This topic is lockedJustin
Edited by Jfcap, 01 May 2005 - 12:58 AM.
Hundreds of pop-ups and other problems [CLOSED]
Started by
lew10281
, Apr 28 2005 10:37 AM
#16
Posted 01 May 2005 - 12:55 AM
Justin
-
- Member
-
- 2,353 posts
I do a little bit of everything
Justin
#17
Posted 01 May 2005 - 10:02 PM
Justin
-
- Member
-
- 2,353 posts
I do a little bit of everything
Lew,
Sorry for the delay, I tend to have lazy weekends of doing nothing, especially at the end of the school year. Lets try these fixes.
Please run Notepad and copy the following text into a new file:
Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.
Then please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Reboot into normal Windows.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {6DF5F9EF-0C98-1C8C-F17F-85B1E70F1D25} - C:\WINDOWS\System32\dxfnqnmv\gnihncbe.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [072V38X] mse2_32.exe
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [mkkxmb] C:\WINDOWS\System32\yiwxp\mkkxmb.exe
O4 - HKLM\..\Run: [ldfew] C:\WINDOWS\System32\dvdxstx\ldfew.exe
O4 - HKLM\..\Run: [jipbb] C:\WINDOWS\System32\guodnt\jipbb.exe
O4 - HKLM\..\Run: [uauxag] C:\WINDOWS\System32\qxwfvtf\uauxag.exe
O4 - HKLM\..\Run: [bwcn] C:\WINDOWS\System32\amshkt\bwcn.exe
O4 - HKLM\..\Run: [hwfk] C:\WINDOWS\System32\xruoqg\hwfk.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O4 - HKLM\..\Run: [hshnin] C:\DOCUME~1\Owner\LOCALS~1\Temp\gnia.exe
O4 - HKLM\..\Run: [yjyagior] C:\WINDOWS\System32\dxdih\yjyagior.exe
O4 - HKLM\..\Run: [plhhg] C:\WINDOWS\System32\jiwquorx\plhhg.exe
O4 - HKLM\..\Run: [liss] C:\WINDOWS\System32\qxymh\liss.exe
O4 - HKLM\..\Run: [rdjuonu] C:\WINDOWS\System32\pngehor\rdjuonu.exe
O4 - HKLM\..\Run: [rjrfi] C:\WINDOWS\System32\equw\rjrfi.exe
O4 - HKLM\..\Run: [nbrc] C:\WINDOWS\System32\kljnmmw\nbrc.exe
O4 - HKLM\..\Run: [lesowjpq] C:\WINDOWS\System32\oosaccyk\lesowjpq.exe
O4 - HKLM\..\Run: [hgqkbi] C:\WINDOWS\System32\bwcandxy\hgqkbi.exe
O4 - HKLM\..\Run: [imxfats] C:\WINDOWS\System32\cvjafk\imxfats.exe
O4 - HKLM\..\Run: [reda] C:\WINDOWS\System32\bvdb\reda.exe
O4 - HKLM\..\Run: [cumgx] C:\WINDOWS\System32\wrunw\cumgx.exe
O4 - HKLM\..\Run: [bvayndap] C:\WINDOWS\System32\phbadd\bvayndap.exe
O4 - HKLM\..\Run: [aarnac] C:\WINDOWS\System32\ovdqww\aarnac.exe
O4 - HKLM\..\Run: [lqknbh] C:\WINDOWS\System32\aqacxjn\lqknbh.exe
O4 - HKLM\..\Run: [eirweub] C:\WINDOWS\System32\goyh\eirweub.exe
O4 - HKLM\..\Run: [hsuiskj] C:\WINDOWS\System32\urtpbue\hsuiskj.exe
O4 - HKLM\..\Run: [syeqnku] C:\WINDOWS\System32\dvwrdhh\syeqnku.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\wmmxxl.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [cinsrw] C:\WINDOWS\System32\smuno\cinsrw.exe
O4 - HKLM\..\Run: [GMedia2] C:\WINDOWS\System32\GSMedia3.exe
O4 - HKCU\..\Run: [instfunc] C:\WINDOWS\System32\instfunc.exe
O4 - HKCU\..\Run: [bs5pis] C:\WINDOWS\System32\bs5pis.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O23 - Service: aarnacovdqww - Unknown owner - C:\WINDOWS\System32\ovdqww\aarnac.exe (file missing)
O23 - Service: bvayndapphbadd - Unknown owner - C:\WINDOWS\System32\phbadd\bvayndap.exe
O23 - Service: flhmirkoffarct - Unknown owner - C:\WINDOWS\System32\ffarct\flhmirko.exe (file missing)
O23 - Service: greenstdSystem32 - Unknown owner - C:\WINDOWS\System32\greenstd.exe (file missing)
O23 - Service: hcajyqpwqcxmq - Unknown owner - C:\WINDOWS\System32\qpwqcxmq\hcajy.exe (file missing)
O23 - Service: jipbbguodnt - Unknown owner - C:\WINDOWS\System32\guodnt\jipbb.exe (file missing)
O23 - Service: ldfewdvdxstx - Unknown owner - C:\WINDOWS\System32\dvdxstx\ldfew.exe
O23 - Service: lissqxymh - Unknown owner - C:\WINDOWS\System32\qxymh\liss.exe
O23 - Service: nyoibbijcrr - Unknown owner - C:\WINDOWS\System32\bbijcrr\nyoi.exe (file missing)
O23 - Service: redabvdb - Unknown owner - C:\WINDOWS\System32\bvdb\reda.exe (file missing)
O23 - Service: rudokxjrpxc - Unknown owner - C:\WINDOWS\System32\xjrpxc\rudok.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: uauxagqxwfvtf - Unknown owner - C:\WINDOWS\System32\qxwfvtf\uauxag.exe (file missing)
Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please remove these entries from Add/Remove Programs (if present) in the Control Panel:
MediaAccK.exe
ErrorGuard.Exe
xqm8vk65.exe
Please note any other programs that you dont recognize in that list in your next response
Please delete these folders (if present) using Windows Explorer:
C:\Program Files\Media Access
C:\WINDOWS\System32\kljnmmw
C:\WINDOWS\System32\oosaccyk
C:\WINDOWS\System32\bwcandxy
C:\WINDOWS\System32\cvjafk
C:\WINDOWS\System32\bvdb
C:\WINDOWS\System32\wrunw
C:\WINDOWS\System32\phbadd
C:\WINDOWS\System32\ovdqww
C:\WINDOWS\System32\aqacxjn
C:\WINDOWS\System32\goyh
C:\WINDOWS\System32\urtpbue
C:\WINDOWS\System32\dvwrdhh
C:\WINDOWS\System32\dxdih
C:\WINDOWS\System32\jiwquorx
C:\WINDOWS\System32\qxymh
C:\WINDOWS\System32\pngehor
C:\WINDOWS\System32\equw
C:\WINDOWS\System32\dvdxstx
C:\WINDOWS\System32\guodnt
C:\WINDOWS\System32\qxwfvtf
C:\WINDOWS\System32\amshkt
C:\WINDOWS\System32\xruoqg
C:\Program Files\ErrorGuard
C:\Program Files\xqm8vk65
Please delete these files (if present) using Windows Explorer:
C:\windows\system32\elitefto32.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\gnia.exe
C:\WINDOWS\System32\wmmxxl.exe
C:\WINDOWS\System32\smuno\cinsrw.exe
C:\WINDOWS\System32\GSMedia3.exe
C:\WINDOWS\System32\instfunc.exe
C:\WINDOWS\System32\bs5pis.exe
These files you will need to manually search for. Click START --> SEARCH, then type in the name of the file, and delete it.
ALCXMNTR.EXE
mse2_32.exe
After that, Reboot.
Now post a fresh HiJackThis log for me to look at.
Justin
Sorry for the delay, I tend to have lazy weekends of doing nothing, especially at the end of the school year. Lets try these fixes.
Please run Notepad and copy the following text into a new file:
@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit
Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.
Then please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Reboot into normal Windows.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {6DF5F9EF-0C98-1C8C-F17F-85B1E70F1D25} - C:\WINDOWS\System32\dxfnqnmv\gnihncbe.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [072V38X] mse2_32.exe
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [mkkxmb] C:\WINDOWS\System32\yiwxp\mkkxmb.exe
O4 - HKLM\..\Run: [ldfew] C:\WINDOWS\System32\dvdxstx\ldfew.exe
O4 - HKLM\..\Run: [jipbb] C:\WINDOWS\System32\guodnt\jipbb.exe
O4 - HKLM\..\Run: [uauxag] C:\WINDOWS\System32\qxwfvtf\uauxag.exe
O4 - HKLM\..\Run: [bwcn] C:\WINDOWS\System32\amshkt\bwcn.exe
O4 - HKLM\..\Run: [hwfk] C:\WINDOWS\System32\xruoqg\hwfk.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O4 - HKLM\..\Run: [hshnin] C:\DOCUME~1\Owner\LOCALS~1\Temp\gnia.exe
O4 - HKLM\..\Run: [yjyagior] C:\WINDOWS\System32\dxdih\yjyagior.exe
O4 - HKLM\..\Run: [plhhg] C:\WINDOWS\System32\jiwquorx\plhhg.exe
O4 - HKLM\..\Run: [liss] C:\WINDOWS\System32\qxymh\liss.exe
O4 - HKLM\..\Run: [rdjuonu] C:\WINDOWS\System32\pngehor\rdjuonu.exe
O4 - HKLM\..\Run: [rjrfi] C:\WINDOWS\System32\equw\rjrfi.exe
O4 - HKLM\..\Run: [nbrc] C:\WINDOWS\System32\kljnmmw\nbrc.exe
O4 - HKLM\..\Run: [lesowjpq] C:\WINDOWS\System32\oosaccyk\lesowjpq.exe
O4 - HKLM\..\Run: [hgqkbi] C:\WINDOWS\System32\bwcandxy\hgqkbi.exe
O4 - HKLM\..\Run: [imxfats] C:\WINDOWS\System32\cvjafk\imxfats.exe
O4 - HKLM\..\Run: [reda] C:\WINDOWS\System32\bvdb\reda.exe
O4 - HKLM\..\Run: [cumgx] C:\WINDOWS\System32\wrunw\cumgx.exe
O4 - HKLM\..\Run: [bvayndap] C:\WINDOWS\System32\phbadd\bvayndap.exe
O4 - HKLM\..\Run: [aarnac] C:\WINDOWS\System32\ovdqww\aarnac.exe
O4 - HKLM\..\Run: [lqknbh] C:\WINDOWS\System32\aqacxjn\lqknbh.exe
O4 - HKLM\..\Run: [eirweub] C:\WINDOWS\System32\goyh\eirweub.exe
O4 - HKLM\..\Run: [hsuiskj] C:\WINDOWS\System32\urtpbue\hsuiskj.exe
O4 - HKLM\..\Run: [syeqnku] C:\WINDOWS\System32\dvwrdhh\syeqnku.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\wmmxxl.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [cinsrw] C:\WINDOWS\System32\smuno\cinsrw.exe
O4 - HKLM\..\Run: [GMedia2] C:\WINDOWS\System32\GSMedia3.exe
O4 - HKCU\..\Run: [instfunc] C:\WINDOWS\System32\instfunc.exe
O4 - HKCU\..\Run: [bs5pis] C:\WINDOWS\System32\bs5pis.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O23 - Service: aarnacovdqww - Unknown owner - C:\WINDOWS\System32\ovdqww\aarnac.exe (file missing)
O23 - Service: bvayndapphbadd - Unknown owner - C:\WINDOWS\System32\phbadd\bvayndap.exe
O23 - Service: flhmirkoffarct - Unknown owner - C:\WINDOWS\System32\ffarct\flhmirko.exe (file missing)
O23 - Service: greenstdSystem32 - Unknown owner - C:\WINDOWS\System32\greenstd.exe (file missing)
O23 - Service: hcajyqpwqcxmq - Unknown owner - C:\WINDOWS\System32\qpwqcxmq\hcajy.exe (file missing)
O23 - Service: jipbbguodnt - Unknown owner - C:\WINDOWS\System32\guodnt\jipbb.exe (file missing)
O23 - Service: ldfewdvdxstx - Unknown owner - C:\WINDOWS\System32\dvdxstx\ldfew.exe
O23 - Service: lissqxymh - Unknown owner - C:\WINDOWS\System32\qxymh\liss.exe
O23 - Service: nyoibbijcrr - Unknown owner - C:\WINDOWS\System32\bbijcrr\nyoi.exe (file missing)
O23 - Service: redabvdb - Unknown owner - C:\WINDOWS\System32\bvdb\reda.exe (file missing)
O23 - Service: rudokxjrpxc - Unknown owner - C:\WINDOWS\System32\xjrpxc\rudok.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: uauxagqxwfvtf - Unknown owner - C:\WINDOWS\System32\qxwfvtf\uauxag.exe (file missing)
Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please remove these entries from Add/Remove Programs (if present) in the Control Panel:
MediaAccK.exe
ErrorGuard.Exe
xqm8vk65.exe
Please note any other programs that you dont recognize in that list in your next response
Please delete these folders (if present) using Windows Explorer:
C:\Program Files\Media Access
C:\WINDOWS\System32\kljnmmw
C:\WINDOWS\System32\oosaccyk
C:\WINDOWS\System32\bwcandxy
C:\WINDOWS\System32\cvjafk
C:\WINDOWS\System32\bvdb
C:\WINDOWS\System32\wrunw
C:\WINDOWS\System32\phbadd
C:\WINDOWS\System32\ovdqww
C:\WINDOWS\System32\aqacxjn
C:\WINDOWS\System32\goyh
C:\WINDOWS\System32\urtpbue
C:\WINDOWS\System32\dvwrdhh
C:\WINDOWS\System32\dxdih
C:\WINDOWS\System32\jiwquorx
C:\WINDOWS\System32\qxymh
C:\WINDOWS\System32\pngehor
C:\WINDOWS\System32\equw
C:\WINDOWS\System32\dvdxstx
C:\WINDOWS\System32\guodnt
C:\WINDOWS\System32\qxwfvtf
C:\WINDOWS\System32\amshkt
C:\WINDOWS\System32\xruoqg
C:\Program Files\ErrorGuard
C:\Program Files\xqm8vk65
Please delete these files (if present) using Windows Explorer:
C:\windows\system32\elitefto32.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\gnia.exe
C:\WINDOWS\System32\wmmxxl.exe
C:\WINDOWS\System32\smuno\cinsrw.exe
C:\WINDOWS\System32\GSMedia3.exe
C:\WINDOWS\System32\instfunc.exe
C:\WINDOWS\System32\bs5pis.exe
These files you will need to manually search for. Click START --> SEARCH, then type in the name of the file, and delete it.
ALCXMNTR.EXE
mse2_32.exe
After that, Reboot.
Now post a fresh HiJackThis log for me to look at.
Justin
#18
Posted 02 May 2005 - 01:49 AM
lew10281
- Topic Starter
-
- Member
-
- 48 posts
Member
i did mostly everything you said and the computer is working %10,000 percent better
the files i didn't find was under:
add/remove
xqm8vk65.exe
Windows Explorer (Folders)
C:\Program Files\Media Access
Windows Explorer (Files)
C:\DOCUME~1\Owner\LOCALS~1\Temp\gnia.exe
C:\WINDOWS\System32\wmmxxl.exe
C:\WINDOWS\System32\smuno\cinsrw.exe
C:\WINDOWS\System32\instfunc.exe
the files i didn't find was under:
add/remove
xqm8vk65.exe
Windows Explorer (Folders)
C:\Program Files\Media Access
Windows Explorer (Files)
C:\DOCUME~1\Owner\LOCALS~1\Temp\gnia.exe
C:\WINDOWS\System32\wmmxxl.exe
C:\WINDOWS\System32\smuno\cinsrw.exe
C:\WINDOWS\System32\instfunc.exe
#19
Posted 02 May 2005 - 01:50 AM
lew10281
- Topic Starter
-
- Member
-
- 48 posts
Member
Logfile of HijackThis v1.99.1
Scan saved at 2:50:07 AM, on 5/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\huxwvhcb\frjk.exe
C:\WINDOWS\System32\mwdfrh\rgukljio.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avojara] C:\WINDOWS\System32\xvuvf\avojara.exe
O4 - HKLM\..\Run: [oghwfej] C:\WINDOWS\System32\lyhmni\oghwfej.exe
O4 - HKLM\..\Run: [ikukea] C:\WINDOWS\System32\stgsptfm\ikukea.exe
O4 - HKLM\..\Run: [kssfvoi] C:\WINDOWS\System32\mctgy\kssfvoi.exe
O4 - HKLM\..\Run: [rgukljio] C:\WINDOWS\System32\mwdfrh\rgukljio.exe
O4 - HKLM\..\Run: [frjk] C:\WINDOWS\System32\huxwvhcb\frjk.exe
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: fvmlrijedgo - Unknown owner - C:\WINDOWS\System32\jedgo\fvmlri.exe (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Scan saved at 2:50:07 AM, on 5/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\huxwvhcb\frjk.exe
C:\WINDOWS\System32\mwdfrh\rgukljio.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avojara] C:\WINDOWS\System32\xvuvf\avojara.exe
O4 - HKLM\..\Run: [oghwfej] C:\WINDOWS\System32\lyhmni\oghwfej.exe
O4 - HKLM\..\Run: [ikukea] C:\WINDOWS\System32\stgsptfm\ikukea.exe
O4 - HKLM\..\Run: [kssfvoi] C:\WINDOWS\System32\mctgy\kssfvoi.exe
O4 - HKLM\..\Run: [rgukljio] C:\WINDOWS\System32\mwdfrh\rgukljio.exe
O4 - HKLM\..\Run: [frjk] C:\WINDOWS\System32\huxwvhcb\frjk.exe
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: fvmlrijedgo - Unknown owner - C:\WINDOWS\System32\jedgo\fvmlri.exe (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
#20
Posted 02 May 2005 - 06:58 AM
Justin
-
- Member
-
- 2,353 posts
I do a little bit of everything
Lew,
Thats ok if you did not find some of the files. I see a few things that are still there, lets get rid of them!
1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.
2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
3) Once in Safe Mode, please run Killbox.
4) Select "Delete on Reboot".
5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\Nail.exe
6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..
Let the system reboot.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
O4 - HKLM\..\Run: [avojara] C:\WINDOWS\System32\xvuvf\avojara.exe
O4 - HKLM\..\Run: [oghwfej] C:\WINDOWS\System32\lyhmni\oghwfej.exe
O4 - HKLM\..\Run: [ikukea] C:\WINDOWS\System32\stgsptfm\ikukea.exe
O4 - HKLM\..\Run: [kssfvoi] C:\WINDOWS\System32\mctgy\kssfvoi.exe
O4 - HKLM\..\Run: [rgukljio] C:\WINDOWS\System32\mwdfrh\rgukljio.exe
O4 - HKLM\..\Run: [frjk] C:\WINDOWS\System32\huxwvhcb\frjk.exe
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O23 - Service: fvmlrijedgo - Unknown owner - C:\WINDOWS\System32\jedgo\fvmlri.exe (file missing)
Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please remove these entries from Add/Remove Programs (if present) in the Control Panel:
xqm8vk65.exe (Look one more time)
Please note any other programs that you dont recognize in that list in your next response
Please delete these folders (if present) using Windows Explorer:
C:\WINDOWS\System32\xvuvf
C:\WINDOWS\System32\lyhmni
C:\WINDOWS\System32\stgsptfm
C:\WINDOWS\System32\mctgy
C:\WINDOWS\System32\mwdfrh
C:\WINDOWS\System32\huxwvhcb
C:\Program Files\xqm8vk65 (Look again)
Please delete these files (if present) using Windows Explorer:
C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
After that, Reboot.
Its ok if you cant find the above, sometimes HiJackThis will delete them.
Please post a new HiJackThis log for me.
Justin
Thats ok if you did not find some of the files. I see a few things that are still there, lets get rid of them!
1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.
2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
3) Once in Safe Mode, please run Killbox.
4) Select "Delete on Reboot".
5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\Nail.exe
6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..
Let the system reboot.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
O4 - HKLM\..\Run: [avojara] C:\WINDOWS\System32\xvuvf\avojara.exe
O4 - HKLM\..\Run: [oghwfej] C:\WINDOWS\System32\lyhmni\oghwfej.exe
O4 - HKLM\..\Run: [ikukea] C:\WINDOWS\System32\stgsptfm\ikukea.exe
O4 - HKLM\..\Run: [kssfvoi] C:\WINDOWS\System32\mctgy\kssfvoi.exe
O4 - HKLM\..\Run: [rgukljio] C:\WINDOWS\System32\mwdfrh\rgukljio.exe
O4 - HKLM\..\Run: [frjk] C:\WINDOWS\System32\huxwvhcb\frjk.exe
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O23 - Service: fvmlrijedgo - Unknown owner - C:\WINDOWS\System32\jedgo\fvmlri.exe (file missing)
Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please remove these entries from Add/Remove Programs (if present) in the Control Panel:
xqm8vk65.exe (Look one more time)
Please note any other programs that you dont recognize in that list in your next response
Please delete these folders (if present) using Windows Explorer:
C:\WINDOWS\System32\xvuvf
C:\WINDOWS\System32\lyhmni
C:\WINDOWS\System32\stgsptfm
C:\WINDOWS\System32\mctgy
C:\WINDOWS\System32\mwdfrh
C:\WINDOWS\System32\huxwvhcb
C:\Program Files\xqm8vk65 (Look again)
Please delete these files (if present) using Windows Explorer:
C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
After that, Reboot.
Its ok if you cant find the above, sometimes HiJackThis will delete them.
Please post a new HiJackThis log for me.
Justin
Edited by Jfcap, 02 May 2005 - 07:17 AM.
#21
Posted 02 May 2005 - 07:06 AM
lew10281
- Topic Starter
-
- Member
-
- 48 posts
Member
could you explain 5 in more detail so i won't mess anything up?
#22
Posted 02 May 2005 - 07:20 AM
Justin
-
- Member
-
- 2,353 posts
I do a little bit of everything
Sure Thing!
5) is worded oddly because it is designed to delete multiple files at once. What is is telling you to do is open up notepad and copy all of the listed files, then go to killbox and select paste from clipboard.
To make it easier,
Just highlight the text below, and copy it (CTRL-C)
Then go into Killbox and go to the file menu and chose paste from clipboard.
Let me know if you have any other questions,
Justin
5) is worded oddly because it is designed to delete multiple files at once. What is is telling you to do is open up notepad and copy all of the listed files, then go to killbox and select paste from clipboard.
To make it easier,
Just highlight the text below, and copy it (CTRL-C)
C:\WINDOWS\Nail.exe
Then go into Killbox and go to the file menu and chose paste from clipboard.
Let me know if you have any other questions,
Justin
#23
Posted 08 May 2005 - 10:51 PM
lew10281
- Topic Starter
-
- Member
-
- 48 posts
Member
sorry i was out of town. i'll do this next step ASAP
#24
Posted 08 May 2005 - 11:08 PM
Justin
-
- Member
-
- 2,353 posts
I do a little bit of everything
Lew,
No rush at all. Take your time =)
Justin
No rush at all. Take your time =)
Justin
#25
Posted 13 May 2005 - 11:08 PM
lew10281
- Topic Starter
-
- Member
-
- 48 posts
Member
hey JF.
some girl sent some message thru AIM. it probably was a virus. me being stupid i clicked on it and it must have saved something on the computer. now when im on AIM, it will go thru my entire buddylist and send everyone that's online that message i got.
and since i downloaded it, in my C: drive there are some programs called
adinstallwin32
omg
stcupdt
also something called HuntBar browser is trying to install but Microsoft Antispyware is blocking it from installing. sorry for the trouble.
here is a new hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 12:02:58 AM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\mctgy\kssfvoi.exe
C:\WINDOWS\System32\mwdfrh\rgukljio.exe
C:\WINDOWS\System32\huxwvhcb\frjk.exe
C:\WINDOWS\userint32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\obwuahe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\a23jla97.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\winmgc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
c:\windows\system32\jdwnlu.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\omg.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50245
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avojara] C:\WINDOWS\System32\xvuvf\avojara.exe
O4 - HKLM\..\Run: [oghwfej] C:\WINDOWS\System32\lyhmni\oghwfej.exe
O4 - HKLM\..\Run: [ikukea] C:\WINDOWS\System32\stgsptfm\ikukea.exe
O4 - HKLM\..\Run: [kssfvoi] C:\WINDOWS\System32\mctgy\kssfvoi.exe
O4 - HKLM\..\Run: [rgukljio] C:\WINDOWS\System32\mwdfrh\rgukljio.exe
O4 - HKLM\..\Run: [frjk] C:\WINDOWS\System32\huxwvhcb\frjk.exe
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [ARtI7] C:\WINDOWS\obwuahe.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [a23jla97] C:\WINDOWS\System32\a23jla97.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [eTunnel] C:\omg.exe
O4 - HKLM\..\Run: [pozynk] c:\windows\system32\jdwnlu.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: fvmlrijedgo - Unknown owner - C:\WINDOWS\System32\jedgo\fvmlri.exe (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: Windows Management Construct (winmgmc) - Unknown owner - C:\WINDOWS\winmgc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
some girl sent some message thru AIM. it probably was a virus. me being stupid i clicked on it and it must have saved something on the computer. now when im on AIM, it will go thru my entire buddylist and send everyone that's online that message i got.
and since i downloaded it, in my C: drive there are some programs called
adinstallwin32
omg
stcupdt
also something called HuntBar browser is trying to install but Microsoft Antispyware is blocking it from installing. sorry for the trouble.
here is a new hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 12:02:58 AM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\mctgy\kssfvoi.exe
C:\WINDOWS\System32\mwdfrh\rgukljio.exe
C:\WINDOWS\System32\huxwvhcb\frjk.exe
C:\WINDOWS\userint32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\obwuahe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\a23jla97.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\winmgc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
c:\windows\system32\jdwnlu.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\omg.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50245
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avojara] C:\WINDOWS\System32\xvuvf\avojara.exe
O4 - HKLM\..\Run: [oghwfej] C:\WINDOWS\System32\lyhmni\oghwfej.exe
O4 - HKLM\..\Run: [ikukea] C:\WINDOWS\System32\stgsptfm\ikukea.exe
O4 - HKLM\..\Run: [kssfvoi] C:\WINDOWS\System32\mctgy\kssfvoi.exe
O4 - HKLM\..\Run: [rgukljio] C:\WINDOWS\System32\mwdfrh\rgukljio.exe
O4 - HKLM\..\Run: [frjk] C:\WINDOWS\System32\huxwvhcb\frjk.exe
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [ARtI7] C:\WINDOWS\obwuahe.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [a23jla97] C:\WINDOWS\System32\a23jla97.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [eTunnel] C:\omg.exe
O4 - HKLM\..\Run: [pozynk] c:\windows\system32\jdwnlu.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: fvmlrijedgo - Unknown owner - C:\WINDOWS\System32\jedgo\fvmlri.exe (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: Windows Management Construct (winmgmc) - Unknown owner - C:\WINDOWS\winmgc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
#26
Posted 13 May 2005 - 11:52 PM
Justin
-
- Member
-
- 2,353 posts
I do a little bit of everything
Lew,
Lets try to get rid of the AIM bug first.
Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)
Please save the logs from the scans and post then with your next reply. Also post a new HiJackThis log.
Thanks
Justin
Lets try to get rid of the AIM bug first.
Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)
Please save the logs from the scans and post then with your next reply. Also post a new HiJackThis log.
Thanks
Justin
#27
Posted 14 May 2005 - 11:21 AM
lew10281
- Topic Starter
-
- Member
-
- 48 posts
Member
i ran ad aware SE so it looks like tha bug is gone. so can you help me get this stuff off of my registry?
#28
Posted 14 May 2005 - 05:46 PM
Justin
-
- Member
-
- 2,353 posts
I do a little bit of everything
Lew,
There are a lot of things in your log, so lets fix them with HiJackThis.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50245
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
O4 - HKLM\..\Run: [avojara] C:\WINDOWS\System32\xvuvf\avojara.exe
O4 - HKLM\..\Run: [oghwfej] C:\WINDOWS\System32\lyhmni\oghwfej.exe
O4 - HKLM\..\Run: [ikukea] C:\WINDOWS\System32\stgsptfm\ikukea.exe
O4 - HKLM\..\Run: [kssfvoi] C:\WINDOWS\System32\mctgy\kssfvoi.exe
O4 - HKLM\..\Run: [rgukljio] C:\WINDOWS\System32\mwdfrh\rgukljio.exe
O4 - HKLM\..\Run: [frjk] C:\WINDOWS\System32\huxwvhcb\frjk.exe
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O4 - HKLM\..\Run: [ARtI7] C:\WINDOWS\obwuahe.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [a23jla97] C:\WINDOWS\System32\a23jla97.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [eTunnel] C:\omg.exe
O4 - HKLM\..\Run: [pozynk] c:\windows\system32\jdwnlu.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O23 - Service: fvmlrijedgo - Unknown owner - C:\WINDOWS\System32\jedgo\fvmlri.exe (file missing)
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please remove these entries from Add/Remove Programs (if present) in the Control Panel:
powerscan.exe
istsvc.exe
MediaAccess.exe
MediaAccK.exe
PIB.exe
bargains.exe
xqm8vk65.exe
Please note any other programs that you dont recognize in that list in your next response
Please delete these folders (if present) using Windows Explorer:
C:\Program Files\ISTsvc
C:\Program Files\Common Files\WinTools
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\Media Access
C:\Program Files\Media Access
C:\Program Files\BullsEye Network
C:\WINDOWS\System32\xvuvf
C:\WINDOWS\System32\lyhmni
C:\WINDOWS\System32\stgsptfm
C:\WINDOWS\System32\mctgy
C:\WINDOWS\System32\mwdfrh
C:\WINDOWS\System32\huxwvhcb
C:\Program Files\xqm8vk65
C:\Program Files\Power Scan
Please delete these files (if present) using Windows Explorer:
C:\windows\system32\elitefto32.exe
C:\WINDOWS\obwuahe.exe
C:\WINDOWS\System32\a23jla97.exe
C:\omg.exe
c:\windows\system32\jdwnlu.exe
After that, Reboot.
Please post a new HiJackThis log for me to look at.
Justin
There are a lot of things in your log, so lets fix them with HiJackThis.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50245
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\oumpkiyx.exe
O4 - HKLM\..\Run: [avojara] C:\WINDOWS\System32\xvuvf\avojara.exe
O4 - HKLM\..\Run: [oghwfej] C:\WINDOWS\System32\lyhmni\oghwfej.exe
O4 - HKLM\..\Run: [ikukea] C:\WINDOWS\System32\stgsptfm\ikukea.exe
O4 - HKLM\..\Run: [kssfvoi] C:\WINDOWS\System32\mctgy\kssfvoi.exe
O4 - HKLM\..\Run: [rgukljio] C:\WINDOWS\System32\mwdfrh\rgukljio.exe
O4 - HKLM\..\Run: [frjk] C:\WINDOWS\System32\huxwvhcb\frjk.exe
O4 - HKLM\..\Run: [xqm8vk65] C:\Program Files\xqm8vk65\xqm8vk65.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefto32.exe
O4 - HKLM\..\Run: [ARtI7] C:\WINDOWS\obwuahe.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [a23jla97] C:\WINDOWS\System32\a23jla97.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [eTunnel] C:\omg.exe
O4 - HKLM\..\Run: [pozynk] c:\windows\system32\jdwnlu.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O23 - Service: fvmlrijedgo - Unknown owner - C:\WINDOWS\System32\jedgo\fvmlri.exe (file missing)
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please remove these entries from Add/Remove Programs (if present) in the Control Panel:
powerscan.exe
istsvc.exe
MediaAccess.exe
MediaAccK.exe
PIB.exe
bargains.exe
xqm8vk65.exe
Please note any other programs that you dont recognize in that list in your next response
Please delete these folders (if present) using Windows Explorer:
C:\Program Files\ISTsvc
C:\Program Files\Common Files\WinTools
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\Media Access
C:\Program Files\Media Access
C:\Program Files\BullsEye Network
C:\WINDOWS\System32\xvuvf
C:\WINDOWS\System32\lyhmni
C:\WINDOWS\System32\stgsptfm
C:\WINDOWS\System32\mctgy
C:\WINDOWS\System32\mwdfrh
C:\WINDOWS\System32\huxwvhcb
C:\Program Files\xqm8vk65
C:\Program Files\Power Scan
Please delete these files (if present) using Windows Explorer:
C:\windows\system32\elitefto32.exe
C:\WINDOWS\obwuahe.exe
C:\WINDOWS\System32\a23jla97.exe
C:\omg.exe
c:\windows\system32\jdwnlu.exe
After that, Reboot.
Please post a new HiJackThis log for me to look at.
Justin
#29
Posted 15 May 2005 - 01:43 AM
lew10281
- Topic Starter
-
- Member
-
- 48 posts
Member
In Add/Remove i seen suspicious activity like
Select Cashback
Internet Optimizer
Internet offers
in Folders
i seen; C:\Program Files\ISTBar not \ISTsvc
C:\PROGRA~1\Toolbar\TBPS.exe - couldn't delete it was in use
new hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 2:38:52 AM, on 5/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\userint32.exe
c:\windows\system32\omjzxku.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
c:\program files\180solutions\sais.exe
c:\documents and settings\owner\local settings\temp\2aJ.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\eliext.exe
C:\WINDOWS\System32\ersctr.exe
C:\ezStub.exe
c:\windows\system32\hHg.exe
c:\windows\system32\weS.exe
C:\WINDOWS\eZinstall.exe
C:\WINDOWS\system32\weS.exe
C:\PROGRA~1\eZula\mmod.exe
C:\WINDOWS\System32\NwgIc08.exe
C:\WINDOWS\System32\Xszv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\woinstall.exe
C:\PROGRA~1\WEBOFF~1\wo.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ejwnor] C:\WINDOWS\ejwnor.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [ssjhhbi] c:\windows\system32\omjzxku.exe
O4 - HKLM\..\Run: [2aJ] c:\documents and settings\owner\local settings\temp\2aJ.exe
O4 - HKLM\..\Run: [072V38X] ersctr.exe
O4 - HKLM\..\Run: [hHg] c:\windows\system32\hHg.exe
O4 - HKLM\..\Run: [weS.exe] c:\windows\system32\weS.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\KtrA.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Hwt9RUbsl] eliext.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\ezStub.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: Windows Management Construct (winmgmc) - Unknown owner - C:\WINDOWS\winmgc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
Select Cashback
Internet Optimizer
Internet offers
in Folders
i seen; C:\Program Files\ISTBar not \ISTsvc
C:\PROGRA~1\Toolbar\TBPS.exe - couldn't delete it was in use
new hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 2:38:52 AM, on 5/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\userint32.exe
c:\windows\system32\omjzxku.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
c:\program files\180solutions\sais.exe
c:\documents and settings\owner\local settings\temp\2aJ.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\eliext.exe
C:\WINDOWS\System32\ersctr.exe
C:\ezStub.exe
c:\windows\system32\hHg.exe
c:\windows\system32\weS.exe
C:\WINDOWS\eZinstall.exe
C:\WINDOWS\system32\weS.exe
C:\PROGRA~1\eZula\mmod.exe
C:\WINDOWS\System32\NwgIc08.exe
C:\WINDOWS\System32\Xszv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\woinstall.exe
C:\PROGRA~1\WEBOFF~1\wo.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ejwnor] C:\WINDOWS\ejwnor.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [ssjhhbi] c:\windows\system32\omjzxku.exe
O4 - HKLM\..\Run: [2aJ] c:\documents and settings\owner\local settings\temp\2aJ.exe
O4 - HKLM\..\Run: [072V38X] ersctr.exe
O4 - HKLM\..\Run: [hHg] c:\windows\system32\hHg.exe
O4 - HKLM\..\Run: [weS.exe] c:\windows\system32\weS.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\KtrA.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Hwt9RUbsl] eliext.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\ezStub.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: Windows Management Construct (winmgmc) - Unknown owner - C:\WINDOWS\winmgc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
#30
Posted 15 May 2005 - 09:17 PM
Justin
-
- Member
-
- 2,353 posts
I do a little bit of everything
Lew,
A lot of things showed up since your last log, so lets try to get them.
In Add/Remove Programs you can remove:
Select Cashback
Internet Optimizer
Internet offers
Then,
lease run Notepad and copy the following text into a new file:
Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.
Reboot normally.
Next, go here and download Sophos AntiVirus. Select the info that is appropriate for your system and download the evaluation version.
Then go here for information on how to remove worms. (This will remove the worm you got from AOL)
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ejwnor] C:\WINDOWS\ejwnor.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [ssjhhbi] c:\windows\system32\omjzxku.exe
O4 - HKLM\..\Run: [2aJ] c:\documents and settings\owner\local settings\temp\2aJ.exe
O4 - HKLM\..\Run: [hHg] c:\windows\system32\hHg.exe
O4 - HKLM\..\Run: [weS.exe] c:\windows\system32\weS.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\ezStub.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please remove these entries from Add/Remove Programs (if present) in the Control Panel:
wo.exe
TBPS.exe
PIB.exe
optimize.exe
TBPSSvc.exe
CxtPls.exe
WToolsA.exe
sais.exe
mmod.exe
AutoUpdate.exe
Please note any other programs that you dont recognize in that list in your next response
Please delete these folders (if present) using Windows Explorer:
C:\Program Files\Web Offer
C:\Program Files\Toolbar
C:\Program Files\Internet Optimizer
C:\Program Files\Common Files\WinTools
c:\program files\180solutions
C:\Program Files\eZula
C:\Program Files\AutoUpdate
C:\Program Files\CxtPls
Please delete these files (if present) using Windows Explorer:
C:\WINDOWS\ejwnor.exe
c:\windows\system32\omjzxku.exe
c:\documents and settings\owner\local settings\temp\2aJ.exe
c:\windows\system32\hHg.exe
c:\windows\system32\weS.exe
C:\ezStub.exe
After that, Reboot.
Then post a Fresh HiJackThis log for me.
Justin
A lot of things showed up since your last log, so lets try to get them.
In Add/Remove Programs you can remove:
Select Cashback
Internet Optimizer
Internet offers
Then,
lease run Notepad and copy the following text into a new file:
@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit
Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.
Reboot normally.
Next, go here and download Sophos AntiVirus. Select the info that is appropriate for your system and download the evaluation version.
Then go here for information on how to remove worms. (This will remove the worm you got from AOL)
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ejwnor] C:\WINDOWS\ejwnor.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [ssjhhbi] c:\windows\system32\omjzxku.exe
O4 - HKLM\..\Run: [2aJ] c:\documents and settings\owner\local settings\temp\2aJ.exe
O4 - HKLM\..\Run: [hHg] c:\windows\system32\hHg.exe
O4 - HKLM\..\Run: [weS.exe] c:\windows\system32\weS.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\ezStub.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please remove these entries from Add/Remove Programs (if present) in the Control Panel:
wo.exe
TBPS.exe
PIB.exe
optimize.exe
TBPSSvc.exe
CxtPls.exe
WToolsA.exe
sais.exe
mmod.exe
AutoUpdate.exe
Please note any other programs that you dont recognize in that list in your next response
Please delete these folders (if present) using Windows Explorer:
C:\Program Files\Web Offer
C:\Program Files\Toolbar
C:\Program Files\Internet Optimizer
C:\Program Files\Common Files\WinTools
c:\program files\180solutions
C:\Program Files\eZula
C:\Program Files\AutoUpdate
C:\Program Files\CxtPls
Please delete these files (if present) using Windows Explorer:
C:\WINDOWS\ejwnor.exe
c:\windows\system32\omjzxku.exe
c:\documents and settings\owner\local settings\temp\2aJ.exe
c:\windows\system32\hHg.exe
c:\windows\system32\weS.exe
C:\ezStub.exe
After that, Reboot.
Then post a Fresh HiJackThis log for me.
Justin
Edited by Jfcap, 15 May 2005 - 09:18 PM.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
