
Nail.exe VX2



#1
subliminalmsgr

subliminalmsgr

    New Member

  • Member
  • Pip
  • 8 posts
I've used Ad-Aware, but after I restart (and if Ad-Aware doesn't crash), it comes right back. I disabled System Restore, but it still comes back. There is also a process that automatically renames itself with random letters when I close it. Please help!! Thanks!

here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:17:47 PM, on 4/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\cjvkjp.exe
C:\Program Files\sundisk\SandIcon.Exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
G:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\wuauclt.exe
G:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
G:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\taskmgr.exe
G:\hjt\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SandIcon] C:\Program Files\sundisk\SandIcon.Exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] G:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [shzkiij] c:\windows\system32\cjvkjp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.4.lnk = G:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd..._site.cab?1102732477106
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Are you still looking for help?

Post a new log.

Ron
  • 0

#3
subliminalmsgr

subliminalmsgr

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Yes, thank you. I was following along the "popups and spyware" thread by lilface1. I ran ewido and the report from that is attached at the end of this post. I am still having symptoms of the mouse freezing up for ~5 seconds every ~30 seconds and programs becoming Not Responding. Also, I have not been able to manually copy or move files on my G:\ drive and the Ewido scan became 10 times slower when scanning my G:\ (as opposed to C:\). All of this may mean I have a bad drive and not be malware related, but I'm just letting you know. Thanks.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:11:45 PM, on 4/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\sundisk\SandIcon.Exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
G:\hjt\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SandIcon] C:\Program Files\sundisk\SandIcon.Exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] G:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.4.lnk = G:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102732477106
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - G:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - G:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:48:47 PM, 4/21/2005
+ Report-Checksum: A949C465

+ Date of database: 4/21/2005
+ Version of scan engine: v3.0

+ Duration: 16 min
+ Scanned Files: 32822
+ Speed: 32.87 Files/Second
+ Infected files: 6
+ Removed files: 6
+ Files put in quarantine: 6
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
G:\

+ Scan result:
C:\Documents and Settings\eric j h wilson\Local Settings\Temporary Internet Files\Content.IE5\8PRQVBLI\Bolger[1].dll -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\auenlkr.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.b -> Cleaned with backup
C:\WINDOWS\system32\exul1.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINDOWS\__delete_on_reboot__Bolger.dll -> Spyware.BetterInternet -> Cleaned with backup


::Report End
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Looks like Ewido has got most of it for you already. All I see left to Check/Fix Checked are:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)

Since Ewido has eaten the bad files for you, there is nothing but registry entries left to remove, and unless there is something hiding from HijackThis, cleaning them should leave you with a clean system.

Turn System Restore back on. It's your friend. (AntiVirus companies hate it because it can hold on to viruses in its backups, but once you have a clean system it is easy just to toggle it off and on and clean up the backups that way.) Contrary to public opinion, it does not automatically restore files that are deleted. You have to tell it to restore to a previous time before it does anything. System File Checker does restore deleted files automatically, but it only does it with a select group of files, and it is hard for malware to get on its good list.


Ron
  • 0
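The cleanup in this thread turns on three kinds of HijackThis entries: the F2 Shell= override that launches Nail.exe with every logon, Run keys and services that point at randomly named executables (cjvkjp.exe, svcproc.exe), and the orphan registry entries marked "(file missing)" that Ron says are all that is left once ewido has removed the files. As an added example, not part of the original thread and not HijackThis's own code, the Python script below reads HijackThis-format lines (the sample entries are copied from the logs above, with SoundMan included as a benign control) and applies those three checks. The random-name test is my own heuristic and the severity labels are my assumptions, not anything HijackThis reports.

```python
import re

# Constructed sample: entries copied from the HijackThis logs posted in this
# thread, plus one ordinary entry (SoundMan) as a benign control.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\\WINDOWS\\Bolger.dll (file missing)
O4 - HKLM\\..\\Run: [SoundMan] soundman.exe
O4 - HKLM\\..\\Run: [shzkiij] c:\\windows\\system32\\cjvkjp.exe
O23 - Service: ISEXEng - Unknown owner - C:\\WINDOWS\\System32\\angelex.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
MODULE_RE = re.compile(r'([^\\/\s"]+)\.(?:exe|dll|ocx)\b', re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random(name):
    """Heuristic (my assumption, not a HijackThis rule): a name with no vowels
    at all, or with a run of four or more consonants and fewer than 30% vowels,
    is treated as generated, like 'cjvkjp' or 'shzkiij'."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio == 0 or (longest_run >= 4 and vowel_ratio < 0.3)


def module_basename(text):
    """Return the last .exe/.dll/.ocx file name in a string, without its
    extension, ignoring directories, quotes and trailing arguments."""
    found = MODULE_RE.findall(text)
    return found[-1] if found else ""


def analyze(log_text):
    """Classify HijackThis lines; returns a list of (severity, reason, line)."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "F2" and "Shell=" in body:
            # The system.ini Shell value should be exactly Explorer.exe; any
            # extra token is a program started at every logon. (Splits on
            # whitespace, so a path containing spaces would need quoting.)
            tokens = body.split("Shell=", 1)[1].split()
            extras = [t for t in tokens if t.lower() != "explorer.exe"]
            if extras:
                findings.append(("high", "shell hijack: " + ", ".join(extras), raw))
            continue
        if "(file missing)" in body:
            # Registry still points at a file that is gone: inert unless the
            # file is recreated, but it should still be removed.
            findings.append(("low", "orphan registry entry (file missing)", raw))
            continue
        if section in ("O4", "O23"):
            name = module_basename(body)
            if looks_random(name):
                findings.append(("medium", "random-looking executable name '%s'" % name, raw))
    return findings


def severity_counts(findings):
    """Tally findings by severity, e.g. {'high': 1, 'medium': 2, 'low': 2}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, reason, line in analyze(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (severity, reason, line))
```

Run as-is it reports five findings from the sample: the Nail.exe shell hijack as high, the two "(file missing)" leftovers as low, and the cjvkjp.exe and svcproc.exe entries as medium (ewido's report above identified svcproc.exe as Trojan.Stervis.b). The name heuristic is deliberately crude and will misfire on terse legitimate names, so treat a medium hit as a prompt to check the file's vendor and signature, not as a verdict.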

#5
subliminalmsgr

subliminalmsgr

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Ok, thank you Ron, looks like it's all taken care of. I am still having the mouse freeze up for ~5 seconds every ~30 seconds and programs become Not Responding, but now I know it isn't malware doing it...
thanks.
  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
I suspect you will soon be reinfected if what HijackThis tells me is correct. You appear to have XP without even Service Pack 1, and your Internet Explorer is also naked.

Make sure the firewall is on before you go on the internet then go straight to http://windowsupdate.microsoft.com. Let it Scan your system then hopefully they will offer you the security updates. They said something about needing XP1 in the very near future just to get updates so do it now! If you have a slow downlink I believe you can order the CDs for a nominal charge. (Or take your computer to a friend's house who has a fast link. We are talking about around 100 megabits of download here. Could take several nights at dialup speed if it even worked.)

You should probably also visit the support site for your PC and see if there are some new drivers available but do the windows stuff first.

After you get updated you can probably get a drive tester from the maker of the hard drive and it will tell you if the drive is sick.

There is also a bug in early XP that sets the drive to PIO and then it runs very slow. To enable DMA mode using the Device Manager:

1. Open Device Manager: Start, then right-click on My Computer and select Manage, then Device Manager.

2. Double-click IDE ATA/ATAPI Controllers to display the list of controllers and channels.

3. Right-click the icon for the channel to which the device is connected, select Properties, and then click the Advanced Settings tab.

4. In the Current Transfer Mode drop-down box, select "DMA if Available" if the current setting is "PIO Only."
If the drop-down box already shows "DMA if Available" but the current transfer mode is PIO, then the user must toggle the settings. That is:

• Change the selection from "DMA if Available" to "PIO Only", and click OK.

• Then repeat the steps above to change the selection to "DMA if Available".

Ron
  • 0

#7
subliminalmsgr

subliminalmsgr

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
It prompted me to download Service Pack 2, so I guess that means I already have Service Pack 1.

Service Pack 2 is now installed.

"You should probably also visit the support site for your PC and see if there are some new drivers available but do the windows stuff first."

-My PC was homemade, but I could get drivers for specific components...

I downloaded a diagnostic program, "Data Lifeguard TOOLS" from western digital. It found a problem with the drive, and luckily the warranty hasn't run out, so I put in an exchange request.

Device Manager had all channels on "DMA if available"

It is really strange how these "CPU Usage spikes" in the performance tab of Task Manager come and go...

Well, thanks for all of your help, Ron; I suppose you can call this thread "RESOLVED".
  • 0