] C:\WINDOWS\System32\Obh.exe
O4 - HKLM\..\Run: [Pkr] C:\WINDOWS\Fiv.exe
O4 - HKLM\..\Run: [Nvi] C:\WINDOWS\Nbo.exe
O4 - HKLM\..\Run: [Itp] C:\WINDOWS\Mbo.exe
O4 - HKLM\..\Run: [Kno] C:\WINDOWS\Obv.exe
O4 - HKLM\..\Run: [Ukp] C:\WINDOWS\System32\Qqo.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Tdg] C:\WINDOWS\Tpp.exe
O4 - HKLM\..\Run: [Vql] C:\WINDOWS\Pko.exe
O4 - HKLM\..\Run: [Aos] C:\WINDOWS\Oni.exe
O4 - HKLM\..\Run: [Kmf] C:\WINDOWS\Onr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Ssr] C:\WINDOWS\Eab.exe
O4 - HKCU\..\Run: [Pdo] C:\WINDOWS\Vor.exe
O4 - HKCU\..\Run: [Sih] C:\WINDOWS\Erh.exe
O4 - HKCU\..\Run: [Iko] C:\WINDOWS\Psb.exe
O4 - HKCU\..\Run: [Rku] C:\WINDOWS\Doc.exe
O4 - HKCU\..\Run: [Reb] C:\WINDOWS\System32\Qvp.exe
O4 - HKCU\..\Run: [Ddb] C:\WINDOWS\System32\Gjk.exe
O4 - HKCU\..\Run: [Rml] C:\WINDOWS\System32\Fer.exe
O4 - HKCU\..\Run: [Gdf] C:\WINDOWS\Tvo.exe
O4 - HKCU\..\Run: [Gml] C:\WINDOWS\System32\Pjn.exe
O4 - HKCU\..\Run: [Ibq] C:\WINDOWS\System32\Uei.exe
O4 - HKCU\..\Run: [Qjd] C:\WINDOWS\System32\Und.exe
O4 - HKCU\..\Run: [Urc] C:\WINDOWS\Sjj.exe
O4 - HKCU\..\Run: [Udf] C:\WINDOWS\Hlv.exe
O4 - HKCU\..\Run: [Qvi] C:\WINDOWS\System32\Keu.exe
O4 - HKCU\..\Run: [Dba] C:\WINDOWS\Tre.exe
O4 - HKCU\..\Run: [Vcr] C:\WINDOWS\Bit.exe
O4 - HKCU\..\Run: [Rlv] C:\WINDOWS\Aop.exe
O4 - HKCU\..\Run: [Amk] C:\WINDOWS\System32\Hhc.exe
O4 - HKCU\..\Run: [Qdc] C:\WINDOWS\Jsn.exe
O4 - HKCU\..\Run: [Ngo] C:\WINDOWS\Qom.exe
O4 - HKCU\..\Run: [Ent] C:\WINDOWS\System32\Chi.exe
O4 - HKCU\..\Run: [Hfu] C:\WINDOWS\System32\Bmi.exe
O4 - HKCU\..\Run: [Hhc] C:\WINDOWS\Qju.exe
O4 - HKCU\..\Run: [Thi] C:\WINDOWS\System32\Trc.exe
O4 - HKCU\..\Run: [Frq] C:\WINDOWS\Aom.exe
O4 - HKCU\..\Run: [Nbv] C:\WINDOWS\Dbq.exe
O4 - HKCU\..\Run: [Qeo] C:\WINDOWS\Ncs.exe
O4 - HKCU\..\Run: [Asd] C:\WINDOWS\System32\Iif.exe
O4 - HKCU\..\Run: [Qgs] C:\WINDOWS\System32\Irr.exe
O4 - HKCU\..\Run: [Frh] C:\WINDOWS\System32\Llq.exe
O4 - HKCU\..\Run: [Rtd] C:\WINDOWS\System32\Fsc.exe
O4 - HKCU\..\Run: [Bst] C:\WINDOWS\System32\Mbl.exe
O4 - HKCU\..\Run: [Uom] C:\WINDOWS\Rup.exe
O4 - HKCU\..\Run: [Unm] C:\WINDOWS\Egr.exe
O4 - HKCU\..\Run: [Ior] C:\WINDOWS\System32\Ieq.exe
O4 - HKCU\..\Run: [Vpa] C:\WINDOWS\System32\Dhe.exe
O4 - HKCU\..\Run: [Qar] C:\WINDOWS\System32\Obh.exe
O4 - HKCU\..\Run: [Pkr] C:\WINDOWS\Fiv.exe
O4 - HKCU\..\Run: [Nvi] C:\WINDOWS\Nbo.exe
O4 - HKCU\..\Run: [Itp] C:\WINDOWS\Mbo.exe
O4 - HKCU\..\Run: [Kno] C:\WINDOWS\Obv.exe
O4 - HKCU\..\Run: [Ukp] C:\WINDOWS\System32\Qqo.exe
O4 - HKCU\..\Run: [Tdg] C:\WINDOWS\Tpp.exe
O4 - HKCU\..\Run: [Vql] C:\WINDOWS\Pko.exe
O4 - HKCU\..\Run: [Aos] C:\WINDOWS\Oni.exe
O4 - HKCU\..\Run: [Kmf] C:\WINDOWS\Onr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {071D8412-F55A-4C74-9470-B5BE2CDC968F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {071D8412-F55A-4C74-9470-B5BE2CDC968F} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://today-jp.ms.com/portal/index.jsp?pageID=mstoday_shared_home
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msad.ms.com
O17 - HKLM\Software\..\Telephony: DomainName = msad.ms.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{173A1708-E310-43B2-A592-B4C626F3CEFC}: Domain = ms.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{7335236F-FC8C-40C5-B4FE-F8D934A9542E}: Domain = ms.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{7335236F-FC8C-40C5-B4FE-F8D934A9542E}: NameServer = 161.144.31.181,161.144.5.31
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msad.ms.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ms.com,msdwis.com,msad.ms.com,vkm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{173A1708-E310-43B2-A592-B4C626F3CEFC}: Domain = ms.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msad.ms.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ms.com,msdwis.com,msad.ms.com,vkm.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{173A1708-E310-43B2-A592-B4C626F3CEFC}: Domain = ms.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ms.com,msdwis.com,msad.ms.com,vkm.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Reflectent EdgeSight Agent (EdgeSight) - Reflectent Software Inc. - C:\Program Files\Reflectent\EdgeSight\EdgeSvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NAVRoam - symantec - C:\PROGRA~1\NavNT\NAVRoam.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\MSREMO~1\NetCfgSv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Remote Console (RCONSVC) - Unknown owner - C:\WINDOWS\System32\rconsvc.exe
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\System32\winsvc.exe

#3
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome obm to Geeks to Go!

Thank you for your patience, the forum is very busy.

Download and Save Spywadfix to your computer from this link:
http://www.thespykil...s/spywadfix.exe.

It will automatically extract to c:\spywad where it needs to be to run and will automatically open the remove spywad.vbs script for you ready to paste in the line mentioned below.
If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run.

It is not malicious.
It will open an Input box. Paste this line into the box
C:\WINDOWS\System32\Qvp.exe

The script will kill that process, back up and then delete any matching files in System32 and your Windows Directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad Folder. The backups will also be located in two subfolders there. One named Systems and the other named Window.

The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your windows default desktop and context menu functions.
It will restart Explorer.

** Script Does not remove the orphaned run entries.

Finally, it will Run hijackthis so that you can remove the orphaned run entries and anything else as posted in my next post.

If hijackthis doesn't start, run it manually.

Place a check against each of the following, making sure you get them all and not any others by mistake:
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Ssr] C:\WINDOWS\Eab.exe
O4 - HKLM\..\Run: [Pdo] C:\WINDOWS\Vor.exe
O4 - HKLM\..\Run: [Sih] C:\WINDOWS\Erh.exe
O4 - HKLM\..\Run: [Iko] C:\WINDOWS\Psb.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Rku] C:\WINDOWS\Doc.exe
O4 - HKLM\..\Run: [Reb] C:\WINDOWS\System32\Qvp.exe
O4 - HKLM\..\Run: [Ddb] C:\WINDOWS\System32\Gjk.exe
O4 - HKLM\..\Run: [Rml] C:\WINDOWS\System32\Fer.exe
O4 - HKLM\..\Run: [Gdf] C:\WINDOWS\Tvo.exe
O4 - HKLM\..\Run: [Gml] C:\WINDOWS\System32\Pjn.exe
O4 - HKLM\..\Run: [Ibq] C:\WINDOWS\System32\Uei.exe
O4 - HKLM\..\Run: [Qjd] C:\WINDOWS\System32\Und.exe
O4 - HKLM\..\Run: [Urc] C:\WINDOWS\Sjj.exe
O4 - HKLM\..\Run: [Udf] C:\WINDOWS\Hlv.exe
O4 - HKLM\..\Run: [Qvi] C:\WINDOWS\System32\Keu.exe
O4 - HKLM\..\Run: [Dba] C:\WINDOWS\Tre.exe
O4 - HKLM\..\Run: [Vcr] C:\WINDOWS\Bit.exe
O4 - HKLM\..\Run: [Rlv] C:\WINDOWS\Aop.exe
O4 - HKLM\..\Run: [Amk] C:\WINDOWS\System32\Hhc.exe
O4 - HKLM\..\Run: [Qdc] C:\WINDOWS\Jsn.exe
O4 - HKLM\..\Run: [Ngo] C:\WINDOWS\Qom.exe
O4 - HKLM\..\Run: [Ent] C:\WINDOWS\System32\Chi.exe
O4 - HKLM\..\Run: [Hfu] C:\WINDOWS\System32\Bmi.exe
O4 - HKLM\..\Run: [Hhc] C:\WINDOWS\Qju.exe
O4 - HKLM\..\Run: [Thi] C:\WINDOWS\System32\Trc.exe
O4 - HKLM\..\Run: [Frq] C:\WINDOWS\Aom.exe
O4 - HKLM\..\Run: [Nbv] C:\WINDOWS\Dbq.exe
O4 - HKLM\..\Run: [Qeo] C:\WINDOWS\Ncs.exe
O4 - HKLM\..\Run: [Asd] C:\WINDOWS\System32\Iif.exe
O4 - HKLM\..\Run: [Qgs] C:\WINDOWS\System32\Irr.exe
O4 - HKLM\..\Run: [Frh] C:\WINDOWS\System32\Llq.exe
O4 - HKLM\..\Run: [Rtd] C:\WINDOWS\System32\Fsc.exe
O4 - HKLM\..\Run: [Bst] C:\WINDOWS\System32\Mbl.exe
O4 - HKLM\..\Run: [Uom] C:\WINDOWS\Rup.exe
O4 - HKLM\..\Run: [Unm] C:\WINDOWS\Egr.exe
O4 - HKLM\..\Run: [Ior] C:\WINDOWS\System32\Ieq.exe
O4 - HKLM\..\Run: [Vpa] C:\WINDOWS\System32\Dhe.exe
O4 - HKLM\..\Run: [Qar] C:\WINDOWS\System32\Obh.exe
O4 - HKLM\..\Run: [Pkr] C:\WINDOWS\Fiv.exe
O4 - HKLM\..\Run: [Nvi] C:\WINDOWS\Nbo.exe
O4 - HKLM\..\Run: [Itp] C:\WINDOWS\Mbo.exe
O4 - HKLM\..\Run: [Kno] C:\WINDOWS\Obv.exe
O4 - HKLM\..\Run: [Ukp] C:\WINDOWS\System32\Qqo.exe
O4 - HKLM\..\Run: [Tdg] C:\WINDOWS\Tpp.exe
O4 - HKLM\..\Run: [Vql] C:\WINDOWS\Pko.exe
O4 - HKLM\..\Run: [Aos] C:\WINDOWS\Oni.exe
O4 - HKLM\..\Run: [Kmf] C:\WINDOWS\Onr.exe
O4 - HKCU\..\Run: [Ssr] C:\WINDOWS\Eab.exe
O4 - HKCU\..\Run: [Pdo] C:\WINDOWS\Vor.exe
O4 - HKCU\..\Run: [Sih] C:\WINDOWS\Erh.exe
O4 - HKCU\..\Run: [Iko] C:\WINDOWS\Psb.exe
O4 - HKCU\..\Run: [Rku] C:\WINDOWS\Doc.exe
O4 - HKCU\..\Run: [Reb] C:\WINDOWS\System32\Qvp.exe
O4 - HKCU\..\Run: [Ddb] C:\WINDOWS\System32\Gjk.exe
O4 - HKCU\..\Run: [Rml] C:\WINDOWS\System32\Fer.exe
O4 - HKCU\..\Run: [Gdf] C:\WINDOWS\Tvo.exe
O4 - HKCU\..\Run: [Gml] C:\WINDOWS\System32\Pjn.exe
O4 - HKCU\..\Run: [Ibq] C:\WINDOWS\System32\Uei.exe
O4 - HKCU\..\Run: [Qjd] C:\WINDOWS\System32\Und.exe
O4 - HKCU\..\Run: [Urc] C:\WINDOWS\Sjj.exe
O4 - HKCU\..\Run: [Udf] C:\WINDOWS\Hlv.exe
O4 - HKCU\..\Run: [Qvi] C:\WINDOWS\System32\Keu.exe
O4 - HKCU\..\Run: [Dba] C:\WINDOWS\Tre.exe
O4 - HKCU\..\Run: [Vcr] C:\WINDOWS\Bit.exe
O4 - HKCU\..\Run: [Rlv] C:\WINDOWS\Aop.exe
O4 - HKCU\..\Run: [Amk] C:\WINDOWS\System32\Hhc.exe
O4 - HKCU\..\Run: [Qdc] C:\WINDOWS\Jsn.exe
O4 - HKCU\..\Run: [Ngo] C:\WINDOWS\Qom.exe
O4 - HKCU\..\Run: [Ent] C:\WINDOWS\System32\Chi.exe
O4 - HKCU\..\Run: [Hfu] C:\WINDOWS\System32\Bmi.exe
O4 - HKCU\..\Run: [Hhc] C:\WINDOWS\Qju.exe
O4 - HKCU\..\Run: [Thi] C:\WINDOWS\System32\Trc.exe
O4 - HKCU\..\Run: [Frq] C:\WINDOWS\Aom.exe
O4 - HKCU\..\Run: [Nbv] C:\WINDOWS\Dbq.exe
O4 - HKCU\..\Run: [Qeo] C:\WINDOWS\Ncs.exe
O4 - HKCU\..\Run: [Asd] C:\WINDOWS\System32\Iif.exe
O4 - HKCU\..\Run: [Qgs] C:\WINDOWS\System32\Irr.exe
O4 - HKCU\..\Run: [Frh] C:\WINDOWS\System32\Llq.exe
O4 - HKCU\..\Run: [Rtd] C:\WINDOWS\System32\Fsc.exe
O4 - HKCU\..\Run: [Bst] C:\WINDOWS\System32\Mbl.exe
O4 - HKCU\..\Run: [Uom] C:\WINDOWS\Rup.exe
O4 - HKCU\..\Run: [Unm] C:\WINDOWS\Egr.exe
O4 - HKCU\..\Run: [Ior] C:\WINDOWS\System32\Ieq.exe
O4 - HKCU\..\Run: [Vpa] C:\WINDOWS\System32\Dhe.exe
O4 - HKCU\..\Run: [Qar] C:\WINDOWS\System32\Obh.exe
O4 - HKCU\..\Run: [Pkr] C:\WINDOWS\Fiv.exe
O4 - HKCU\..\Run: [Nvi] C:\WINDOWS\Nbo.exe
O4 - HKCU\..\Run: [Itp] C:\WINDOWS\Mbo.exe
O4 - HKCU\..\Run: [Kno] C:\WINDOWS\Obv.exe
O4 - HKCU\..\Run: [Ukp] C:\WINDOWS\System32\Qqo.exe
O4 - HKCU\..\Run: [Tdg] C:\WINDOWS\Tpp.exe
O4 - HKCU\..\Run: [Vql] C:\WINDOWS\Pko.exe
O4 - HKCU\..\Run: [Aos] C:\WINDOWS\Oni.exe
O4 - HKCU\..\Run: [Kmf] C:\WINDOWS\Onr.exe
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\System32\winsvc.exe

Click on Fix Checked when finished and exit HijackThis

--------------------------

When finished, post the contents of Spywad.txt and a new Hijackthis log.

If the files deleted are all found to be part of the infection and nothing important has been deleted, you will be instructed to delete the entire Spywad Folder after you have cleaned up all other User Profiles on that system.


Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

I have included another vbs to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the C:\Spywad folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

Then run hijackthis and remove the entries as directed.

You will need to do this step for every user account

To reset your wallpaper, open Display Properties > Desktop Tab. Choose a Wallpaper and apply. Close Display Properties. To see the change, click on the desktop and press F5.

Hope to hear from you soon.

#4
obm

    New Member

  • Topic Starter
  • Member
  • 4 posts
Hi g2i2r4,

Appreciate your assistance. I can understand you guys being busy...

Here is the text file from Spywad:

4/17/2005 11:10:28 AM
C:\WINDOWS\system32\Bmi.exe
C:\WINDOWS\system32\Chi.exe
C:\WINDOWS\system32\Dhe.exe
C:\WINDOWS\system32\Fer.exe
C:\WINDOWS\system32\Fsc.exe
C:\WINDOWS\system32\Gjk.exe
C:\WINDOWS\system32\Hhc.exe
C:\WINDOWS\system32\Ieq.exe
C:\WINDOWS\system32\Iif.exe
C:\WINDOWS\system32\Irr.exe
C:\WINDOWS\system32\Keu.exe
C:\WINDOWS\system32\Llq.exe
C:\WINDOWS\system32\Mbl.exe
C:\WINDOWS\system32\Obh.exe
C:\WINDOWS\system32\Pjn.exe
C:\WINDOWS\system32\Qqo.exe
C:\WINDOWS\system32\Qvp.exe
C:\WINDOWS\system32\Trc.exe
C:\WINDOWS\system32\Uei.exe
C:\WINDOWS\system32\Und.exe

And the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:29:21 AM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\Fast.exe
C:\PROGRA~1\NavNT\NAVRoam.exe
C:\PROGRA~1\MSREMO~1\NetCfgSv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\rconsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\winsvc.exe
C:\Program Files\Reflectent\EdgeSight\EdgeSvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\REFLEC~1\EDGESI~1\EdgeTray.exe
C:\Program Files\BUFFALO\ABRECEIVER\ABReceiver.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.exe
C:\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ReaderOnly\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Reflectent IE Helper Object - {C34AFC14-3FF5-4EF0-A935-720AE0621C08} - C:\Program Files\Reflectent\EdgeSight\ZBHook.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [OutlookPRF] C:\Program Files\MS Outlook Tools\getexchangeDN.exe msad.ms.com VOID DC=msad,DC=ms,DC=com 389
O4 - HKLM\..\Run: [IBMOnDemand7.1.0.14.msi] wscript.exe "C:\Program Files\Common Files\IBM\OnDemand32\7.1.0.14\MSForcedRepairByReg.vbs
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [UsrPrint] C:\Program Files\Common Files\Morgan Stanley Sysadmin\Bin\UsrPrint.exe
O4 - HKLM\..\Run: [UserConfig] C:\Program Files\Common Files\Morgan Stanley Sysadmin\Bin\UserConfXP.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [EdgeSightHelper] C:\PROGRA~1\REFLEC~1\EDGESI~1\EdgeTray.exe -T
O4 - HKLM\..\Run: [ABRECEIVER] "C:\Program Files\BUFFALO\ABRECEIVER\ABReceiver.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {071D8412-F55A-4C74-9470-B5BE2CDC968F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {071D8412-F55A-4C74-9470-B5BE2CDC968F} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://today-jp.ms.com/portal/index.jsp?pageID=mstoday_shared_home
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msad.ms.com
O17 - HKLM\Software\..\Telephony: DomainName = msad.ms.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{173A1708-E310-43B2-A592-B4C626F3CEFC}: Domain = ms.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{7335236F-FC8C-40C5-B4FE-F8D934A9542E}: Domain = ms.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{7335236F-FC8C-40C5-B4FE-F8D934A9542E}: NameServer = 161.144.31.181,161.144.5.31
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msad.ms.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ms.com,msdwis.com,msad.ms.com,vkm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{173A1708-E310-43B2-A592-B4C626F3CEFC}: Domain = ms.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msad.ms.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ms.com,msdwis.com,msad.ms.com,vkm.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{173A1708-E310-43B2-A592-B4C626F3CEFC}: Domain = ms.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ms.com,msdwis.com,msad.ms.com,vkm.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Reflectent EdgeSight Agent (EdgeSight) - Reflectent Software Inc. - C:\Program Files\Reflectent\EdgeSight\EdgeSvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NAVRoam - symantec - C:\PROGRA~1\NavNT\NAVRoam.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\MSREMO~1\NetCfgSv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Remote Console (RCONSVC) - Unknown owner - C:\WINDOWS\System32\rconsvc.exe
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\System32\winsvc.exe

Was able to change the desktop setting and can right click, so looks to be in good shape so far!!!

Awaiting further instructions.

OBM
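The two logs posted above (the HijackThis scan in post #2 and the Spywad.txt deletion list in this post) are the kind of evidence a helper reads by hand. As an added example, not part of this thread and not the Spywad script or HijackThis code, the Python below encodes the checks a reviewer applies to them: it parses O4, O15 and O23 lines, flags autorun entries that use the randomised three-letter names seen in this log and that are mirrored in both HKLM and HKCU, flags a service whose display name claims to be a Windows component but has no publisher string, lists Trusted IP range entries for review, and then cross-checks a Spywad.txt deletion list against the flagged set so you can see what was removed, what is still unaccounted for, and whether anything outside the flagged set was deleted. The sample input is a constructed excerpt copied from the logs in this thread; the rule names and thresholds are this example's own assumptions.

```python
# Triage a HijackThis log and cross-check a Spywad.txt deletion list.
# Added example for this thread; assumptions: the O4/O15/O23 line shapes below.
import re
from collections import defaultdict

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted IP range: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def exe_path(cmd):
    """Executable part of an O4 command: quoted path, else text up to '.exe', else first token."""
    cmd = cmd.strip()
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return unquoted.group(1) if unquoted else cmd.split()[0]


def looks_randomised(path):
    """Pattern seen in the thread: a Capitalised three-letter name dropped into the Windows folder or System32."""
    m = re.match(r"^C:\\WINDOWS\\(?:System32\\)?([A-Za-z]{3})\.exe$", path, re.IGNORECASE)
    return bool(m) and m.group(1)[0].isupper() and m.group(1)[1:].islower()


def parse_hjt(text):
    """Split a HijackThis log into the O4/O15/O23 facts the rules below use."""
    run, trusted, services = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            run.append((m["hive"], m["name"], m["cmd"]))
        elif m := O15_RE.match(line):
            trusted.append(m["ip"])
        elif m := O23_RE.match(line):
            services.append((m["display"], m["owner"], m["path"]))
    return {"run": run, "trusted_ips": trusted, "services": services}


def flag_autoruns(run):
    """Map executable path -> reasons for every O4 entry that trips a rule."""
    hives = defaultdict(set)              # which hives carry an identical [name] command
    for hive, name, cmd in run:
        hives[(name, cmd)].add(hive)
    flagged = defaultdict(list)
    for hive, name, cmd in run:
        path = exe_path(cmd)
        reasons = []
        if looks_randomised(path):
            reasons.append("random three-letter name in Windows folder")
        if hives[(name, cmd)] >= {"HKLM", "HKCU"}:
            reasons.append("identical entry mirrored in HKLM and HKCU")
        for reason in reasons:
            if reason not in flagged[path]:
                flagged[path].append(reason)
    return dict(flagged)


def flag_services(services):
    """O23 rule: display name claims to be a Windows component, but HijackThis found no publisher."""
    return {path: "claims to be a Windows component but has no publisher"
            for display, owner, path in services
            if owner == "Unknown owner" and re.search(r"windows|microsoft", display, re.IGNORECASE)}


def parse_spywad(text):
    """Spywad.txt as posted: a timestamp line followed by one deleted path per line."""
    return [l.strip() for l in text.splitlines() if re.match(r"^[A-Za-z]:\\", l.strip())]


def cross_check(flagged_paths, deleted_paths):
    """Compare the flagged set with what the cleanup log says was deleted (paths compared case-insensitively)."""
    flagged = {p.lower(): p for p in flagged_paths}
    deleted = {p.lower(): p for p in deleted_paths}
    return {
        "removed": sorted(flagged[k] for k in flagged.keys() & deleted.keys()),
        "not_in_deletion_log": sorted(flagged[k] for k in flagged.keys() - deleted.keys()),
        "unexpected_deletions": sorted(deleted[k] for k in deleted.keys() - flagged.keys()),
    }


def triage(hjt_text, spywad_text):
    facts = parse_hjt(hjt_text)
    autoruns = flag_autoruns(facts["run"])
    return {"autoruns": autoruns,
            "services": flag_services(facts["services"]),
            "trusted_ips": facts["trusted_ips"],
            "cross_check": cross_check(autoruns, parse_spywad(spywad_text))}


# Constructed sample: a handful of lines copied from the logs posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Ssr] C:\WINDOWS\Eab.exe
O4 - HKLM\..\Run: [Reb] C:\WINDOWS\System32\Qvp.exe
O4 - HKLM\..\Run: [Ddb] C:\WINDOWS\System32\Gjk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Ssr] C:\WINDOWS\Eab.exe
O4 - HKCU\..\Run: [Reb] C:\WINDOWS\System32\Qvp.exe
O4 - HKCU\..\Run: [Ddb] C:\WINDOWS\System32\Gjk.exe
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\System32\winsvc.exe
"""
SPYWAD_SAMPLE = r"""4/17/2005 11:10:28 AM
C:\WINDOWS\system32\Gjk.exe
C:\WINDOWS\system32\Qvp.exe
"""

if __name__ == "__main__":
    report = triage(HJT_SAMPLE, SPYWAD_SAMPLE)
    for path, reasons in report["autoruns"].items():
        print(f"REMOVE  {path}: {'; '.join(reasons)}")
    for path, reason in report["services"].items():
        print(f"SERVICE {path}: {reason}")
    for ip in report["trusted_ips"]:
        print(f"REVIEW  trusted IP range {ip}")
    for key, paths in report["cross_check"].items():
        print(f"{key}: {paths}")
```

On the sample, the three randomised entries are flagged for both reasons while vptray.exe, the dumprep entry and ctfmon.exe pass, the updater service is flagged, and the cross-check reports Gjk.exe and Qvp.exe as removed with Eab.exe in the Windows folder still unaccounted for, which is exactly the gap a helper then confirms against the fresh HijackThis log. The rules are heuristics tuned to the pattern in this thread, so treat their output as a worklist for a human reviewer rather than an automatic fix.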

#5
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Looks better from this end too.

Still some work to do.

Open HijackThis
Close all programs leaving only HijackThis running.

***

Go to ‘config’
Go to ‘misc tools’
Press ‘open process manager’
Select the process, press ‘kill process’:
winsvc.exe
press ‘back’ and 'scan'

***

Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [IBMOnDemand7.1.0.14.msi] wscript.exe "C:\Program Files\Common Files\IBM\OnDemand32\7.1.0.14\MSForcedRepairByReg.vbs
I'm not sure about this one, looks as if it's repairing the Registry

O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\System32\winsvc.exe

Click on Fix Checked when finished and exit HijackThis.

***

Download Pocket Killbox.
Unzip the files to a folder like c:\killbox\
Run Killbox (doubleclick Killbox.exe).

Click the radio button that says Delete a file on reboot. For the file in the box, paste it into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say Yes.
C:\WINDOWS\System32\winsvc.exe
Let the system reboot into safe mode.

**** As soon as the BIOS has loaded, begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe Mode menu item
*Press Enter.
***

Open HijackThis again.
Go to misc tools
click the Delete an NT Service button.
Paste in updater
and click OK.
Reboot the system.

***

Please do an online scan, 2 would be better,

Trend Micro Housecall
Panda online scan

Make sure that you choose "fix" or "clean".

***

Reboot the system again. Post back here in this topic with a fresh log using HijackThis.
Please let me know what the online scanners found and could not delete.


EDIT:
No reply was posted for more than two weeks.

This topic is now closed. If you are the topic starter and still need assistance, please send me a PM.

Edited by g2i2r4, 05 May 2005 - 10:22 AM.
