  • This topic is locked

#16
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Ok, let's get tough and try to clear up the rest of the remaining baddies!
1. Please run Notepad and copy the following text into a new file:

@ECHO OFF
REM Run this from Safe Mode: the files are hidden/system and are in use during a normal boot.
cd \windows
REM Run Nail.exe with its /FULLREMOVE switch, then stop and unregister the SvcProc service.
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so that del can remove the files.
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode.
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.


2. Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:
C:\WINDOWS\System32\qeovaxlx
C:\WINDOWS\System32\hubhm
C:\WINDOWS\System32\chyhv
C:\WINDOWS\System32\ajhmt
C:\WINDOWS\System32\shwmtpu
C:\WINDOWS\enhtb.dll
C:\WINDOWS\Bolger.dll
c:\windows\ymjjsqf.exe
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\ahtun.exe
C:\WINDOWS\System32\cugibnjl
C:\WINDOWS\svcproc.exe
For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

3. Open HJT and click Scan. Place a check next to each of the following entries (if found) and, after you close all other programs/windows, click "Fix". Then reboot and post a fresh HJT log.

O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll

O4 - HKCU\..\Run: [fowendl] c:\windows\ymjjsqf.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)
O23 - Service: orwqaocugibnjl - Unknown owner - C:\WINDOWS\System32\cugibnjl\orwqao.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

#17
rdlacy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Followed your instructions, removed everything I could find, and ran another log:

Logfile of HijackThis v1.99.1
Scan saved at 3:45:33 PM, on 05/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\hubhm\ufyomofk.exe
C:\WINDOWS\System32\ajhmt\ynspew.exe
C:\WINDOWS\System32\qeovaxlx\xabutoq.exe
C:\WINDOWS\System32\uouxdb\rfhmykfh.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\yjwgahil\owhydvs.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\DOCUME~1\Alexis\LOCALS~1\Temp\sdbwhq.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\shwmtpu\hrrqbj.exe
C:\Documents and Settings\Alexis\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [xphtwbf] c:\windows\dxayvxw.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\DOCUME~1\Alexis\LOCALS~1\Temp\sdbwhq.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks

Roger

#18
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
OK, these are not dying. We need to get that PC back online so we can get to some trojan and virus removal scans. What exactly is the cause of not getting online? I mean, is it because the PC is so messed up, or do you know of a specific reason?
I'm going to ask someone with more expertise than myself to take a peek in here and see if we can't get that back online.
If you can, try downloading TrojanHunter onto a disc and running it on the infected machine.

http://www.trojanhun...rojanHunter.exe

#19
rdlacy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I am now downloading TrojanHunter on my computer to transfer it to the infected one. I can connect to the internet using the infected computer, but it just does not complete any downloads. It just sits there.
I ran Norton Security 2004 from its CD, but it did not find any virus. I tried reloading it, but it just errored out after the virus scan. Are there any virus programs I can download to a CD and transfer to the infected computer?

thanks

roger

#20
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:

Loading Outpost Connections (or KDE)
Debug oupost relations (or LAGOS)

When you find them, double-click on each one. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):

KDE

Click ok.

It should pull up information about the service, when it asks if you want to reboot now click NO.

Follow the above instructions for this one as well:

LAGOS

Click OK, this time click YES when it asks if you want to reboot.

Post a new HiJackThis log.

#21
rdlacy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
After I downloaded TrojanHunter I ran it before you replied and received the following:
adware.barginbuddy. 104 deleted
adware.ezula.101 deleted
adware.gator.101 deleted
adware.webrebates.106 deleted
adware.viva.100 deleted

And I just ran it before I saw your message and received:


Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found possible trojan file: C:\WINDOWS\SYSTEM32\autoupgrader.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\cmdteld.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\dkvnaaaa.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\ehybbd\pfwwgp.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\elfsg\ifqcqcio.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\fgvhw\tlahy.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\greenstd.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\hahkv\qbkdhhif.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\hqmwolgc\uhcewc.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\hubhm\ufyomofk.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\jsilgdym.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\konynw\fdels.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\mhusyhuf\qirbusy.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\mocihd.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\nsndtn\vwbc.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\qeovaxlx\xabutoq.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\sew.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\soslssgj.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\taskmg.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\uhndvbh\edlmu.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\uouxdb\rfhmykfh.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\vbanwaaa.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\vhhng.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\vraspaaa.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\yjwgahil\owhydvs.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Error: Directory not found: C:\WINDOWS\SYSTEM32\??sembly
25 possible trojan files found


And then I read your message and tried the services.msc command and received the following message:

Microsoft Management Console
MMC cannot open the file c:\windows\system32\services.msc
This may be because the file doesn't exist, it is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file.

I checked and the file does exist and is in the right folder.

I did not try the second part of your message because the services.msc did not work.


thanks


Roger

#22
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
That is GREAT that you got TrojanHunter to work!! Normally we would ask you to let it submit those files, but I know it would be impossible for you to, since that machine still won't do the right things online.

Let me see a fresh HJT log now, would you? I want to see how it's looking after the TH scan, then we'll address the other part, OK?

#23
rdlacy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Here is a copy of the latest HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 8:53:43 PM, on 05/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\mscover.exe
C:\WINDOWS\System32\hubhm\ufyomofk.exe
C:\WINDOWS\System32\shwmtpu\hrrqbj.exe
C:\WINDOWS\System32\ajhmt\ynspew.exe
C:\WINDOWS\system32\jobcpa\xcfyqc.exe
C:\WINDOWS\System32\yjwgahil\owhydvs.exe
C:\WINDOWS\System32\udrnhwkg\osyrw.exe
C:\WINDOWS\system32\ptty\juqu.exe
C:\WINDOWS\system32\ecdflgpe\jthrs.exe
C:\WINDOWS\System32\nowtbn\fgemd.exe
C:\WINDOWS\System32\aigyio\einnutbi.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\windows\sviffwn.exe
C:\Documents and Settings\Alexis\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ipqspbi] c:\windows\vnldivk.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



Thanks

Roger

#24
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Please follow the below instructions exactly - we are not deleting them the same way as we did before!

I need you to copy all of the Killbox instructions below and paste them into Notepad.

* Please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy all of the file names below to the clipboard by highlighting ALL of them, then pressing CTRL + C:

C:\WINDOWS\SYSTEM32\autoupgrader.exe
C:\WINDOWS\SYSTEM32\cmdteld.exe
C:\WINDOWS\SYSTEM32\dkvnaaaa.exe
C:\WINDOWS\SYSTEM32\ehybbd\pfwwgp.exe
C:\WINDOWS\SYSTEM32\elfsg\ifqcqcio.exe
C:\WINDOWS\SYSTEM32\fgvhw\tlahy.exe
C:\WINDOWS\SYSTEM32\greenstd.exe
C:\WINDOWS\SYSTEM32\hahkv\qbkdhhif.exe
C:\WINDOWS\SYSTEM32\hqmwolgc\uhcewc.exe
C:\WINDOWS\SYSTEM32\hubhm\ufyomofk.exe
C:\WINDOWS\SYSTEM32\jsilgdym.exe
C:\WINDOWS\SYSTEM32\konynw\fdels.exe
C:\WINDOWS\SYSTEM32\mhusyhuf\qirbusy.exe
C:\WINDOWS\SYSTEM32\mocihd.exe
C:\WINDOWS\SYSTEM32\nsndtn\vwbc.exe
C:\WINDOWS\SYSTEM32\qeovaxlx\xabutoq.exe
C:\WINDOWS\SYSTEM32\sew.exe
C:\WINDOWS\SYSTEM32\soslssgj.exe
C:\WINDOWS\SYSTEM32\taskmg.exe
C:\WINDOWS\SYSTEM32\uhndvbh\edlmu.exe
C:\WINDOWS\SYSTEM32\uouxdb\rfhmykfh.exe
C:\WINDOWS\SYSTEM32\vbanwaaa.exe
C:\WINDOWS\SYSTEM32\vhhng.exe
C:\WINDOWS\SYSTEM32\vraspaaa.exe
C:\WINDOWS\SYSTEM32\yjwgahil\owhydvs.exe
C:\WINDOWS\SYSTEM32\ehybbd
C:\WINDOWS\SYSTEM32\elfsg
C:\WINDOWS\SYSTEM32\fgvhw
C:\WINDOWS\SYSTEM32\hahkv
C:\WINDOWS\SYSTEM32\hqmwolgc
C:\WINDOWS\SYSTEM32\hubhm
C:\WINDOWS\SYSTEM32\konynw
C:\WINDOWS\SYSTEM32\mhusyhuf
C:\WINDOWS\SYSTEM32\nsndtn
C:\WINDOWS\SYSTEM32\qeovaxlx
C:\WINDOWS\SYSTEM32\uhndvbh
C:\WINDOWS\SYSTEM32\uouxdb
C:\WINDOWS\SYSTEM32\yjwgahil


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After your computer reboots, post a new HijackThis log.

***IMPORTANT****

After you post the next HJT scan, please do not shut down or restart that computer again if at all possible. Some of these files are changing names, and they won't do so as long as it stays booted. Once you post me the new HJT log, please leave it running.
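As an added illustration (my own code, not anything from this thread or from the HijackThis/Killbox authors): a small Python triage script over HijackThis-format log text that flags the entry classes Kat has been working through here (the F2 Shell= hijack, HKCU Run entries launching from the C:\WINDOWS root, O23 services with "Unknown owner" and "(file missing)", and executables running from random System32 subfolders), then diffs two logs to surface the file-name rotation Kat warns about above. The log excerpts are constructed from the kind of lines posted in the thread, and KNOWN_SYSTEM32_DIRS is an assumed heuristic allowlist, not an authoritative one.

```python
import re

# Trimmed log excerpts in HijackThis v1.99 format, constructed for this example
# from the kind of lines posted in the thread (not the full logs).
LOG_FIRST = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\hubhm\ufyomofk.exe
C:\WINDOWS\System32\uouxdb\rfhmykfh.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [xphtwbf] c:\windows\dxayvxw.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
"""
LOG_SECOND = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\hubhm\ufyomofk.exe
C:\WINDOWS\System32\udrnhwkg\osyrw.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKCU\..\Run: [ipqspbi] c:\windows\vnldivk.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
"""

# Assumed allowlist of System32 subfolders that legitimately host running
# executables on this XP box; any other System32\<dir>\<name>.exe is treated
# as a dropper folder. This is a heuristic, not an authoritative list.
KNOWN_SYSTEM32_DIRS = {"spool", "dla", "zonelabs", "wbem", "drivers"}
SUBDIR_EXE = re.compile(r"^c:\\windows\\system32\\([^\\]+)\\[^\\]+\.exe$", re.I)
WINROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)

def parse(log):
    """Split an HJT log into the running-process list and the R/F/O entry lines."""
    procs, entries, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False
        elif in_procs:
            procs.append(line)
        elif re.match(r"^[A-Z]\d+ - ", line):
            entries.append(line)
    return procs, entries

def triage(log):
    """Return (rule, detail) findings for the entry classes handled in this thread."""
    procs, entries = parse(log)
    findings = []
    for p in procs:
        m = SUBDIR_EXE.match(p)
        if m and m.group(1).lower() not in KNOWN_SYSTEM32_DIRS:
            findings.append(("system32-subdir-exe", p))
    for e in entries:
        if e.startswith("F2 ") and "Shell=" in e:
            shell = e.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":        # anything appended to Shell= is a hijack
                findings.append(("shell-hijack", shell))
        elif e.startswith("O4 ") and WINROOT_EXE.match(e.split("] ", 1)[-1].strip('"')):
            findings.append(("winroot-run-entry", e))   # Run entry launching from C:\WINDOWS root
        elif e.startswith("O23 ") and "Unknown owner" in e and "(file missing)" in e:
            findings.append(("ghost-service", e))       # service left behind after its binary went
    return findings

def churn(first, second):
    """Dropper-folder executables that disappeared / appeared between two logs."""
    a = {d for r, d in triage(first) if r == "system32-subdir-exe"}
    b = {d for r, d in triage(second) if r == "system32-subdir-exe"}
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    for rule, detail in triage(LOG_FIRST):
        print(f"{rule:20} {detail}")
    gone, new = churn(LOG_FIRST, LOG_SECOND)
    print("gone since first log:", gone)
    print("new in second log:  ", new)
```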

#25
rdlacy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thanks for all your help.

This is taking too much of your time and this computer seems to have
other issues.

I will be trying a system reload of windows xp, first trying a repair
and if that does not work I will reformat and do a clean install.

I learned a lot trying all these programs.

Again, I thank you for all your time and effort.

Thanks

Roger
#26
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
That's what I'm here for Roger. I completely understand your decision, as that machine truly does have serious problems. When you get it cleaned and nice and new...please pass the following recommendations on to the pc's owner to help keep them protected!

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowser are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.


This thread is being closed as the issue is resolved due to a reformat. If you need help in the future, please feel free to start a new topic!

Great thanks goes to bananafanafo , Metallica and jonnyrotten for their help here! :tazz: ;)