Cannot remove pests [CLOSED]

This topic is locked.

#1 kalbright (New Member, 5 posts)

Please HELP - I am desperate. I have been running Pest Patrol, Adaware, and McAfee for the past 5 days in an attempt to remove a number of nasty files, but they just keep coming back. Problem files include(d) Tv Media, Sahagent, boering(sp?), webhancer, & zsearch to name just a few. Tonight I ran all three programs (PP, Adaware and McAfee) in safe mode and deleted all problem files that were identified in the scans. I also deleted a TV media file I found on the C drive. Finally, all scans came up clean. However, when I rebooted in normal mode, I find I still have a problem. I keep getting a PestPatrol message saying that SAH uninstall select agent has been identified. When I click yes, to say I want to delete it, I get a message that the program is ending, and then the PestPatrol message keeps coming back. Also, I am getting tons of pop-ups (22 just when connecting to your site), so obviously I still have spyware that I have not gotten rid of. I'm sure if I run Adaware or PP again it will show I have pests even though I just deleted everything (this is what I have been doing for the past days). I downloaded HijackThis - the log follows below. Please provide any help that you can:

Logfile of HijackThis v1.97.7
Scan saved at 11:43:17 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\PGP for Windows XP\PGPservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\bibuxzya.exe
C:\WINDOWS\dgudebx.exe
C:\WINDOWS\esvwpts.exe
C:\WINDOWS\fgcmm.exe
C:\WINDOWS\kwxfxg.exe
C:\WINDOWS\zesh.exe
C:\WINDOWS\iusvyjb.exe
C:\WINDOWS\xlqlxwlc.exe
C:\WINDOWS\kfqqpbboo.exe
C:\WINDOWS\evdbtlgv.exe
C:\WINDOWS\xlsfqswx.exe
C:\WINDOWS\rpbm.exe
C:\WINDOWS\dfdtpzp.exe
C:\WINDOWS\wxjwqt.exe
C:\WINDOWS\pnwhu.exe
C:\WINDOWS\tmcj.exe
C:\WINDOWS\kpesko.exe
C:\WINDOWS\ghoe.exe
C:\WINDOWS\mihl.exe
C:\WINDOWS\fonfjl.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\vgssojj.exe
C:\WINDOWS\gunuprm.exe
C:\WINDOWS\nlcp.exe
C:\WINDOWS\ormghjz.exe
C:\WINDOWS\nbpdvziqo.exe
C:\WINDOWS\hvwnklobx.exe
C:\WINDOWS\kcjbp.exe
C:\WINDOWS\xndu.exe
C:\WINDOWS\jhojdik.exe
C:\WINDOWS\mmgjyo.exe
C:\WINDOWS\dtwl.exe
C:\WINDOWS\xywq.exe
C:\WINDOWS\ctzmhdjaz.exe
C:\WINDOWS\yugl.exe
C:\WINDOWS\mzmonewo.exe
C:\WINDOWS\msaqzomn.exe
C:\WINDOWS\ptlpn.exe
C:\WINDOWS\wmxm.exe
C:\WINDOWS\ouwyrvs.exe
C:\WINDOWS\uvpfkvc.exe
C:\WINDOWS\votzs.exe
C:\WINDOWS\hicszc.exe
C:\WINDOWS\cpgmbpt.exe
C:\WINDOWS\reffzsqdx.exe
C:\WINDOWS\bnzxbxtu.exe
C:\WINDOWS\ajddcn.exe
C:\WINDOWS\uzqnh.exe
C:\WINDOWS\zqakvamr.exe
C:\WINDOWS\sxugpq.exe
C:\WINDOWS\lcctzwvr.exe
C:\WINDOWS\iztcxfoi.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\webHancer\Programs\whSurvey.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Documents and Settings\Kim\Local Settings\Temporary Internet Files\Content.IE5\SP90JEP3\HijackThis[1].exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CSBrBHO - {6D0AC7F7-B628-4581-A8B2-14D97F24AA76} - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {CAC104E5-8DAB-FB4D-D3E1-717D763A33CC} - C:\WINDOWS\system32\bvgpyifr.dll (file missing)
O2 - BHO: (no name) - {CF3C2262-5BE7-48C5-A126-A134638047C8} - C:\WINDOWS\System32\fclbcatex.dll (file missing)
O2 - BHO: (no name) - {EFC185FB-1617-C901-D46E-6C3DCA2E9FFB} - C:\WINDOWS\system32\lzezjyro.dll (file missing)
O3 - Toolbar: (no name) - {A5214645-7029-4560-B58C-F681831F416D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [tst] C:\WINDOWS\tst.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [phqhnnd] C:\WINDOWS\bibuxzya.exe
O4 - HKLM\..\Run: [glfhzof] C:\WINDOWS\dgudebx.exe
O4 - HKLM\..\Run: [bnkos] C:\WINDOWS\esvwpts.exe
O4 - HKLM\..\Run: [bghnif] C:\WINDOWS\fgcmm.exe
O4 - HKLM\..\Run: [zufvv] C:\WINDOWS\kwxfxg.exe
O4 - HKLM\..\Run: [iwoiopcsv] C:\WINDOWS\zesh.exe
O4 - HKLM\..\Run: [fsbgwofqg] C:\WINDOWS\iusvyjb.exe
O4 - HKLM\..\Run: [tujjjrr] C:\WINDOWS\xlqlxwlc.exe
O4 - HKLM\..\Run: [ojpzc] C:\WINDOWS\kfqqpbboo.exe
O4 - HKLM\..\Run: [mejz] C:\WINDOWS\evdbtlgv.exe
O4 - HKLM\..\Run: [tukgu] C:\WINDOWS\xlsfqswx.exe
O4 - HKLM\..\Run: [vlmjzyii] C:\WINDOWS\rpbm.exe
O4 - HKLM\..\Run: [mdvna] C:\WINDOWS\dfdtpzp.exe
O4 - HKLM\..\Run: [fbjnjuq] C:\WINDOWS\wxjwqt.exe
O4 - HKLM\..\Run: [tnpq] C:\WINDOWS\pnwhu.exe
O4 - HKLM\..\Run: [tbkk] C:\WINDOWS\tmcj.exe
O4 - HKLM\..\Run: [kpphujora] C:\WINDOWS\kpesko.exe
O4 - HKLM\..\Run: [csmhrkcjs] C:\WINDOWS\ghoe.exe
O4 - HKLM\..\Run: [cchxntoq] C:\WINDOWS\mihl.exe
O4 - HKLM\..\Run: [jqtykzmno] C:\WINDOWS\fonfjl.exe
O4 - HKLM\..\Run: [rddvltbyq] C:\WINDOWS\vgssojj.exe
O4 - HKLM\..\Run: [lrxbyns] C:\WINDOWS\gunuprm.exe
O4 - HKLM\..\Run: [ttjovyne] C:\WINDOWS\nlcp.exe
O4 - HKLM\..\Run: [wfwnre] C:\WINDOWS\ormghjz.exe
O4 - HKLM\..\Run: [nvbgjt] C:\WINDOWS\nbpdvziqo.exe
O4 - HKLM\..\Run: [altgxg] C:\WINDOWS\hvwnklobx.exe
O4 - HKLM\..\Run: [attoci] C:\WINDOWS\kcjbp.exe
O4 - HKLM\..\Run: [gmlqv] C:\WINDOWS\xndu.exe
O4 - HKLM\..\Run: [cqoteduyb] C:\WINDOWS\jhojdik.exe
O4 - HKLM\..\Run: [xbhy] C:\WINDOWS\mmgjyo.exe
O4 - HKLM\..\Run: [ugahusij] C:\WINDOWS\dtwl.exe
O4 - HKLM\..\Run: [mfuvpyx] C:\WINDOWS\xywq.exe
O4 - HKLM\..\Run: [jupdczb] C:\WINDOWS\ctzmhdjaz.exe
O4 - HKLM\..\Run: [vgre] C:\WINDOWS\yugl.exe
O4 - HKLM\..\Run: [dbgqu] C:\WINDOWS\mzmonewo.exe
O4 - HKLM\..\Run: [jduu] C:\WINDOWS\msaqzomn.exe
O4 - HKLM\..\Run: [kmbxbhqmo] C:\WINDOWS\ptlpn.exe
O4 - HKLM\..\Run: [bevw] C:\WINDOWS\wmxm.exe
O4 - HKLM\..\Run: [pfqbodq] C:\WINDOWS\ouwyrvs.exe
O4 - HKLM\..\Run: [faznup] C:\WINDOWS\uvpfkvc.exe
O4 - HKLM\..\Run: [jhnzlg] C:\WINDOWS\votzs.exe
O4 - HKLM\..\Run: [tcida] C:\WINDOWS\hicszc.exe
O4 - HKLM\..\Run: [zkvegxp] C:\WINDOWS\cpgmbpt.exe
O4 - HKLM\..\Run: [opyu] C:\WINDOWS\reffzsqdx.exe
O4 - HKLM\..\Run: [sjcq] C:\WINDOWS\bnzxbxtu.exe
O4 - HKLM\..\Run: [pmmwllmp] C:\WINDOWS\ajddcn.exe
O4 - HKLM\..\Run: [xwasmkvew] C:\WINDOWS\uzqnh.exe
O4 - HKLM\..\Run: [nkrew] C:\WINDOWS\zqakvamr.exe
O4 - HKLM\..\Run: [vowzdbc] C:\WINDOWS\sxugpq.exe
O4 - HKLM\..\Run: [cdahvtcrh] C:\WINDOWS\lcctzwvr.exe
O4 - HKLM\..\Run: [dfewfh] C:\WINDOWS\iztcxfoi.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud16.sports....lgcst1006_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7614.5133449074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.c...abs/awaybox.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?312


#2 admin (Founder Geek, Administrator, 24,504 posts)

Hi kalbright, welcome to Geeks to Go!

Wow! It's amazing your system is still running <_< I don't think it's as bad as it looks.
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please move Hijack This to a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked (be careful not to miss any).
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
O2 - BHO: CSBrBHO - {6D0AC7F7-B628-4581-A8B2-14D97F24AA76} - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {CAC104E5-8DAB-FB4D-D3E1-717D763A33CC} - C:\WINDOWS\system32\bvgpyifr.dll (file missing)
O2 - BHO: (no name) - {CF3C2262-5BE7-48C5-A126-A134638047C8} - C:\WINDOWS\System32\fclbcatex.dll (file missing)
O2 - BHO: (no name) - {EFC185FB-1617-C901-D46E-6C3DCA2E9FFB} - C:\WINDOWS\system32\lzezjyro.dll (file missing)
O3 - Toolbar: (no name) - {A5214645-7029-4560-B58C-F681831F416D} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [tst] C:\WINDOWS\tst.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [phqhnnd] C:\WINDOWS\bibuxzya.exe
O4 - HKLM\..\Run: [glfhzof] C:\WINDOWS\dgudebx.exe
O4 - HKLM\..\Run: [bnkos] C:\WINDOWS\esvwpts.exe
O4 - HKLM\..\Run: [bghnif] C:\WINDOWS\fgcmm.exe
O4 - HKLM\..\Run: [zufvv] C:\WINDOWS\kwxfxg.exe
O4 - HKLM\..\Run: [iwoiopcsv] C:\WINDOWS\zesh.exe
O4 - HKLM\..\Run: [fsbgwofqg] C:\WINDOWS\iusvyjb.exe
O4 - HKLM\..\Run: [tujjjrr] C:\WINDOWS\xlqlxwlc.exe
O4 - HKLM\..\Run: [ojpzc] C:\WINDOWS\kfqqpbboo.exe
O4 - HKLM\..\Run: [mejz] C:\WINDOWS\evdbtlgv.exe
O4 - HKLM\..\Run: [tukgu] C:\WINDOWS\xlsfqswx.exe
O4 - HKLM\..\Run: [vlmjzyii] C:\WINDOWS\rpbm.exe
O4 - HKLM\..\Run: [mdvna] C:\WINDOWS\dfdtpzp.exe
O4 - HKLM\..\Run: [fbjnjuq] C:\WINDOWS\wxjwqt.exe
O4 - HKLM\..\Run: [tnpq] C:\WINDOWS\pnwhu.exe
O4 - HKLM\..\Run: [tbkk] C:\WINDOWS\tmcj.exe
O4 - HKLM\..\Run: [kpphujora] C:\WINDOWS\kpesko.exe
O4 - HKLM\..\Run: [csmhrkcjs] C:\WINDOWS\ghoe.exe
O4 - HKLM\..\Run: [cchxntoq] C:\WINDOWS\mihl.exe
O4 - HKLM\..\Run: [jqtykzmno] C:\WINDOWS\fonfjl.exe
O4 - HKLM\..\Run: [rddvltbyq] C:\WINDOWS\vgssojj.exe
O4 - HKLM\..\Run: [lrxbyns] C:\WINDOWS\gunuprm.exe
O4 - HKLM\..\Run: [ttjovyne] C:\WINDOWS\nlcp.exe
O4 - HKLM\..\Run: [wfwnre] C:\WINDOWS\ormghjz.exe
O4 - HKLM\..\Run: [nvbgjt] C:\WINDOWS\nbpdvziqo.exe
O4 - HKLM\..\Run: [altgxg] C:\WINDOWS\hvwnklobx.exe
O4 - HKLM\..\Run: [attoci] C:\WINDOWS\kcjbp.exe
O4 - HKLM\..\Run: [gmlqv] C:\WINDOWS\xndu.exe
O4 - HKLM\..\Run: [cqoteduyb] C:\WINDOWS\jhojdik.exe
O4 - HKLM\..\Run: [xbhy] C:\WINDOWS\mmgjyo.exe
O4 - HKLM\..\Run: [ugahusij] C:\WINDOWS\dtwl.exe
O4 - HKLM\..\Run: [mfuvpyx] C:\WINDOWS\xywq.exe
O4 - HKLM\..\Run: [jupdczb] C:\WINDOWS\ctzmhdjaz.exe
O4 - HKLM\..\Run: [vgre] C:\WINDOWS\yugl.exe
O4 - HKLM\..\Run: [dbgqu] C:\WINDOWS\mzmonewo.exe
O4 - HKLM\..\Run: [jduu] C:\WINDOWS\msaqzomn.exe
O4 - HKLM\..\Run: [kmbxbhqmo] C:\WINDOWS\ptlpn.exe
O4 - HKLM\..\Run: [bevw] C:\WINDOWS\wmxm.exe
O4 - HKLM\..\Run: [pfqbodq] C:\WINDOWS\ouwyrvs.exe
O4 - HKLM\..\Run: [faznup] C:\WINDOWS\uvpfkvc.exe
O4 - HKLM\..\Run: [jhnzlg] C:\WINDOWS\votzs.exe
O4 - HKLM\..\Run: [tcida] C:\WINDOWS\hicszc.exe
O4 - HKLM\..\Run: [zkvegxp] C:\WINDOWS\cpgmbpt.exe
O4 - HKLM\..\Run: [opyu] C:\WINDOWS\reffzsqdx.exe
O4 - HKLM\..\Run: [sjcq] C:\WINDOWS\bnzxbxtu.exe
O4 - HKLM\..\Run: [pmmwllmp] C:\WINDOWS\ajddcn.exe
O4 - HKLM\..\Run: [xwasmkvew] C:\WINDOWS\uzqnh.exe
O4 - HKLM\..\Run: [nkrew] C:\WINDOWS\zqakvamr.exe
O4 - HKLM\..\Run: [vowzdbc] C:\WINDOWS\sxugpq.exe
O4 - HKLM\..\Run: [cdahvtcrh] C:\WINDOWS\lcctzwvr.exe
O4 - HKLM\..\Run: [dfewfh] C:\WINDOWS\iztcxfoi.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.c...abs/awaybox.cab

Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\Program Files\webHancer <- this folder
C:\WINDOWS\system32\bvgpyifr.dll
C:\WINDOWS\System32\fclbcatex.dll
C:\WINDOWS\system32\lzezjyro.dll
C:\WINDOWS\System32\bridge.dll
C:\WINDOWS\tst.exe

---delete all these random filenames in the Windows folder---
C:\WINDOWS\bibuxzya.exe
C:\WINDOWS\dgudebx.exe
C:\WINDOWS\esvwpts.exe
C:\WINDOWS\fgcmm.exe
C:\WINDOWS\kwxfxg.exe
C:\WINDOWS\zesh.exe
C:\WINDOWS\iusvyjb.exe
C:\WINDOWS\xlqlxwlc.exe
C:\WINDOWS\kfqqpbboo.exe
C:\WINDOWS\evdbtlgv.exe
C:\WINDOWS\xlsfqswx.exe
C:\WINDOWS\rpbm.exe
C:\WINDOWS\dfdtpzp.exe
C:\WINDOWS\wxjwqt.exe
C:\WINDOWS\pnwhu.exe
C:\WINDOWS\tmcj.exe
C:\WINDOWS\kpesko.exe
C:\WINDOWS\ghoe.exe
C:\WINDOWS\mihl.exe
C:\WINDOWS\fonfjl.exe
C:\WINDOWS\vgssojj.exe
C:\WINDOWS\gunuprm.exe
C:\WINDOWS\nlcp.exe
C:\WINDOWS\ormghjz.exe
C:\WINDOWS\nbpdvziqo.exe
C:\WINDOWS\hvwnklobx.exe
C:\WINDOWS\kcjbp.exe
C:\WINDOWS\xndu.exe
C:\WINDOWS\jhojdik.exe
C:\WINDOWS\mmgjyo.exe
C:\WINDOWS\dtwl.exe
C:\WINDOWS\xywq.exe
C:\WINDOWS\ctzmhdjaz.exe
C:\WINDOWS\yugl.exe
C:\WINDOWS\mzmonewo.exe
C:\WINDOWS\msaqzomn.exe
C:\WINDOWS\ptlpn.exe
C:\WINDOWS\wmxm.exe
C:\WINDOWS\ouwyrvs.exe
C:\WINDOWS\uvpfkvc.exe
C:\WINDOWS\votzs.exe
C:\WINDOWS\hicszc.exe
C:\WINDOWS\cpgmbpt.exe
C:\WINDOWS\reffzsqdx.exe
C:\WINDOWS\bnzxbxtu.exe
C:\WINDOWS\ajddcn.exe
C:\WINDOWS\uzqnh.exe
C:\WINDOWS\zqakvamr.exe
C:\WINDOWS\sxugpq.exe
C:\WINDOWS\lcctzwvr.exe
C:\WINDOWS\iztcxfoi.exe
---
Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log, and let us know how your system's working. :D
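The reply above works through the log by hand: hooks whose file is missing, autorun entries pointing at random-named executables dropped straight into the Windows folder, the rundll32 loader, and the WebHancer LSP lines. The script below is an added example (not from this thread or from HijackThis) that applies those same triage heuristics to HijackThis v1.97-format lines; the sample lines are constructed in that format from entries already posted above, and the function names are my own.

```python
"""Triage helper for HijackThis v1.97-format logs (added example)."""
import re
from typing import List, Tuple

# Constructed sample in the log format quoted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CAC104E5-8DAB-FB4D-D3E1-717D763A33CC} - C:\WINDOWS\system32\bvgpyifr.dll (file missing)
O3 - Toolbar: (no name) - {A5214645-7029-4560-B58C-F681831F416D} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [phqhnnd] C:\WINDOWS\bibuxzya.exe
O4 - HKLM\..\Run: [tst] C:\WINDOWS\tst.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O10 - Hijacked Internet access by WebHancer
"""

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First drive-letter path ending in an executable/library extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|ocx)', re.IGNORECASE)
# Lowercase gibberish of the kind seen in the posted log (no digits, no words).
RANDOM_NAME_RE = re.compile(r'^[a-z]{3,10}$')


def first_path(cmd: str) -> str:
    """Return the first executable/DLL path in an autorun command line, or ''."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else ''


def is_random_windows_root_exe(value_name: str, path: str) -> bool:
    """True for an .exe sitting directly in the Windows folder (not System32,
    not Program Files) whose file name and Run value name are both gibberish."""
    parts = path.split('\\')
    if len(parts) != 3 or parts[1].upper() != 'WINDOWS':
        return False
    stem, _, ext = parts[2].rpartition('.')
    return (ext.lower() == 'exe'
            and bool(RANDOM_NAME_RE.match(stem))
            and bool(RANDOM_NAME_RE.match(value_name)))


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries worth reviewing."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Dead hooks: a CLSID is still registered but its DLL is gone.
        if line.startswith(('O2 - ', 'O3 - ')) and (
                '(no file)' in line or '(file missing)' in line):
            findings.append((line, 'BHO/toolbar registered with no backing file'))
            continue
        # Winsock LSP hijack lines are always worth a look.
        if line.startswith('O10 - Hijacked'):
            findings.append((line, 'Winsock LSP hijack'))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        name, cmd = m.group('name'), m.group('cmd')
        path = first_path(cmd)
        if cmd.lower().startswith('rundll32.exe') and path:
            findings.append((line, f'rundll32 autorun, review the DLL: {path}'))
        elif is_random_windows_root_exe(name, path):
            findings.append((line, f'random-named loader in Windows folder: {path}'))
    return findings


if __name__ == '__main__':
    for entry, reason in triage(SAMPLE_LOG):
        print(f'{reason}\n    {entry}')
```

Legitimate autoruns such as the McAfee SHSTAT.EXE entry and the Spybot SDHelper BHO pass through untouched, so the output is the short review list rather than the whole log.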

#3 kalbright (Topic Starter, 5 posts)

First, let me say THANK YOU, THANK YOU, THANK YOU!!! My system is running much better now. However, I'm not sure it is totally clean. Per your instructions, I scanned my computer again with HijackThis, and deleted everything you told me to, when I could. Two objects that appeared in my first scan (and which you told me to delete) did not show up in my second scan. They were as follows:

O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

Upon closing Hijack This I did get a message telling me to remove webhancer with Adaware, which I did.

When cleaning all of the random files out of the Windows folder, I found a lot more that look VERY suspicious and I think should be deleted, although I did not delete any of them. They have all been modified (but not by me) within the last 5 days since my problems began. They include the following applications and configuration settings:

randseed.rnd (type listed as PGP Random Seed)
prelimhanse.exe
cpr_mm2.exe
ast_4_mm.exe
cpruninst.exe
curgsi.exe
artmmp.ini
dgyjia.exe
zybly.exe
sahagent-mediamotor1001.exe
whCC-MOTOR.exe
unstall.exe.
usta32.ini
whInstaller.ini
mm30.ocx (type listed as ActiveX control)

There are also various text documents that I am not listing here.

I also was unable to delete several files from my temporary internet folder, even though they look innocuous (e.g. a gif from Walmart).

Below is a copy of my latest HijackThis log - please advise where I should go from here and whether I should delete all of the files listed above (I KNOW the sahagent and whCC-MOTOR files are problems, and had been listed in prior McAfee scans as being infected). Also, I did not empty my recycling bin just in case - I assume it is safe to do so?? Here is the log - thanks in advance for your continued help!

Logfile of HijackThis v1.97.7
Scan saved at 4:49:45 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\PGP for Windows XP\PGPservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud16.sports....lgcst1006_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7614.5133449074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?312

#4 admin (Founder Geek, Administrator, 24,504 posts)

Not all those files are bad, but some are certainly suspicious.

Please run a free online virus scan here:
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Also disable and then re-enable your System Restore to clear any restore points. Some of these files may be hidden in a restore file.

The good news is that your log is clean. So while you may have some remnants of Malware on your system, it doesn't seem to be affecting now. <_<

#5 kalbright (Topic Starter, 5 posts)

Just want to say THANK YOU again. GEEKS RULE! I did go to both websites you recommended and ran a system scan. While no viruses were found, there was indeed a trojan - Mysearchbar. Things seem to be fine with my system now. I could not have gotten back to working order without your help. I am grateful that folks like you are willing to provide such a valuable service. I will definitely send in a donation.

#6 Kat (Retired Staff, MVP, 19,711 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.