Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Just need help with malware... [CLOSED]

Started by happytoxin , Apr 25 2005 06:10 PM

  • This topic is locked This topic is locked

#1
happytoxin
Posted 25 April 2005 - 06:10 PM

happytoxin

    New Member

  • Member
  • Pip
  • 7 posts
Malware is taking over my computer. :\ It's bad enough now that it's causing software conflicts and my computer randomly BoD's. (And I didn't even know XP COULD bluescreen!)

I've run Adaware, both in Regular and SafeMode. I've also run CCleaner and all that other good stuff..

So here's my log.

Logfile of HijackThis v1.99.1
Scan saved at 8:08:42 PM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\gilomem\scdkdna.exe
C:\WINDOWS\System32\dvtrcgu\jdghmtkw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\atwtusb.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\gcsyvh\fqdk.exe
C:\WINDOWS\System32\pylo\bylluj.exe
C:\WINDOWS\System32\gvdfh\smoaihkg.exe
C:\WINDOWS\System32\rkdw\ykgvb.exe
C:\WINDOWS\System32\qveqsqut\iimjjw.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\WINDOWS\System32\aduj\bjnjx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Documents and Settings\OHDELA\Desktop\WINZIP\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\OHDELA\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: (no name) - {6BEBC216-8B37-03A6-A7DB-664B2604A733} - C:\WINDOWS\System32\qsfdcwxl\yymfrevh.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [tajsodks] C:\WINDOWS\System32\ocwuylgw\tajsodks.exe
O4 - HKLM\..\Run: [jjsock] C:\WINDOWS\System32\rgkak\jjsock.exe
O4 - HKLM\..\Run: [gklyaufd] C:\WINDOWS\System32\gulpkehq\gklyaufd.exe
O4 - HKLM\..\Run: [gwacvi] C:\WINDOWS\System32\ybomu\gwacvi.exe
O4 - HKLM\..\Run: [oxytl] C:\WINDOWS\System32\gufeilbg\oxytl.exe
O4 - HKLM\..\Run: [jiicsx] C:\WINDOWS\System32\edby\jiicsx.exe
O4 - HKLM\..\Run: [yxijxp] C:\WINDOWS\System32\xdni\yxijxp.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\TOXIE~1.OHD\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [lcxajxvd] C:\WINDOWS\System32\tthoa\lcxajxvd.exe
O4 - HKLM\..\Run: [nhgwxb] C:\WINDOWS\System32\crnyurm\nhgwxb.exe
O4 - HKLM\..\Run: [leqmtai] C:\WINDOWS\System32\onqqnhr\leqmtai.exe
O4 - HKLM\..\Run: [ykgvb] C:\WINDOWS\System32\rkdw\ykgvb.exe
O4 - HKLM\..\Run: [njaynpd] C:\WINDOWS\System32\xwgmow\njaynpd.exe
O4 - HKLM\..\Run: [iimjjw] C:\WINDOWS\System32\qveqsqut\iimjjw.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\OHDELA\LOCALS~1\Temp\jehc.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [smoaihkg] C:\WINDOWS\System32\gvdfh\smoaihkg.exe
O4 - HKLM\..\Run: [scdkdna] C:\WINDOWS\System32\gilomem\scdkdna.exe
O4 - HKLM\..\Run: [oftul] C:\WINDOWS\System32\rops\oftul.exe
O4 - HKLM\..\Run: [jdghmtkw] C:\WINDOWS\System32\dvtrcgu\jdghmtkw.exe
O4 - HKLM\..\Run: [bylluj] C:\WINDOWS\System32\pylo\bylluj.exe
O4 - HKLM\..\Run: [fqdk] C:\WINDOWS\System32\gcsyvh\fqdk.exe
O4 - HKLM\..\Run: [bjnjx] C:\WINDOWS\System32\aduj\bjnjx.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [elvljbol] C:\WINDOWS\System32\xltg\elvljbol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - HKCU\..\Run: [YB0FRRY5R] chkidctl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Documents and Settings\OHDELA\Desktop\WINZIP\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtange...y/ea/wtinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55FE720F-2073-4EFC-B260-25F1CAF4B3F1}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{886616C7-1029-49B4-AA89-46F683CA715C}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CCS\Services\Tcpip\..\{F876AEE2-4018-45CC-828C-F99F85EE4146}: NameServer = 192.168.1.1,0.0.0.0
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: elvljbolxltg - Unknown owner - C:\WINDOWS\System32\xltg\elvljbol.exe
O23 - Service: gklyaufdgulpkehq - Unknown owner - C:\WINDOWS\System32\gulpkehq\gklyaufd.exe
O23 - Service: jdghmtkwdvtrcgu - Unknown owner - C:\WINDOWS\System32\dvtrcgu\jdghmtkw.exe
O23 - Service: jjsockrgkak - Unknown owner - C:\WINDOWS\System32\rgkak\jjsock.exe
O23 - Service: lcxajxvdtthoa - Unknown owner - C:\WINDOWS\System32\tthoa\lcxajxvd.exe
O23 - Service: mukrbdainiehs - Unknown owner - C:\WINDOWS\System32\niehs\mukrbdai.exe (file missing)
O23 - Service: nhgwxbcrnyurm - Unknown owner - C:\WINDOWS\System32\crnyurm\nhgwxb.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: rldnfbwsmaxkq - Unknown owner - C:\WINDOWS\System32\maxkq\rldnfbws.exe (file missing)
O23 - Service: scdkdnagilomem - Unknown owner - C:\WINDOWS\System32\gilomem\scdkdna.exe
O23 - Service: tajsodksocwuylgw - Unknown owner - C:\WINDOWS\System32\ocwuylgw\tajsodks.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)


Thank you in advance for all of your help. I really appreciate it. =]
  • 0

Advertisements

#2
greyknight17
Posted 25 April 2005 - 10:09 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

LOL. Yes, even XP has the blue screen problem, just not when it's due to a program crashing. XP has blue screens usually when there is some conflict (software/hardware).

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoft...ucts/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Don't run it yet.

Download KillBox http://www.greyknigh...spy/KillBox.exe. But don't run it yet.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\System32\gilomem\scdkdna.exe
C:\WINDOWS\System32\dvtrcgu\jdghmtkw.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\gcsyvh\fqdk.exe
C:\WINDOWS\System32\pylo\bylluj.exe
C:\WINDOWS\System32\gvdfh\smoaihkg.exe
C:\WINDOWS\System32\rkdw\ykgvb.exe
C:\WINDOWS\System32\qveqsqut\iimjjw.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\WINDOWS\System32\aduj\bjnjx.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Messenger Plus - did you install the sponsor program that came with Messenger Plus? If you didn't, then you may ignore the below fixes.

WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: (no name) - {6BEBC216-8B37-03A6-A7DB-664B2604A733} - C:\WINDOWS\System32\qsfdcwxl\yymfrevh.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [tajsodks] C:\WINDOWS\System32\ocwuylgw\tajsodks.exe
O4 - HKLM\..\Run: [jjsock] C:\WINDOWS\System32\rgkak\jjsock.exe
O4 - HKLM\..\Run: [gklyaufd] C:\WINDOWS\System32\gulpkehq\gklyaufd.exe
O4 - HKLM\..\Run: [gwacvi] C:\WINDOWS\System32\ybomu\gwacvi.exe
O4 - HKLM\..\Run: [oxytl] C:\WINDOWS\System32\gufeilbg\oxytl.exe
O4 - HKLM\..\Run: [jiicsx] C:\WINDOWS\System32\edby\jiicsx.exe
O4 - HKLM\..\Run: [yxijxp] C:\WINDOWS\System32\xdni\yxijxp.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\TOXIE~1.OHD\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [lcxajxvd] C:\WINDOWS\System32\tthoa\lcxajxvd.exe
O4 - HKLM\..\Run: [nhgwxb] C:\WINDOWS\System32\crnyurm\nhgwxb.exe
O4 - HKLM\..\Run: [leqmtai] C:\WINDOWS\System32\onqqnhr\leqmtai.exe
O4 - HKLM\..\Run: [ykgvb] C:\WINDOWS\System32\rkdw\ykgvb.exe
O4 - HKLM\..\Run: [njaynpd] C:\WINDOWS\System32\xwgmow\njaynpd.exe
O4 - HKLM\..\Run: [iimjjw] C:\WINDOWS\System32\qveqsqut\iimjjw.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\OHDELA\LOCALS~1\Temp\jehc.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [smoaihkg] C:\WINDOWS\System32\gvdfh\smoaihkg.exe
O4 - HKLM\..\Run: [scdkdna] C:\WINDOWS\System32\gilomem\scdkdna.exe
O4 - HKLM\..\Run: [oftul] C:\WINDOWS\System32\rops\oftul.exe
O4 - HKLM\..\Run: [jdghmtkw] C:\WINDOWS\System32\dvtrcgu\jdghmtkw.exe
O4 - HKLM\..\Run: [bylluj] C:\WINDOWS\System32\pylo\bylluj.exe
O4 - HKLM\..\Run: [fqdk] C:\WINDOWS\System32\gcsyvh\fqdk.exe
O4 - HKLM\..\Run: [bjnjx] C:\WINDOWS\System32\aduj\bjnjx.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [elvljbol] C:\WINDOWS\System32\xltg\elvljbol.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [YB0FRRY5R] chkidctl.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtange...y/ea/wtinst.cab
O23 - Service: elvljbolxltg - Unknown owner - C:\WINDOWS\System32\xltg\elvljbol.exe
O23 - Service: gklyaufdgulpkehq - Unknown owner - C:\WINDOWS\System32\gulpkehq\gklyaufd.exe
O23 - Service: jdghmtkwdvtrcgu - Unknown owner - C:\WINDOWS\System32\dvtrcgu\jdghmtkw.exe
O23 - Service: jjsockrgkak - Unknown owner - C:\WINDOWS\System32\rgkak\jjsock.exe
O23 - Service: lcxajxvdtthoa - Unknown owner - C:\WINDOWS\System32\tthoa\lcxajxvd.exe
O23 - Service: mukrbdainiehs - Unknown owner - C:\WINDOWS\System32\niehs\mukrbdai.exe (file missing)
O23 - Service: nhgwxbcrnyurm - Unknown owner - C:\WINDOWS\System32\crnyurm\nhgwxb.exe
O23 - Service: rldnfbwsmaxkq - Unknown owner - C:\WINDOWS\System32\maxkq\rldnfbws.exe (file missing)
O23 - Service: scdkdnagilomem - Unknown owner - C:\WINDOWS\System32\gilomem\scdkdna.exe
O23 - Service: tajsodksocwuylgw - Unknown owner - C:\WINDOWS\System32\ocwuylgw\tajsodks.exe

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Now I want you to copy everything below in bold (just right click and select copy), then go back to the KillBox program and go to File->Paste from Clipboard. Now hit the red circle with a white X all the way on the right. Click Yes to delete and No to reboot. We don't want to reboot yet.[b]

C:\Program Files\Bpt\
C:\Program Files\Messenger Plus! 3\
C:\Program Files\WildTangent\
C:\WINDOWS\farmmext.exe
C:\WINDOWS\farmmext.ini
C:\WINDOWS\System32\aduj\
C:\WINDOWS\System32\chkidctl.exe
C:\WINDOWS\System32\crnyurm\
C:\WINDOWS\System32\dvtrcgu\
C:\WINDOWS\System32\edby\jiicsx.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\gcsyvh\fqdk.exe
C:\WINDOWS\System32\gcsyvh\
C:\WINDOWS\System32\gilomem\
C:\WINDOWS\System32\gufeilbg\
C:\WINDOWS\System32\gulpkehq\
C:\WINDOWS\System32\gvdfh\
C:\WINDOWS\System32\maxkq\
C:\WINDOWS\System32\niehs\
C:\WINDOWS\System32\nsvsvc\
C:\WINDOWS\System32\nsvsvc\
C:\WINDOWS\System32\ocwuylgw\
C:\WINDOWS\System32\onqqnhr\
C:\WINDOWS\System32\pylo\
C:\WINDOWS\System32\qsfdcwxl\
C:\WINDOWS\System32\qveqsqut\
C:\WINDOWS\System32\rgkak\
C:\WINDOWS\System32\rkdw\
C:\WINDOWS\System32\rops\
C:\WINDOWS\System32\tthoa\
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\xdni\
C:\WINDOWS\System32\xltg\
C:\WINDOWS\System32\xwgmow\
C:\WINDOWS\System32\ybomu\

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.
  • 0

#3
happytoxin
Posted 26 April 2005 - 06:53 PM

happytoxin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank you for your help! I really do appreciate it.. ! =]

I followed your instructions.. and it seems to have helped quite a bit. However, there's a new kind of pop up now.. Aurora? They're in special looking browser windows, with their own logo in place of the IE document logo type.. thing..

Here's my new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 8:49:54 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\atwtusb.exe
C:\WINDOWS\System32\hmllhcp.exe
C:\windows\system32\lerlmts.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Documents and Settings\OHDELA\Desktop\WINZIP\WZQKPICK.EXE
C:\windows\system32\calc.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
c:\windows\system32\yqmrid.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\OHDELA\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\hmllhcp.exe
O4 - HKLM\..\Run: [lerlmts] c:\windows\system32\lerlmts.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mnrfoo] c:\windows\system32\yqmrid.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Documents and Settings\OHDELA\Desktop\WINZIP\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55FE720F-2073-4EFC-B260-25F1CAF4B3F1}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{886616C7-1029-49B4-AA89-46F683CA715C}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CCS\Services\Tcpip\..\{F876AEE2-4018-45CC-828C-F99F85EE4146}: NameServer = 192.168.1.1,0.0.0.0
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)
  • 0

#4
greyknight17
Posted 26 April 2005 - 11:47 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I know what you are referring to. OK, let's do this now:

Download ewido security suite from here http://www.ewido.net/en/download/

Update it’s database from here.. http://www.ewido.net...wnload/updates/
Run a scan and let it clean the PC. Post a new hijackthis log when complete.

**Note** DO NOT REBOOT THE PC During the removal process. If you do the filenames will change. So if you can't do this now, don't run Find It until you can leave the computer on.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
3. Then post the results here please, along with the new HijackThis log.
  • 0

#5
happytoxin
Posted 27 April 2005 - 06:37 PM

happytoxin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank you again. =]

Here is my Find.It's Log. I will try to keep my computer running until you reply, but that may be impossible, until I figure out what's causing the blue screen.. :\


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 04/27/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

* aurora C:\WINDOWS\OINZUFY.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\VHKVOPSS.EXE
* UPX! C:\WINDOWS\System32\VXLY.EXE
* UPX! C:\WINDOWS\IO2UNS.EXE
* UPX! C:\WINDOWS\NAIL.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE

* Sniffed C:\WINDOWS\System32\__DELE~1.DLL
»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 0CA8-6267

Directory of C:\WINDOWS\SYSTEM32

03/31/2005 04:56 PM <DIR> cache32_rtneg2
0 File(s) 0 bytes
1 Dir(s) 3,919,036,416 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 0CA8-6267

Directory of C:\WINDOWS\system32

03/31/2005 04:59 PM 4,286 greenmovie2313asaadsasfad.ico
03/31/2005 04:59 PM 4,286 mp3red51aads.ico
03/31/2005 04:59 PM 4,286 pop up blaster1232131.ico
03/31/2005 04:59 PM 2,238 red_kas1.ico
12/18/2002 05:45 PM 766 uninstall.ico
5 File(s) 15,862 bytes
0 Dir(s) 3,919,036,416 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}
<NO NAME> REG_SZ BolgerObj Class


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}
<NO NAME> REG_SZ IBolgerDllObj


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll


Here is the new HijackThis log file

Logfile of HijackThis v1.99.1
Scan saved at 8:23:26 PM, on 4/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Documents and Settings\OHDELA\Desktop\WINZIP\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Documents and Settings\OHDELA\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\hmllhcp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Documents and Settings\OHDELA\Desktop\WINZIP\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55FE720F-2073-4EFC-B260-25F1CAF4B3F1}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{886616C7-1029-49B4-AA89-46F683CA715C}: NameServer = 192.168.1.1,0.0.0.0
O17 - HKLM\System\CCS\Services\Tcpip\..\{F876AEE2-4018-45CC-828C-F99F85EE4146}: NameServer = 192.168.1.1,0.0.0.0
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)


Thank you!
  • 0

#6
greyknight17
Posted 28 April 2005 - 08:45 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Delete these files/folders:

C:\WINDOWS\OINZUFY.EXE
C:\WINDOWS\System32\VHKVOPSS.EXE
C:\WINDOWS\System32\VXLY.EXE
C:\WINDOWS\IO2UNS.EXE
C:\WINDOWS\System32\__DELE~1.DLL
c:\windows\svcproc.exe
c:\windows\Nail.exe
C:\WINDOWS\system32\cache32_rtneg2\
C:\WINDOWS\system32\greenmovie2313asaadsasfad.ico
C:\WINDOWS\system32\mp3red51aads.ico
C:\WINDOWS\system32\pop up blaster1232131.ico
C:\WINDOWS\system32\red_kas1.ico
C:\WINDOWS\system32\uninstall.ico
C:\WINDOWS\Bolger.dll
C:\WINDOWS\System32\hmllhcp.exe

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_CURRENT_USER\Software\ and delete aurora

HKEY_CURRENT_USER\Software\ and delete Bolger

HKEY_CLASSES_ROOT\ and delete BolgerDll.BolgerDllObj

HKEY_CLASSES_ROOT\CLSID\ and delete {302A3240-4805-4a34-97D7-1645A0B08410}

HKEY_CLASSES_ROOT\Interface\ and delete {BB0D5ADC-028D-4185-9288-722DDCE2C757}

HKEY_CLASSES_ROOT\TypeLib\ and delete {92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon Driver and delete DrPMon.dll

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon Driver and delete DrPMon.dll

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon Driver and delete DrPMon.dll

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\hmllhcp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.
  • 0

#7
greyknight17
Posted 20 June 2005 - 05:13 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP