Problem with the edmond.exe [RESOLVED]


  • This topic is locked

#1 windrider72 (New Member, 7 posts)
Alright... I'm seeming to have the same problem with the edmond.exe file virus or whatever it is.. I do not have the HijackThis virus thing, but I do have Symantec AntiVirus and this is what it showed me.....

NOTICE: A virus has been detected on your computer. The file: C:\WINDOWS\isrvs\edmond.exe was automatically Clean failed : Delete failed : Access denied.

Please call the Help Desk at ********** if the file was not automatically cleaned.

Virus Name: Threat: Trojan Horse
Computer: *******1
User: ****
*just trying to keep safe

But I went to a couple of websites that told me how to get rid of it, but even when I try to delete it, it will not go away.. UGGH.. I'm thinking about throwing this computer out the window...!!


Please help!!

#2 windrider72 (Topic Starter, New Member, 7 posts)
Oooo k.... well, I guess a lot of people have looked at this and have NOT said anything..... Really, I need some help!!! Please, if you know anything about computers..... just write SOMETHING!! lol, thanks

Josh

#3 CarpeDiem (New Member, 3 posts)

Quoting windrider72:

    Oooo k.... well, I guess a lot of people have looked at this and have NOT said anything..... Really, I need some help!!! Please, if you know anything about computers..... just write SOMETHING!! lol, thanks

    Josh

lol, I've got the same problem as you..... I've been trying to fix it since about 2-3....

#4 ScHwErV (Member 5k, Retired Staff, MVP, 21,285 posts)
CarpeDiem

Please don't post in other people's threads. This could cause us to miss it. Please be patient; someone will be with you shortly.

windrider72

Hello and welcome to Geeks To Go.

Please read this post and follow the instructions there.

In order to get a better idea of what's happening with your computer:
  • Please download the latest version of HiJackThis from either Site 1 or Site 2
  • Copy it into its own folder, double-click HijackThis.exe, and hit "Do a system scan and save a logfile"
  • When the scan is finished, it will ask you to save the log. Just save it anywhere that you will remember like your desktop.
  • After you save it, the log will open in notepad. In notepad, press Ctrl-A to Select All, and copy its contents in a reply to this post.
  • Most of what it lists will be harmless or even essential
  • Don't Fix Anything Yet
Good Luck

ScHwErV

#5 windrider72 (Topic Starter, New Member, 7 posts)
Alright, here you go..

Logfile of HijackThis v1.99.1
Scan saved at 9:58:13 AM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\X1002142005.exe
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\vpvakv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Josh\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2sea...sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [rtbcxees] C:\WINDOWS\xmsqbdxa.exe
O4 - HKLM\..\Run: [MXEPAKUCM] C:\WINDOWS\MXEPAKUCM.exe
O4 - HKLM\..\Run: [MWEO] C:\WINDOWS\MWEO.exe
O4 - HKLM\..\Run: [JUBM] C:\WINDOWS\JUBM.exe
O4 - HKLM\..\Run: [JTBO] C:\WINDOWS\JTBO.exe
O4 - HKLM\..\Run: [t] C:\WINDOWS\System32\uagnek.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Visual Element Fx] C:\WINDOWS\system32\X1002142005.exe
O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Josh\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [djxbnj] c:\windows\system32\djxbnj.exe
O4 - HKLM\..\Run: [AutoLoaderv0x21aOTaPPV] "C:\WINDOWS\system32\vsstwiz.exe" /HideDir /HideUninstall /PC="CP.DEF2" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AutoLoaderv0xK1aOTaPPV] "C:\WINDOWS\system32\colmaori.exe"
O4 - HKLM\..\Run: [v7Ek3mT] colmaori.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\appsetup.EXE
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vpvakv.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZCxdm231YYUS
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AE3DD25-DAF9-4EF1-9251-83CAAB95F9DF}: NameServer = 12.102.244.2 204.127.129.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{3AE3DD25-DAF9-4EF1-9251-83CAAB95F9DF}: NameServer = 12.102.244.2 204.127.129.4
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O21 - SSODL: NTDBGTOOL - {934B0500-F563-48A6-9353-E57BCB61AE76} - C:\WINDOWS\system32\dssercp.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#6 ScHwErV (Member 5k, Retired Staff, MVP, 21,285 posts)
Let's start out with some general scans and see if we can't clean things up a little.

Please download Spybot Search & Destroy and AdAware.

Follow all the instructions on this website to run a scan with both of these programs.

Please run an online virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

Good Luck

ScHwErV

#7 windrider72 (Topic Starter, New Member, 7 posts)
Here's the HijackThis log...
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Elements 2.0
Adobe Reader 6.0.1
AOL Instant Messenger
BCM V.92 56K Modem
Britannica Ready Reference
Canon Camera Window for ZoomBrowser EX
Canon EOS Kiss REBEL 300D WIA Driver
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities File Viewer Utility 1.3
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Classic PhoneTools
ClearStream Accelerator
Copernic Desktop Search
Dell Movie Studio Diagnostics
Dell ResourceCD
Discover Lindal (remove only)
Display Utility
Easy CD Creator 5 Basic
EmpirePoker
GT Ripple
HijackThis 1.99.1
IGC V1
IMwire
InetDctr
iRiver Manager
Kaspersky Anti-Virus Web Scanner
LiveUpdate 2.0 (Symantec Corporation)
Lotus Notes
Macromedia Shockwave Player
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft Data Access Components KB870669
Microsoft Encarta 98 Encyclopedia
Microsoft Office 2000 Premium
Microsoft Plus! Digital Media Edition
My Web Search (Cursor Mania)
MyDVD
Nortel Networks Contivity VPN Client
NotationMachine Demo
NVIDIA Windows 2000/XP Display Drivers
Polar Golfer from AIM (remove only)
PowerDVD
Quicken 2002 New User Edition
QuickTime
RealArcade
Savings Bond Wizard
Sid Meier's SimGolf
SimCity 3000
Sound Blaster Live!
Spybot - Search & Destroy 1.2
Symantec AntiVirus
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visual Element FX
WildTangent Web Driver
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Windsurfing Screen Saver


And the Kaspersky virus search is finding viruses.... like 31 now, but it's only 9% done and it's been like an hour and a half, so I'm gonna quit out on that for now..
But lately I've been getting pop-ups alllll the time... it's never been this bad... I can hardly get anything done..... I'm pretty sure it's because the firewall got taken down by one of the viruses or something, but when I try to turn it back on, a box pops up and says: due to an unidentified problem, Windows cannot display Windows Firewall settings....

I can hardly take it anymore... but thanks for all the help so far.

I'll try to get the virus scan list to you.

Later,
Josh

#8 ScHwErV (Member 5k, Retired Staff, MVP, 21,285 posts)
If the KAV scan is finding so much stuff, you will definitely want to let that complete, even if you have to run it overnight. It is a very powerful scanner with great definitions.

Also, when you post back, I will need a normal HiJackThis log.

Don't worry, we will get this.

ScHwErV

#9 windrider72 (Topic Starter, New Member, 7 posts)
OK, here's the HijackThis normal log
Logfile of HijackThis v1.99.1
Scan saved at 10:03:46 PM, on 5/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\X1002142005.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\vpvakv.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\Zzhpsb.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
c:\windows\system32\epimur.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\wowtsn32.exe
C:\WINDOWS\system32\wsomans.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Josh\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2sea...sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [rtbcxees] C:\WINDOWS\xmsqbdxa.exe
O4 - HKLM\..\Run: [MXEPAKUCM] C:\WINDOWS\MXEPAKUCM.exe
O4 - HKLM\..\Run: [MWEO] C:\WINDOWS\MWEO.exe
O4 - HKLM\..\Run: [JUBM] C:\WINDOWS\JUBM.exe
O4 - HKLM\..\Run: [JTBO] C:\WINDOWS\JTBO.exe
O4 - HKLM\..\Run: [t] C:\WINDOWS\System32\uagnek.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Visual Element Fx] C:\WINDOWS\system32\X1002142005.exe
O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Josh\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [djxbnj] c:\windows\system32\djxbnj.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vpvakv.exe
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\system32\psoft1.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteryx32.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Zzhpsb.exe
O4 - HKLM\..\Run: [gowiim] c:\windows\system32\epimur.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [G3] C:\WINDOWS\system32\GSMedia3.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ewxqRgf7l] wowtsn32.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZCxdm231YYUS
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AE3DD25-DAF9-4EF1-9251-83CAAB95F9DF}: NameServer = 12.102.244.2 204.127.129.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{3AE3DD25-DAF9-4EF1-9251-83CAAB95F9DF}: NameServer = 12.102.244.2 204.127.129.4
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\hr4s05h7e.dll
O21 - SSODL: NTDBGTOOL - {934B0500-F563-48A6-9353-E57BCB61AE76} - C:\WINDOWS\system32\dssercp.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

......and the other one again

Adobe Acrobat 5.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Elements 2.0
Adobe Reader 6.0.1
AOL Instant Messenger
BCM V.92 56K Modem
Britannica Ready Reference
Canon Camera Window for ZoomBrowser EX
Canon EOS Kiss REBEL 300D WIA Driver
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities File Viewer Utility 1.3
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Classic PhoneTools
ClearStream Accelerator
Dell Movie Studio Diagnostics
Dell ResourceCD
D-helper Web Driver
Display Utility
Easy CD Creator 5 Basic
EmpirePoker
GT Ripple
HijackThis 1.99.1
IMwire
InetDctr
Instant Access
iRiver Manager
Kaspersky Anti-Virus Web Scanner
LiveUpdate 2.0 (Symantec Corporation)
Lotus Notes
Macromedia Shockwave Player
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft Encarta 98 Encyclopedia
Microsoft Office 2000 Premium
Microsoft Plus! Digital Media Edition
MyDVD
Nortel Networks Contivity VPN Client
NotationMachine Demo
NVIDIA Windows 2000/XP Display Drivers
Polar Golfer from AIM (remove only)
PowerDVD
QuickTime
RealArcade
Savings Bond Wizard
Sid Meier's SimGolf
SimCity 3000
Sound Blaster Live!
Spybot - Search & Destroy 1.3
SpywareBlaster v3.2
Symantec AntiVirus
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visual Element FX
Win-dh
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Windsurfing Screen Saver

Alright.. well, since I have a dial-up internet connection, the online virus scan wasn't an option. Though a couple of days ago I asked my neighbor to come over to try and help out.. long story short... I believe we got rid of the edmond virus... (Symantec AntiVirus was able to detect and delete it)... buuuuuuut there still HAS to be some virus or spyware in this hunk of junk that my Spybot S&D, Symantec AntiVirus, SpywareBlaster and Microsoft AntiSpyware have not been able to find... or keep away. Also, the firewall settings are still unreachable, so I still can't get it working.

thanks again....
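The two HijackThis logs in this thread (posts #5 and #9) are read by eye: the helper looks for a program chained onto the Shell= line, Run entries that name an executable by bare filename or launch it from Temp, random-looking files dropped straight into C:\WINDOWS or System32, and services with an unknown owner. As an added example that is not part of the original posts or of HijackThis itself, the Python below automates that first pass over the F2, O4, O20, O21 and O23 lines. The sample lines are copied from the logs posted above; the known-good list, the vowel-ratio threshold and the lookalike list are this example's own assumptions, not a vetted database.

```python
"""Triage helper for a HijackThis 1.99 log.

Added example for this thread; not part of HijackThis or of the original
posts. It pulls the autostart-style entries (F2, O4, O20, O21, O23) out
of a log and flags the ones a helper would look at first. The known-good
list and the thresholds below are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: a dozen lines copied from the two logs posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [rtbcxees] C:\WINDOWS\xmsqbdxa.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Josh\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\hr4s05h7e.dll
O21 - SSODL: NTDBGTOOL - {934B0500-F563-48A6-9353-E57BCB61AE76} - C:\WINDOWS\system32\dssercp.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Assumption of this example: names legitimately present directly in the
# Windows directory or System32 on the machine in this thread.
KNOWN_GOOD = {
    "nvcpl.dll", "nvmctray.dll", "nvsvc32.exe", "ctsvccda.exe",
    "bcmsmmsg.exe", "updreg.exe", "mspmspsv.exe",
}
WINDOWS_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")
# Core process names that malware likes to imitate with a near-miss spelling.
LOOKALIKE_TARGETS = ("svchost", "lsass", "csrss", "winlogon", "explorer", "services")
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")


@dataclass
class Finding:
    section: str
    target: str
    reasons: tuple


def looks_random(stem: str) -> bool:
    """Crude check for machine-generated names such as xmsqbdxa or hr4s05h7e:
    six or more characters with fewer than one vowel per four letters."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(stem) < 6 or not letters:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.25


def command_target(cmd: str) -> str:
    """Return the file a Run entry actually launches: the first (possibly
    quoted) token, or the DLL argument when the host is rundll32."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', cmd)]
    if not tokens:
        return ""
    host = tokens[0].rsplit("\\", 1)[-1].lower()
    if host in ("rundll32.exe", "rundll32") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0]


def assess_target(path: str) -> list:
    """Heuristic reasons a launch target deserves a second look."""
    low = path.strip().strip('"').lower()
    reasons = []
    if "(file missing)" in low:
        reasons.append("referenced file is missing")
        low = low.replace("(file missing)", "").strip()
    directory, _, name = low.rpartition("\\")
    directory += "\\" if directory else ""
    stem = name.rsplit(".", 1)[0]
    if not directory:
        reasons.append("bare filename, resolved through the PATH search order")
    if "\\temp\\" in directory:
        reasons.append("launched from a Temp directory")
    if directory in WINDOWS_DIRS and name not in KNOWN_GOOD:
        if directory == WINDOWS_DIRS[0]:
            reasons.append("unrecognised executable directly in the Windows directory")
        if looks_random(stem):
            reasons.append("random-looking file name")
    for legit in LOOKALIKE_TARGETS:
        if stem != legit and stem.startswith(legit):
            reasons.append(f"name imitates {legit}")
    return reasons


def triage(log_text: str) -> list:
    """Walk a HijackThis log and return the entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reasons, target = [], ""
        if sec == "F2":
            # Shell= must be exactly Explorer.exe; anything chained after it
            # is started with the shell at every logon.
            shell = re.search(r"Shell=(.*)", body)
            if shell and shell.group(1).strip().lower() != "explorer.exe":
                target = shell.group(1).strip()
                reasons = ["extra program chained onto the Shell= line"]
        elif sec == "O4":
            run = RUN_RE.match(body)
            if run:
                target = command_target(run.group("cmd"))
                reasons = assess_target(target)
        elif sec in ("O20", "O21"):
            # Winlogon Notify and SSODL entries: the DLL path is the last field.
            target = body.rsplit(" - ", 1)[-1]
            reasons = assess_target(target)
        elif sec == "O23":
            parts = body.split(" - ")
            if len(parts) >= 3:
                owner, target = parts[-2].strip(), parts[-1].strip()
                reasons = assess_target(target)
                if owner.lower() == "unknown owner":
                    reasons.insert(0, "service with unknown owner")
        if reasons:
            findings.append(Finding(sec, target, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.target}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run as a script, it lists nine flagged entries from the sample and leaves the NVIDIA, Symantec and QuickTime-style lines alone. It only ranks lines for a human to check: a flagged entry is not proof of infection, and a clean-looking name in a normal directory is not proof of health.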

#10 ScHwErV (Member 5k, Retired Staff, MVP, 21,285 posts)
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
REM Run this from Safe Mode, as instructed below, so the files are not in use.
cd %windir%
REM Invoke Nail.exe with the /FULLREMOVE switch given in these instructions.
Nail.exe /FULLREMOVE
REM Keep the SvcProc service from starting again, then stop and unregister it.
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so del can remove the files.
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan, let it fix everything that it asks about. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

ScHwErV

#11 windrider72 (Topic Starter, New Member, 7 posts)
I did all that was asked... and it all worked until the end of the scan.. A Windows message popped up and exited out of the scanner... Then, out of Safe Mode, when I went back into Ewido and tried to scan again.. the same thing happened. I looked through the quarantine; there were many files that were infected. I wasn't able to copy that list, but I got all the rest of the copyable things...lol
---------------------------------------------------------
ewido security suite - Startup report
---------------------------------------------------------

+ Created on: 12:52:45 AM, 5/8/2005
+ Report-Checksum: FB422B96

Reg\HKLM\Run BPT "C:\Program Files\Bpt\bpt.exe"
Reg\HKLM\Run ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Reg\HKLM\Run diagent "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
Reg\HKLM\Run UpdReg C:\WINDOWS\UpdReg.EXE
Reg\HKLM\Run AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
Reg\HKLM\Run NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Reg\HKLM\Run rtbcxees C:\WINDOWS\xmsqbdxa.exe
Reg\HKLM\Run MWEO C:\WINDOWS\MWEO.exe
Reg\HKLM\Run MXEPAKUCM C:\WINDOWS\MXEPAKUCM.exe
Reg\HKLM\Run JTBO C:\WINDOWS\JTBO.exe
Reg\HKLM\Run JUBM C:\WINDOWS\JUBM.exe
Reg\HKLM\Run t C:\WINDOWS\System32\uagnek.exe
Reg\HKLM\Run Antivirus C:\WINDOWS\av.exe
Reg\HKLM\Run BCMSMMSG BCMSMMSG.exe
Reg\HKLM\Run ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Reg\HKLM\Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run vptray C:\PROGRA~1\SYMANT~1\VPTray.exe
Reg\HKLM\Run Visual Element Fx C:\WINDOWS\system32\X1002142005.exe
Reg\HKLM\Run Windows Logon Procedure SVCHOSTA.EXE
Reg\HKLM\Run cfgmgr51 RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
Reg\HKLM\Run DI2 "C:\DOCUME~1\Josh\LOCALS~1\Temp\27.exe\27.exe"
Reg\HKLM\Run djxbnj c:\windows\system32\djxbnj.exe
Reg\HKLM\Run gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Reg\HKLM\Run jqzruepk c:\windows\system32\jqzruepk.exe -start
Reg\HKLM\Run G3 C:\WINDOWS\system32\GSMedia3.exe
Reg\HKCU\Run MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Reg\HKCU\Run NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
Reg\HKCU\Run ewxqRgf7l wowtsn32.exe
Reg\HKCU\Run Instant Access rundll32.exe EGDACCESS_1058.dll,InstantAccess
Shell\CommonStartup Adobe Gamma Loader.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
Shell\CommonStartup Microsoft Office.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
Shell\CommonStartup Symantec Fax Starter Edition Port.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk

I was able to scan the memory successfully

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:54:05 AM, 5/8/2005
+ Report-Checksum: 2CCFD093

+ Date of database: 5/8/2005
+ Version of scan engine: v3.0

+ Duration: 26 s
+ Scanned Files: 9
+ Speed: 0.34 Files/Second
+ Infected files: 3
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 3

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
Memory

+ Scan result:
C:\WINDOWS\system32\hrl2053oe.dll / PID: 240 -> Spyware.Look2Me.ab -> Error during cleaning
C:\WINDOWS\system32\iertrmgr.dll / PID: 768 -> Spyware.Look2Me.ab -> Error during cleaning
C:\WINDOWS\system32\iertrmgr.dll / PID: 844 -> Spyware.Look2Me.ab -> Error during cleaning


::Report End


---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------

+ Created on: 5:20:59 PM, 5/8/2005
+ Report-Checksum: 69A48FF9

0: System Process
4: System Process
404: C:\Program Files\Symantec AntiVirus\Rtvscan.exe
428: System Process
460: C:\WINDOWS\System32\MsPMSPSv.exe
480: C:\Program Files\ewido\security suite\ewidoguard.exe
604: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
736: C:\WINDOWS\Explorer.EXE
892: \SystemRoot\System32\smss.exe
944: System Process
968: \??\C:\WINDOWS\system32\winlogon.exe
1016: C:\WINDOWS\system32\services.exe
1028: C:\WINDOWS\system32\lsass.exe
1192: C:\WINDOWS\system32\svchost.exe
1240: System Process
1364: C:\WINDOWS\System32\svchost.exe
1400: C:\WINDOWS\system32\rundll32.exe
1444: System Process
1560: System Process
1708: C:\WINDOWS\system32\spoolsv.exe
1800: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1820: C:\WINDOWS\System32\CTsvcCDA.exe
1836: C:\Program Files\Symantec AntiVirus\DefWatch.exe
1872: C:\Program Files\ewido\security suite\ewidoctrl.exe
1948: C:\WINDOWS\System32\nvsvc32.exe
1964: C:\Program Files\Symantec AntiVirus\SavRoam.exe
2036: C:\WINDOWS\System32\svchost.exe
2336: C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
2424: C:\Program Files\Microsoft Office\Office\WINWORD.EXE
2588: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
2604: C:\WINDOWS\BCMSMMSG.exe
2628: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
2636: C:\Program Files\QuickTime\qttask.exe
2656: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2692: C:\PROGRA~1\SYMANT~1\VPTray.exe
2704: C:\WINDOWS\system32\X1002142005.exe
2852: C:\WINDOWS\system32\wowtsn32.exe
2968: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
3120: C:\WINDOWS\system32\RUNDLL32.EXE
3204: C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
3328: C:\WINDOWS\msagent\AgentSvr.exe
3448: C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
3488: C:\Program Files\Messenger\msmsgs.exe
3808: C:\Program Files\Microsoft Office\Office\WINWORD.EXE
4088: C:\Program Files\ewido\security suite\securitysuite.exe

And here's the HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 12:55:39 AM, on 5/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Josh\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2sea...sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [rtbcxees] C:\WINDOWS\xmsqbdxa.exe
O4 - HKLM\..\Run: [MXEPAKUCM] C:\WINDOWS\MXEPAKUCM.exe
O4 - HKLM\..\Run: [MWEO] C:\WINDOWS\MWEO.exe
O4 - HKLM\..\Run: [JUBM] C:\WINDOWS\JUBM.exe
O4 - HKLM\..\Run: [JTBO] C:\WINDOWS\JTBO.exe
O4 - HKLM\..\Run: [t] C:\WINDOWS\System32\uagnek.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Visual Element Fx] C:\WINDOWS\system32\X1002142005.exe
O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Josh\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [djxbnj] c:\windows\system32\djxbnj.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [jqzruepk] c:\windows\system32\jqzruepk.exe -start
O4 - HKLM\..\Run: [G3] C:\WINDOWS\system32\GSMedia3.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ewxqRgf7l] wowtsn32.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZCxdm231YYUS
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\cffgnt.dll (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\hrl2053oe.dll
O21 - SSODL: NTDBGTOOL - {934B0500-F563-48A6-9353-E57BCB61AE76} - C:\WINDOWS\system32\dssercp.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

I'm still getting the pop-ups... and the firewall is still down and unreachable.

It's getting better though!! Thanks.
  • 0

#12
ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
We still have some work to do.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2sea...sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [rtbcxees] C:\WINDOWS\xmsqbdxa.exe
O4 - HKLM\..\Run: [MXEPAKUCM] C:\WINDOWS\MXEPAKUCM.exe
O4 - HKLM\..\Run: [MWEO] C:\WINDOWS\MWEO.exe
O4 - HKLM\..\Run: [JUBM] C:\WINDOWS\JUBM.exe
O4 - HKLM\..\Run: [JTBO] C:\WINDOWS\JTBO.exe
O4 - HKLM\..\Run: [t] C:\WINDOWS\System32\uagnek.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [Visual Element Fx] C:\WINDOWS\system32\X1002142005.exe
O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Josh\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [djxbnj] c:\windows\system32\djxbnj.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [jqzruepk] c:\windows\system32\jqzruepk.exe -start
O4 - HKLM\..\Run: [G3] C:\WINDOWS\system32\GSMedia3.exe
O4 - HKCU\..\Run: [ewxqRgf7l] wowtsn32.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZCxdm231YYUS
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\cffgnt.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please delete these folders using Windows Explorer (if present):

C:\Program Files\Ebates_MoeMoneyMaker

Please delete these files using Windows Explorer (if present):

C:\WINDOWS\xmsqbdxa.exe
C:\WINDOWS\MXEPAKUCM.exe
C:\WINDOWS\MWEO.exe
C:\WINDOWS\JUBM.exe
C:\WINDOWS\JTBO.exe
C:\WINDOWS\System32\uagnek.exe
C:\WINDOWS\av.exe
C:\WINDOWS\system32\X1002142005.exe
C:\WINDOWS\system32\SVCHOSTA.EXE
C:\Program Files\Bpt\bpt.exe
C:\DOCUME~1\Josh\LOCALS~1\Temp\27.exe\27.exe
c:\windows\system32\djxbnj.exe
C:\WINDOWS\cfgmgr51.dll,DllRun
c:\windows\system32\jqzruepk.exe -start
C:\WINDOWS\system32\GSMedia3.exe
C:\WINDOWS\system32\wowtsn32.exe

After that, Reboot.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

ScHwErV :tazz:
  • 0
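As an added example (not part of the thread, and not code from HijackThis, ewido or L2mfix), the Python script below mechanises the kind of log review ScHwErV just did by hand: it parses the R0/R1, O4, O18 and O20 lines of a HijackThis v1.99 log and says why each flagged entry deserves a look. The sample lines are a subset of the log posted above; the heuristics (bare file names resolved through the search path, programs launched from a user Temp directory, an svchost look-alike, files dropped straight into C:\WINDOWS, consonant-heavy random names, hijacked search settings, and hooks whose file is gone) are my assumptions for illustration. A hit is a lead to verify, not a verdict, and the naming test is deliberately strict: it lets NvCpl and VPTray through, but it also misses hrl2053oe.dll, which only the ewido scan identified, so the script complements a human review rather than replacing it.

```python
"""Triage helper for HijackThis-style logs (added example; heuristics are assumptions)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2sea...sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [rtbcxees] C:\WINDOWS\xmsqbdxa.exe
O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Josh\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [djxbnj] c:\windows\system32\djxbnj.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKCU\..\Run: [ewxqRgf7l] wowtsn32.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\cffgnt.dll (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\hrl2053oe.dll
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^[^,]+,(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
# IE search-related values HijackThis reports under R0/R1; Start Page is left alone.
SEARCH_VALUES = {"searchurl", "searchassistant", "search page", "search bar", "default_search_url"}
VOWELS = set("aeiou")
REAL_SVCHOST = "c:\\windows\\system32\\svchost.exe"


@dataclass
class Finding:
    code: str                      # HijackThis section code, e.g. "O4"
    text: str                      # the original log line
    reasons: list = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Crude test for generated names: 6+ letters with almost no vowels (assumed threshold)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 6 and sum(c in VOWELS for c in letters) / len(letters) <= 0.15


def image_path(cmd: str) -> str:
    """Return the file a Run command really launches; for rundll32 that is the DLL."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        first, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        first, _, rest = cmd.partition(" ")
        rest = rest.strip()
    if first.rsplit("\\", 1)[-1].lower() == "rundll32.exe" and rest:
        return rest.split(None, 1)[0].split(",", 1)[0]
    return first


def check_o4(body: str) -> list:
    m = O4_RE.match(body)
    if not m:
        return []
    name, image = m.group("name"), image_path(m.group("cmd"))
    low, base = image.lower(), image.rsplit("\\", 1)[-1]
    reasons = []
    if "\\" not in image:
        reasons.append("bare file name: resolved through the search path at logon")
    if "\\temp\\" in low:
        reasons.append("launched from a user temp directory")
    if base.lower().startswith("svchost") and low != REAL_SVCHOST:
        reasons.append("name imitates svchost.exe but is not the system binary")
    if low.startswith("c:\\windows\\") and low.count("\\") == 2:
        reasons.append("file sits directly in the Windows directory")
    if looks_random(base.rsplit(".", 1)[0]):
        reasons.append(f"random-looking file name {base!r}")
    if looks_random(name):
        reasons.append(f"random-looking value name {name!r}")
    return reasons


def check_r(body: str) -> list:
    m = R_RE.match(body)
    if not m:
        return []
    value, data = m.group("value").strip(), m.group("data").strip()
    return [f"search setting {value!r} redirected to {data!r}"] if value.lower() in SEARCH_VALUES and data else []


def check_dangling(body: str) -> list:
    """O18/O20 hooks whose target is gone are leftovers of a removed component."""
    return ["entry points at a file that no longer exists"] if "(file missing)" in body or "(no file)" in body else []


def triage(log_text: str) -> list:
    """Return a Finding for every log line that trips at least one heuristic."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        checks = {"R0": check_r, "R1": check_r, "O4": check_o4, "O18": check_dangling, "O20": check_dangling}
        reasons = checks[code](body) if code in checks else []
        if reasons:
            findings.append(Finding(code, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.text}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run it as a script to print the report for the embedded sample, or import `triage()` and feed it a complete log. The thresholds in `looks_random` were chosen so the vendor names in this log pass; on another machine expect false positives and either adjust them or add an allowlist of known-good paths before acting on any finding.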

#13
windrider72

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Well, thanks ScHwErV for all your help these last couple months... but I just didn't want to deal w/ it anymore so I got my neighbor over here to help me.... He took it in to his work and got all the viruses/spyware out and rebooted the firewall... well really we rebooted the whole system.... idk but it's all better now... so I won't be writing back w/ any more questions.. at least for a while..... Thank you so much again for your time!!
Talk to you later... hopefully not....lol
Josh
  • 0

#14
ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
