
Hundreds of pop-ups and other problems [CLOSED]


This topic is locked.

#16
Justin (Member, 2,353 posts)
Wow.. Posted a reply to someone else's thread here. I will look at this tomorrow morning when I am awake.

Justin

Edited by Jfcap, 01 May 2005 - 12:58 AM.

#17
Justin (Member, 2,353 posts)
Lew,

Sorry for the delay, I tend to have lazy weekends of doing nothing, especially at the end of the school year. Let's try these fixes.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
REM Run this from Safe Mode so the adware's processes and service are not already loaded.
cd %windir%
REM Let Nail.exe run its own uninstall routine first.
Nail.exe /FULLREMOVE
REM Disable, stop and unregister the SvcProc service before touching its binary
REM (the space after "start=" is required by sc).
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so del is not refused.
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit


Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Reboot into normal Windows.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {6DF5F9EF-0C98-1C8C-F17F-85B1E70F1D25} - C:\WINDOWS\System32\dxfnqnmv\gnihncbe.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [072V38X] mse2_32.exe
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [mkkxmb] C:\WINDOWS\System32\yiwxp\mkkxmb.exe
O4 - HKLM\..\Run: [ldfew] C:\WINDOWS\System32\dvdxstx\ldfew.exe
O4 - HKLM\..\Run: [jipbb] C:\WINDOWS\System32\guodnt\jipbb.exe
O4 - HKLM\..\Run: [uauxag] C:\WINDOWS\System32\qxwfvtf\uauxag.exe
O4 - HKLM\..\Run: [bwcn] C:\WINDOWS\System32\amshkt\bwcn.exe
O4 - HKLM\..\Run: [hwfk] C:\WINDOWS\System32\xruoqg\hwfk.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O4 - HKLM\..\Run: [hshnin] C:\DOCUME~1\Owner\LOCALS~1\Temp\gnia.exe
O4 - HKLM\..\Run: [yjyagior] C:\WINDOWS\System32\dxdih\yjyagior.exe
O4 - HKLM\..\Run: [plhhg] C:\WINDOWS\System32\jiwquorx\plhhg.exe
O4 - HKLM\..\Run: [liss] C:\WINDOWS\System32\qxymh\liss.exe
O4 - HKLM\..\Run: [rdjuonu] C:\WINDOWS\System32\pngehor\rdjuonu.exe
O4 - HKLM\..\Run: [rjrfi] C:\WINDOWS\System32\equw\rjrfi.exe
O4 - HKLM\..\Run: [nbrc] C:\WINDOWS\System32\kljnmmw\nbrc.exe
O4 - HKLM\..\Run: [lesowjpq] C:\WINDOWS\System32\oosaccyk\lesowjpq.exe
O4 - HKLM\..\Run: [hgqkbi] C:\WINDOWS\System32\bwcandxy\hgqkbi.exe
O4 - HKLM\..\Run: [imxfats] C:\WINDOWS\System32\cvjafk\imxfats.exe
O4 - HKLM\..\Run: [reda] C:\WINDOWS\System32\bvdb\reda.exe
O4 - HKLM\..\Run: [cumgx] C:\WINDOWS\System32\wrunw\cumgx.exe
O4 - HKLM\..\Run: [bvayndap] C:\WINDOWS\System32\phbadd\bvayndap.exe
O4 - HKLM\..\Run: [aarnac] C:\WINDOWS\System32\ovdqww\aarnac.exe
O4 - HKLM\..\Run: [lqknbh] C:\WINDOWS\System32\aqacxjn\lqknbh.exe
O4 - HKLM\..\Run: [eirweub] C:\WINDOWS\System32\goyh\eirweub.exe
O4 - HKLM\..\Run: [hsuiskj] C:\WINDOWS\System32\urtpbue\hsuiskj.exe
O4 - HKLM\..\Run: [syeqnku] C:\WINDOWS\System32\dvwrdhh\syeqnku.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\wmmxxl.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [cinsrw] C:\WINDOWS\System32\smuno\cinsrw.exe
O4 - HKLM\..\Run: [GMedia2] C:\WINDOWS\System32\GSMedia3.exe
O4 - HKCU\..\Run: [instfunc] C:\WINDOWS\System32\instfunc.exe
O4 - HKCU\..\Run: [bs5pis] C:\WINDOWS\System32\bs5pis.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O23 - Service: aarnacovdqww - Unknown owner - C:\WINDOWS\System32\ovdqww\aarnac.exe (file missing)
O23 - Service: bvayndapphbadd - Unknown owner - C:\WINDOWS\System32\phbadd\bvayndap.exe
O23 - Service: flhmirkoffarct - Unknown owner - C:\WINDOWS\System32\ffarct\flhmirko.exe (file missing)
O23 - Service: greenstdSystem32 - Unknown owner - C:\WINDOWS\System32\greenstd.exe (file missing)
O23 - Service: hcajyqpwqcxmq - Unknown owner - C:\WINDOWS\System32\qpwqcxmq\hcajy.exe (file missing)
O23 - Service: jipbbguodnt - Unknown owner - C:\WINDOWS\System32\guodnt\jipbb.exe (file missing)
O23 - Service: ldfewdvdxstx - Unknown owner - C:\WINDOWS\System32\dvdxstx\ldfew.exe
O23 - Service: lissqxymh - Unknown owner - C:\WINDOWS\System32\qxymh\liss.exe
O23 - Service: nyoibbijcrr - Unknown owner - C:\WINDOWS\System32\bbijcrr\nyoi.exe (file missing)
O23 - Service: redabvdb - Unknown owner - C:\WINDOWS\System32\bvdb\reda.exe (file missing)
O23 - Service: rudokxjrpxc - Unknown owner - C:\WINDOWS\System32\xjrpxc\rudok.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: uauxagqxwfvtf - Unknown owner - C:\WINDOWS\System32\qxwfvtf\uauxag.exe (file missing)

Now close all windows other than HijackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs (if present) in the Control Panel:

MediaAccK.exe
ErrorGuard.Exe
xqm8vk65.exe

Please note any other programs that you don't recognize in that list in your next response.

Please delete these folders (if present) using Windows Explorer:

C:\Program Files\Media Access
C:\WINDOWS\System32\kljnmmw
C:\WINDOWS\System32\oosaccyk
C:\WINDOWS\System32\bwcandxy
C:\WINDOWS\System32\cvjafk
C:\WINDOWS\System32\bvdb
C:\WINDOWS\System32\wrunw
C:\WINDOWS\System32\phbadd
C:\WINDOWS\System32\ovdqww
C:\WINDOWS\System32\aqacxjn
C:\WINDOWS\System32\goyh
C:\WINDOWS\System32\urtpbue
C:\WINDOWS\System32\dvwrdhh
C:\WINDOWS\System32\dxdih
C:\WINDOWS\System32\jiwquorx
C:\WINDOWS\System32\qxymh
C:\WINDOWS\System32\pngehor
C:\WINDOWS\System32\equw
C:\WINDOWS\System32\dvdxstx
C:\WINDOWS\System32\guodnt
C:\WINDOWS\System32\qxwfvtf
C:\WINDOWS\System32\amshkt
C:\WINDOWS\System32\xruoqg
C:\Program Files\ErrorGuard
C:\Program Files\xqm8vk65

Please delete these files (if present) using Windows Explorer:

C:\windows\system32\elitefto32.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\gnia.exe
C:\WINDOWS\System32\wmmxxl.exe
C:\WINDOWS\System32\smuno\cinsrw.exe
C:\WINDOWS\System32\GSMedia3.exe
C:\WINDOWS\System32\instfunc.exe
C:\WINDOWS\System32\bs5pis.exe


These files you will need to manually search for. Click START --> SEARCH, then type in the name of the file, and delete it.

ALCXMNTR.EXE
mse2_32.exe

After that, Reboot.

Now post a fresh HijackThis log for me to look at.

Justin

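The triage Justin does by eye in the post above (and again in #20) follows a few recognizable rules: a Winlogon Shell= value that names anything beyond Explorer.exe, auto-start entries that live in a Temp folder or in a randomly named sub-folder of System32, services with no owner string or whose binary is already gone, and service names that are nothing more than the executable name glued to its folder name (aarnac + ovdqww = aarnacovdqww). The script below is an added example, not part of this thread and not HijackThis code; it parses a handful of lines copied from the logs in this thread (a constructed sample, not a full log), applies those rules to any HijackThis-format lines, and derives the same kind of "delete these folders" list. The short allowlist of legitimate System32 sub-folders is an assumption for illustration.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis logs in this thread, plus
# two NVIDIA vendor entries for contrast. Not a complete log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [aarnac] C:\WINDOWS\System32\ovdqww\aarnac.exe
O4 - HKLM\..\Run: [hshnin] C:\DOCUME~1\Owner\LOCALS~1\Temp\gnia.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: aarnacovdqww - Unknown owner - C:\WINDOWS\System32\ovdqww\aarnac.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
F2_RE = re.compile(r"^REG:system\.ini: Shell=(?P<shell>.*)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# Sub-folders of System32 that legitimately hold auto-started binaries (assumed allowlist).
SYSTEM32_ALLOW = {"drivers", "wbem", "spool", "dllcache"}


def exe_path(cmd):
    """First .exe on an O4 command line, quotes stripped (handles unquoted Program Files paths)."""
    m = re.match(r'\s*"?([^"]+?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.strip().split(" ", 1)[0]


def suspicious_location(path):
    """Why an auto-start path looks wrong, using the patterns seen in this thread."""
    parent, _ = ntpath.split(path.replace("/", "\\").lower())
    folder = ntpath.basename(parent)
    if "\\temp\\" in parent + "\\":
        return "runs from a Temp folder"
    if ntpath.basename(ntpath.dirname(parent)) == "system32" and folder not in SYSTEM32_ALLOW:
        return "runs from a sub-folder of System32 (%s)" % folder
    return None


def generated_service_name(display, path):
    """True when the service name is just <exe stem>+<parent folder>, the throwaway
    naming seen here (aarnac + ovdqww = aarnacovdqww)."""
    parent, base = ntpath.split(path.lower())
    return display.lower() == base.rsplit(".", 1)[0] + ntpath.basename(parent)


def triage(log_text):
    """Return one finding per HijackThis line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons, path = [], ""
        if section == "F2":
            f = F2_RE.match(body)
            if f and f.group("shell").strip().lower() != "explorer.exe":
                path = f.group("shell").strip().split(None, 1)[-1]
                reasons.append("Winlogon Shell= is not plain Explorer.exe")
        elif section == "O4":
            o = O4_RE.match(body)
            if o:
                path = exe_path(o.group("cmd"))
                why = suspicious_location(path)
                if why:
                    reasons.append(why)
        elif section == "O23":
            s = O23_RE.match(body)
            if s:
                path = s.group("path")
                if s.group("owner") == "Unknown owner":
                    reasons.append("service has no company/owner string")
                if s.group("missing"):
                    reasons.append("service binary is missing (orphaned registration)")
                if generated_service_name(s.group("display"), path):
                    reasons.append("service name is <exe>+<folder>, a generated name")
                why = suspicious_location(path)
                if why:
                    reasons.append(why)
        if reasons:
            findings.append({"section": section, "line": line, "path": path, "reasons": reasons})
    return findings


def folders_to_remove(findings):
    """The 'delete these folders' list: throwaway System32 sub-folders behind the findings."""
    out = set()
    for f in findings:
        parent = ntpath.dirname(f["path"])
        if (ntpath.basename(ntpath.dirname(parent)).lower() == "system32"
                and ntpath.basename(parent).lower() not in SYSTEM32_ALLOW):
            out.add(parent)
    return sorted(out)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(h["section"], "|", h["line"])
        for r in h["reasons"]:
            print("    -", r)
    print("folders to delete:", folders_to_remove(hits))
```

This is a heuristic, not a verdict: it does not catch a loose executable dropped straight into System32 (elitefto32.exe in this thread), which still needs a human eye or a file-reputation lookup, and a legitimate vendor who never set a company string will show up as "Unknown owner".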
#18
lew10281 (Topic Starter, Member, 48 posts)
I did mostly everything you said and the computer is working 10,000 percent better.

The files I didn't find were under:

Add/Remove:

xqm8vk65.exe

Windows Explorer (Folders):

C:\Program Files\Media Access

Windows Explorer (Files):

C:\DOCUME~1\Owner\LOCALS~1\Temp\gnia.exe
C:\WINDOWS\System32\wmmxxl.exe
C:\WINDOWS\System32\smuno\cinsrw.exe
C:\WINDOWS\System32\instfunc.exe
#19
lew10281 (Topic Starter, Member, 48 posts)
Logfile of HijackThis v1.99.1
Scan saved at 2:50:07 AM, on 5/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\huxwvhcb\frjk.exe
C:\WINDOWS\System32\mwdfrh\rgukljio.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avojara] C:\WINDOWS\System32\xvuvf\avojara.exe
O4 - HKLM\..\Run: [oghwfej] C:\WINDOWS\System32\lyhmni\oghwfej.exe
O4 - HKLM\..\Run: [ikukea] C:\WINDOWS\System32\stgsptfm\ikukea.exe
O4 - HKLM\..\Run: [kssfvoi] C:\WINDOWS\System32\mctgy\kssfvoi.exe
O4 - HKLM\..\Run: [rgukljio] C:\WINDOWS\System32\mwdfrh\rgukljio.exe
O4 - HKLM\..\Run: [frjk] C:\WINDOWS\System32\huxwvhcb\frjk.exe
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: fvmlrijedgo - Unknown owner - C:\WINDOWS\System32\jedgo\fvmlri.exe (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
#20
Justin (Member, 2,353 posts)
Lew,

That's ok if you did not find some of the files. I see a few things that are still there, let's get rid of them!

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Nail.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Let the system reboot.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
O4 - HKLM\..\Run: [avojara] C:\WINDOWS\System32\xvuvf\avojara.exe
O4 - HKLM\..\Run: [oghwfej] C:\WINDOWS\System32\lyhmni\oghwfej.exe
O4 - HKLM\..\Run: [ikukea] C:\WINDOWS\System32\stgsptfm\ikukea.exe
O4 - HKLM\..\Run: [kssfvoi] C:\WINDOWS\System32\mctgy\kssfvoi.exe
O4 - HKLM\..\Run: [rgukljio] C:\WINDOWS\System32\mwdfrh\rgukljio.exe
O4 - HKLM\..\Run: [frjk] C:\WINDOWS\System32\huxwvhcb\frjk.exe
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O23 - Service: fvmlrijedgo - Unknown owner - C:\WINDOWS\System32\jedgo\fvmlri.exe (file missing)

Now close all windows other than HijackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs (if present) in the Control Panel:

xqm8vk65.exe (Look one more time)

Please note any other programs that you don't recognize in that list in your next response.

Please delete these folders (if present) using Windows Explorer:

C:\WINDOWS\System32\xvuvf
C:\WINDOWS\System32\lyhmni
C:\WINDOWS\System32\stgsptfm
C:\WINDOWS\System32\mctgy
C:\WINDOWS\System32\mwdfrh
C:\WINDOWS\System32\huxwvhcb
C:\Program Files\xqm8vk65 (Look again)

Please delete these files (if present) using Windows Explorer:

C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe

After that, Reboot.

It's ok if you can't find the above, sometimes HijackThis will delete them.

Please post a new HijackThis log for me.

Justin

Edited by Jfcap, 02 May 2005 - 07:17 AM.


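Killbox's "Delete on Reboot" in the post above is not magic: on the Windows NT family it calls MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends a source/destination pair to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. An empty destination means delete, a destination starting with "!" means overwrite, and Session Manager works through the list early in the next boot, before Nail.exe can be started as the shell and lock itself. The code below is an added example, not Killbox's code and not from this thread; it builds and parses that value in pure Python so a queue can be inspected offline (worth doing in the other direction too, since adware uses the same value to remove security tools at boot), and the real Win32 call is included behind a platform check. C:\WINDOWS\Nail.exe is the path from this thread; the second sample path is made up.

```python
import sys

NT_PREFIX = "\\??\\"   # Session Manager expects NT native paths, e.g. \??\C:\WINDOWS\Nail.exe
REPLACE_FLAG = "!"     # leading "!" on the destination = MOVEFILE_REPLACE_EXISTING


def delete_entry(win32_path):
    """The pair MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) appends: source, empty destination."""
    return (NT_PREFIX + win32_path, "")


def rename_entry(src, dst, replace=False):
    """The pair for a delayed rename; replace=True overwrites an existing destination."""
    return (NT_PREFIX + src, (REPLACE_FLAG if replace else "") + NT_PREFIX + dst)


def encode_pending_ops(pairs):
    """Serialize pairs as the REG_MULTI_SZ blob stored in PendingFileRenameOperations:
    UTF-16LE, every string NUL-terminated, and one more NUL closing the list."""
    flat = []
    for src, dst in pairs:
        flat.extend((src, dst))
    return ("".join(s + "\0" for s in flat) + "\0").encode("utf-16-le")


def _win32(nt_path):
    """Strip the \\??\\ prefix for display."""
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path


def parse_pending_ops(blob):
    """Walk the blob the way Session Manager does: read a source, then a destination,
    and stop at the first empty source. An empty destination is a delete, a '!' prefix
    an overwrite. Note that a plain MULTI_SZ reader would stop at the first empty
    string and never see a queued delete, which is why this reads in pairs."""
    parts = blob.decode("utf-16-le").split("\0")
    ops = []
    i = 0
    while i + 1 < len(parts) and parts[i]:
        src, dst = parts[i], parts[i + 1]
        if dst == "":
            ops.append({"op": "delete", "src": _win32(src), "dst": None})
        elif dst.startswith(REPLACE_FLAG):
            ops.append({"op": "replace", "src": _win32(src), "dst": _win32(dst[1:])})
        else:
            ops.append({"op": "rename", "src": _win32(src), "dst": _win32(dst)})
        i += 2
    return ops


def queue_delete_on_reboot(win32_path):
    """The real call (what Killbox does). Needs Windows and administrator rights;
    MoveFileExW writes the registry value itself."""
    import ctypes
    MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if not ctypes.windll.kernel32.MoveFileExW(win32_path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()


if __name__ == "__main__":
    # Constructed queue: the file from this thread plus a made-up overwrite.
    blob = encode_pending_ops([
        delete_entry(r"C:\WINDOWS\Nail.exe"),
        rename_entry(r"C:\WINDOWS\Temp\new.dll", r"C:\WINDOWS\System32\old.dll", replace=True),
    ])
    for op in parse_pending_ops(blob):
        print(op)
    if sys.platform == "win32" and "--really" in sys.argv:
        queue_delete_on_reboot(r"C:\WINDOWS\Nail.exe")
```

To audit a real machine, export the value with regedit or reg.exe and feed the raw bytes to parse_pending_ops before rebooting; anything queued that you did not put there deserves a look.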
#21
lew10281 (Topic Starter, Member, 48 posts)
Could you explain 5 in more detail so I won't mess anything up?
#22
Justin (Member, 2,353 posts)
Sure Thing!

5) is worded oddly because it is designed to delete multiple files at once. What it is telling you to do is open up Notepad and copy all of the listed files, then go to Killbox and select paste from clipboard.

To make it easier,

Just highlight the text below, and copy it (CTRL-C)

C:\WINDOWS\Nail.exe


Then go into Killbox and go to the file menu and choose paste from clipboard.

Let me know if you have any other questions,


Justin
#23
lew10281 (Topic Starter, Member, 48 posts)
Sorry, I was out of town. I'll do this next step ASAP.
#24
Justin (Member, 2,353 posts)
Lew,

No rush at all. Take your time =)

Justin
#25
lew10281 (Topic Starter, Member, 48 posts)
Hey JF.

Some girl sent some message through AIM. It probably was a virus. Me being stupid, I clicked on it and it must have saved something on the computer. Now when I'm on AIM, it will go through my entire buddy list and send everyone that's online that message I got.

And since I downloaded it, in my C: drive there are some programs called

adinstallwin32
omg
stcupdt

Also something called HuntBar browser is trying to install but Microsoft AntiSpyware is blocking it from installing. Sorry for the trouble.

Here is a new HijackThis log:



Logfile of HijackThis v1.99.1
Scan saved at 12:02:58 AM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\mctgy\kssfvoi.exe
C:\WINDOWS\System32\mwdfrh\rgukljio.exe
C:\WINDOWS\System32\huxwvhcb\frjk.exe
C:\WINDOWS\userint32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\obwuahe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\a23jla97.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\winmgc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
c:\windows\system32\jdwnlu.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\omg.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50245
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avojara] C:\WINDOWS\System32\xvuvf\avojara.exe
O4 - HKLM\..\Run: [oghwfej] C:\WINDOWS\System32\lyhmni\oghwfej.exe
O4 - HKLM\..\Run: [ikukea] C:\WINDOWS\System32\stgsptfm\ikukea.exe
O4 - HKLM\..\Run: [kssfvoi] C:\WINDOWS\System32\mctgy\kssfvoi.exe
O4 - HKLM\..\Run: [rgukljio] C:\WINDOWS\System32\mwdfrh\rgukljio.exe
O4 - HKLM\..\Run: [frjk] C:\WINDOWS\System32\huxwvhcb\frjk.exe
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [ARtI7] C:\WINDOWS\obwuahe.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [a23jla97] C:\WINDOWS\System32\a23jla97.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [eTunnel] C:\omg.exe
O4 - HKLM\..\Run: [pozynk] c:\windows\system32\jdwnlu.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: fvmlrijedgo - Unknown owner - C:\WINDOWS\System32\jedgo\fvmlri.exe (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: Windows Management Construct (winmgmc) - Unknown owner - C:\WINDOWS\winmgc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
#26
Justin (Member, 2,353 posts)
Lew,

Let's try to get rid of the AIM bug first.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)


Please save the logs from the scans and post them with your next reply. Also post a new HijackThis log.

Thanks

Justin
#27
lew10281 (Topic Starter, Member, 48 posts)
I ran Ad-Aware SE so it looks like the bug is gone. So can you help me get this stuff off of my registry?

#28 Justin
Lew,

There are a lot of things in your log, so let's fix them with HiJackThis.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50245
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
O4 - HKLM\..\Run: [avojara] C:\WINDOWS\System32\xvuvf\avojara.exe
O4 - HKLM\..\Run: [oghwfej] C:\WINDOWS\System32\lyhmni\oghwfej.exe
O4 - HKLM\..\Run: [ikukea] C:\WINDOWS\System32\stgsptfm\ikukea.exe
O4 - HKLM\..\Run: [kssfvoi] C:\WINDOWS\System32\mctgy\kssfvoi.exe
O4 - HKLM\..\Run: [rgukljio] C:\WINDOWS\System32\mwdfrh\rgukljio.exe
O4 - HKLM\..\Run: [frjk] C:\WINDOWS\System32\huxwvhcb\frjk.exe
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O4 - HKLM\..\Run: [ARtI7] C:\WINDOWS\obwuahe.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [a23jla97] C:\WINDOWS\System32\a23jla97.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [eTunnel] C:\omg.exe
O4 - HKLM\..\Run: [pozynk] c:\windows\system32\jdwnlu.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O23 - Service: fvmlrijedgo - Unknown owner - C:\WINDOWS\System32\jedgo\fvmlri.exe (file missing)
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs (if present) in the Control Panel:

powerscan.exe
istsvc.exe
MediaAccess.exe
MediaAccK.exe
PIB.exe
bargains.exe
xqm8vk65.exe

Please note any other programs that you don't recognize in that list in your next response.

Please delete these folders (if present) using Windows Explorer:

C:\Program Files\ISTsvc
C:\Program Files\Common Files\WinTools
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\Media Access
C:\Program Files\Media Access
C:\Program Files\BullsEye Network
C:\WINDOWS\System32\xvuvf
C:\WINDOWS\System32\lyhmni
C:\WINDOWS\System32\stgsptfm
C:\WINDOWS\System32\mctgy
C:\WINDOWS\System32\mwdfrh
C:\WINDOWS\System32\huxwvhcb
C:\Program Files\xqm8vk65
C:\Program Files\Power Scan

Please delete these files (if present) using Windows Explorer:

C:\windows\system32\elitefto32.exe
C:\WINDOWS\obwuahe.exe
C:\WINDOWS\System32\a23jla97.exe
C:\omg.exe
c:\windows\system32\jdwnlu.exe

After that, Reboot.

Please post a new HiJackThis log for me to look at.

Justin

#29 lew10281 (Topic Starter)
In Add/Remove I saw suspicious activity like

Select Cashback
Internet Optimizer
Internet offers

In Folders

I saw C:\Program Files\ISTBar, not \ISTsvc

C:\PROGRA~1\Toolbar\TBPS.exe - couldn't delete it; it was in use

New HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 2:38:52 AM, on 5/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\userint32.exe
c:\windows\system32\omjzxku.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
c:\program files\180solutions\sais.exe
c:\documents and settings\owner\local settings\temp\2aJ.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\eliext.exe
C:\WINDOWS\System32\ersctr.exe
C:\ezStub.exe
c:\windows\system32\hHg.exe
c:\windows\system32\weS.exe
C:\WINDOWS\eZinstall.exe
C:\WINDOWS\system32\weS.exe
C:\PROGRA~1\eZula\mmod.exe
C:\WINDOWS\System32\NwgIc08.exe
C:\WINDOWS\System32\Xszv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\woinstall.exe
C:\PROGRA~1\WEBOFF~1\wo.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ejwnor] C:\WINDOWS\ejwnor.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [ssjhhbi] c:\windows\system32\omjzxku.exe
O4 - HKLM\..\Run: [2aJ] c:\documents and settings\owner\local settings\temp\2aJ.exe
O4 - HKLM\..\Run: [072V38X] ersctr.exe
O4 - HKLM\..\Run: [hHg] c:\windows\system32\hHg.exe
O4 - HKLM\..\Run: [weS.exe] c:\windows\system32\weS.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\KtrA.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Hwt9RUbsl] eliext.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\ezStub.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: Windows Management Construct (winmgmc) - Unknown owner - C:\WINDOWS\winmgc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

#30 Justin
Lew,

A lot of things showed up since your last log, so let's try to get them.

In Add/Remove Programs you can remove:

Select Cashback
Internet Optimizer
Internet offers


Then,

Please run Notepad and copy the following text into a new file:

@ECHO OFF
REM Run Nail.exe's own full-remove switch from the Windows directory
cd %windir%
Nail.exe /FULLREMOVE
REM Disable, stop and unregister the "System Startup Service" (SvcProc) seen in the O23 line
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so the files can be deleted
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
REM Same for the DLL left in System32
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit


Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Reboot normally.

Next, go here and download Sophos AntiVirus. Select the info that is appropriate for your system and download the evaluation version.

Then go here for information on how to remove worms. (This will remove the worm you got from AOL)

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ejwnor] C:\WINDOWS\ejwnor.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [ssjhhbi] c:\windows\system32\omjzxku.exe
O4 - HKLM\..\Run: [2aJ] c:\documents and settings\owner\local settings\temp\2aJ.exe
O4 - HKLM\..\Run: [hHg] c:\windows\system32\hHg.exe
O4 - HKLM\..\Run: [weS.exe] c:\windows\system32\weS.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\ezStub.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs (if present) in the Control Panel:

wo.exe
TBPS.exe
PIB.exe
optimize.exe
TBPSSvc.exe
CxtPls.exe
WToolsA.exe
sais.exe
mmod.exe
AutoUpdate.exe

Please note any other programs that you don't recognize in that list in your next response.

Please delete these folders (if present) using Windows Explorer:

C:\Program Files\Web Offer
C:\Program Files\Toolbar
C:\Program Files\Internet Optimizer
C:\Program Files\Common Files\WinTools
c:\program files\180solutions
C:\Program Files\eZula
C:\Program Files\AutoUpdate
C:\Program Files\CxtPls

Please delete these files (if present) using Windows Explorer:


C:\WINDOWS\ejwnor.exe
c:\windows\system32\omjzxku.exe
c:\documents and settings\owner\local settings\temp\2aJ.exe
c:\windows\system32\hHg.exe
c:\windows\system32\weS.exe
C:\ezStub.exe


After that, Reboot.

Then post a fresh HiJackThis log for me.

Justin

Edited by Jfcap, 15 May 2005 - 09:18 PM.
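As an added example (not part of this thread and not code from the HijackThis tool), here is a small Python triage script that applies the same rules of thumb Justin uses when he reads these logs: O23 services with "Unknown owner" or "(file missing)", O4 autoruns that launch from a Temp directory or give only a bare file name, unnamed O2 BHOs, O15 Trusted Zone additions, O1 Hosts lines that point a host somewhere other than loopback, and an F2 Shell value with something appended after Explorer.exe. The sample lines are copied from the log above; the heuristics are my own and assume one entry per line in plain text.

```python
import re

# Constructed sample: a subset of the HijackThis lines quoted in this thread,
# embedded so the script runs offline (assumption: plain text, one entry per line).
SAMPLE_LOG = r"""
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [2aJ] c:\documents and settings\owner\local settings\temp\2aJ.exe
O4 - HKLM\..\Run: [072V38X] ersctr.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
"""

SECTION_RE = re.compile(r"^([RFO]\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")

def _check(section, body):
    """Yield a reason for each heuristic the entry trips (my rules of thumb, not HijackThis verdicts)."""
    if section == "O1" and body.startswith("Hosts:"):
        parts = body[len("Hosts:"):].split()
        if len(parts) >= 2 and parts[0] not in ("127.0.0.1", "::1"):
            yield f"hosts entry redirects {parts[1]} to {parts[0]}"
    elif section == "O2" and "(no name)" in body:
        yield "BHO registered with no name"
    elif section == "O4":
        m = RUN_RE.match(body)
        parts = m.group(4).split() if m else []
        if parts and ("\\temp\\" in m.group(4).lower() or "local settings" in m.group(4).lower()):
            yield "autorun launched from a Temp directory"
        elif parts and "\\" not in parts[0]:
            yield "autorun gives a bare file name, resolved through PATH"
    elif section == "O15":
        yield "site added to the IE Trusted Zone"
    elif section == "O23":
        if "Unknown owner" in body:
            yield "service binary has no publisher (Unknown owner)"
        if "(file missing)" in body:
            yield "service points at a missing file (stale registration)"
    elif section == "F2" and "Shell=" in body:
        if body.split("Shell=", 1)[1].split() != ["Explorer.exe"]:
            yield "extra program appended to the Winlogon Shell value"

def triage(log_text):
    """Return (reason, original line) pairs for entries worth asking the poster about."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            findings.extend((reason, line) for reason in _check(*m.groups()))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Lines the script does not flag (the iTunes and iPod entries here) still deserve a look; the point is to shortlist, not to clear.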
