[Kat]

thakid, please refrain from trying to post 'help' in other people's threads. The advice you were giving was incomplete, and even incorrect. Stick to your thread, and let rock get your issues resolved. then, if you wish to try and learn to help others, you can join GeekU to begin training!
Thanks

[Advertisements]

ok n sorry

[thakid]

ok n sorry

[therock247uk]

1. Press Ctrl + Alt + Delete on your keyboard and select task manager select the process and end task it GLB6.tmp Then go to C:\Documents and Settings\JERIMI~1\Local Settings\Temp\ and delete GLB6.tmp or you can delete all files there.

2. Right click the folder C:\Program Files\usqwsptx and make sure its not read only, archive and hidden then delete the folder.

3. Then open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis leaving Hijackthis the only program open.

O4 - HKLM\..\Run: [QYVHYkEx] C:\PROGRA~1\usqwsptx\GMgCA4BN.exe

4. Then post a new Hijackthis log here in a reply.

[thakid]

there is no GLB6.tmp in the process area

[therock247uk]

Ok see if you can find the file and delete it.

[thakid]

I got rid of everything in my temp folder and it is not there I did a computer search for it

Edited by thakid, 13 May 2005 - 02:01 PM.

[therock247uk]

Ok do the other steps i said then post a new log.

[thakid]

ok well I tryed to get rid of the "q" folder but it said I cant so here is a new hjt log and a slience runner log -----



Logfile of HijackThis v1.99.1
Scan saved at 4:01:01 PM, on 5/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\America Online 9.0c\shellmon.exe
C:\Documents and Settings\jerimie piccola\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [QYVHYkEx] C:\PROGRA~1\usqwsptx\GMgCA4BN.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\regmech.exe /S
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0c\AOL.EXE" -b
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\jerimie piccola\Desktop\HijackThis.exe /startupscan
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\Messenger\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\Messenger\YPager.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadt...pcpowerscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...484/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe




--------------------------------------------------------------------------------------------------
"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"AOL Fast Start" = ""C:\Program Files\America Online 9.0c\AOL.EXE" -b" ["America Online, Inc."]
"HijackThis startup scan" = "C:\Documents and Settings\jerimie piccola\Desktop\HijackThis.exe /startupscan" ["Soeperman Enterprises Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"QYVHYkEx" = "C:\PROGRA~1\usqwsptx\GMgCA4BN.exe" [file not found]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\McUpdate.exe" ["McAfee, Inc"]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\McAgent.exe" ["McAfee, Inc"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"AOL Spyware Protection" = "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [null data]
"RegistryMechanic" = "C:\Program Files\Registry Mechanic\regmech.exe /S" ["PCTools"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "*b" (unwritable string) [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow! Plus\shlext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{80B24180-4EFB-11D3-A99A-00A024DDB436}" = "iolo Incinerator Properties Pages"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\incinerator.dll" ["iolo technologies, LLC"]
"{E07111B5-44B3-4DD6-B77E-1FA21F1F3A37}" = "iolo Context Defrag"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\iolo\System Mechanic 5\CONTEXTDEFRAG.DLL" ["iolo technologies, LLC"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssflwbox.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\jerimie piccola\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Scheduled Tasks:
------------------------

"McAfee.com Update Check (D6HW2R61-Owner)" -> launches: "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"]
"McAfee.com Update Check (HOME-jerimie piccola)" -> launches: "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"]
"McAfee.com Update Check (HOME-tharock)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {CLSID}\(Default) = "Yahoo! Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {CLSID}\(Default) = "Yahoo! Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\PROGRA~1\Yahoo!\Messenger\YPager.exe" ["Yahoo! Inc."]


HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
HIJACK WARNING! "DataBasePath" = "%SystemRoot%\System32\drivers\etc"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["America Online"]
AOL TopSpeed Monitor, AOL TopSpeedMonitor, "C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" ["America Online, Inc"]
McAfee Personal Firewall Service, MpfService, "C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe" ["McAfee Corporation"]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["Network Associates, Inc."]
McAfee.com VirusScan Online Realtime Engine, MCVSRte, "c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding" ["Networks Associates Technology, Inc"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

[therock247uk]

Find the folder C:\Program Files\usqwsptx right click on it and tell me the propertise if its read only or not etc.

[thakid]

it is a .exe and a dat. file and it is locked as a read only

Edited by thakid, 13 May 2005 - 02:43 PM.

[therock247uk]

1. Send all of them files in an attachment to submit here then right click them files and remove the read only part then delete the hole folder.

2. Then open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

O4 - HKLM\..\Run: [QYVHYkEx] C:\PROGRA~1\usqwsptx\GMgCA4BN.exe

3. Then post a new Hijackthis log here in a reply.

[thakid]

I gotcha now took a min sorry lol

Edited by thakid, 13 May 2005 - 03:00 PM.

[thakid]

ok I sent it to the sumbit here e-mail addy that you told me to------
when I try to get rid of it it says " make sure it is not write protected or in use "

Edited by thakid, 13 May 2005 - 03:04 PM.

[therock247uk]

Let try this then I need you to go here:
The Spy Killer Forum

*Click on "New Topic"
*Put your name, e-mail address, and this as the title: "C:\Program Files\usqwsptx\GMgCA4BN.exe
"
*Put a link to this geeks to go topic in the description box.
*Then next to the file box. at the bottom, click the "browse" button, then navigate to this file:

C:\Program Files\usqwsptx\GMgCA4BN.exe

*Press "Open".
*Click "Post".

[thakid]

ok done