Trojan_SpyHTMLsmithfraudc[RESOLVED]


  • This topic is locked

#16
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Yeah, that's why I was asking if you followed all of the directions about smitfraud in that link... You deleted the files; now we just have to get your desktop back, which is no problem at all.

Open Notepad. Copy EVERYTHING in the code box below and paste it into a new Notepad file. Change the 'Save As Type' to "All Files" and save it as fix.reg on your desktop. Make sure there is NO blank line above REGEDIT4:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=-
"Wallpaper"=-
"NoDispBackgroundPage"=-
"NoDispAppearancePage"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-

Locate fix.reg on your desktop and double-click on it. When asked if you want to merge with the registry, click YES. After you receive the prompt "merged successfully", reboot your computer and you will now be able to change your background.
  • 0
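As an added example (not from the thread and not Michelle's own tooling), here is a small Python reviewer for a REGEDIT4 fix like the one above: it enforces the constraint she states (REGEDIT4 must be the very first line) and lists every registry operation the file performs, so you can confirm before merging that a fix only deletes the desktop-lock policy values and nothing else.

```python
"""Review a REGEDIT4 .reg fix before merging it.

Added example, not part of the thread: parses a .reg file, checks that
REGEDIT4 is the first line (no blank line above it) and lists the
operations the file performs. Multi-line hex continuations are not handled.
"""
import re

# The fix from the post above, embedded as sample input.
FIX_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=-
"Wallpaper"=-
"NoDispBackgroundPage"=-
"NoDispAppearancePage"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-
"""

SECTION_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
DEFAULT_RE = re.compile(r"^@=(?P<data>.*)$")


class RegFileError(ValueError):
    """Raised when the file would not merge the way its author intends."""


def parse_reg(text):
    """Return a list of (operation, key, value_name, data) tuples."""
    lines = text.splitlines()
    if not lines or lines[0] != "REGEDIT4":
        raise RegFileError("first line must be exactly REGEDIT4 (no blank line above it)")
    ops, key = [], None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if m := SECTION_RE.match(line):
            key = m["key"]
            if m["minus"]:                      # [-KEY] deletes the whole key
                ops.append(("delete_key", key, None, None))
                key = None
            continue
        if key is None:
            raise RegFileError(f"line {lineno}: value outside any [key] section")
        m = VALUE_RE.match(line) or DEFAULT_RE.match(line)
        if not m:
            raise RegFileError(f"line {lineno}: unrecognised line {line!r}")
        name = m.groupdict().get("name", "(Default)")
        data = m["data"]
        if data == "-":                          # "name"=- deletes the value
            ops.append(("delete_value", key, name, None))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            ops.append(("set_string", key, name, data[1:-1]))
        elif data.startswith("dword:"):
            ops.append(("set_dword", key, name, int(data[6:], 16)))
        else:
            ops.append(("set_other", key, name, data))
    return ops


def is_valid_reg(text):
    """True when the file parses and would merge as written."""
    try:
        parse_reg(text)
        return True
    except RegFileError:
        return False


def summarize(ops):
    """Group operations by key so the reviewer sees what changes where."""
    by_key = {}
    for op, key, name, value in ops:
        by_key.setdefault(key, []).append((op, name, value))
    return by_key


if __name__ == "__main__":
    for key, changes in summarize(parse_reg(FIX_REG)).items():
        print(key)
        for op, name, value in changes:
            print(f"    {op:13s} {name}" + (f" = {value!r}" if value is not None else ""))
```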

#17
Bojangles01

    Member

  • Topic Starter
  • Member
  • 18 posts
Thank you so much for this, Bananafanafo. I really appreciate your help.

My other computer is suffering the same problem, but I won't hassle you with that now... lol
  • 0

#18
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're very welcome! ;)

Hey if you need another machine cleaned feel free to post the log and I'll help you clean it too! It's no hassle :tazz:
  • 0

#19
Bojangles01

    Member

  • Topic Starter
  • Member
  • 18 posts
Hey Banana... (Hmmm, doesn't sound right lol)
Here's the log for the other computer. It's my brother's, and he knows bugger all about computers. But from what I can tell, it's quite brutal...

Logfile of HijackThis v1.99.1
Scan saved at 11:29:58 PM, on 18/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\WINDOWS\System32\?hkdsk.exe
C:\Documents and Settings\user\Application Data\euur.exe
C:\windows\ahfevwl.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\WINDOWS\system32\init32m.exe
C:\DOCUME~1\user\LOCALS~1\Temp\ACCOUN~1\DATART~1.SCR
C:\WINDOWS\System32\msswch.exe
C:\WINDOWS\system32\sdkbb.exe
C:\WINDOWS\system32\msrj32.exe
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jjubw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jjubw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jjubw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jjubw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jjubw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jjubw.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jjubw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {24E3BE10-F69B-E844-6C5C-4F99122C2344} - C:\WINDOWS\system32\netqs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B61E927A-D067-CFD1-E7D7-F23F33ADD314} - C:\WINDOWS\system32\msjo.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F3.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\F3.tmp.exe 3 10001
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [winsa.exe] C:\WINDOWS\system32\winsa.exe
O4 - HKLM\..\Run: [sdkbb.exe] C:\WINDOWS\system32\sdkbb.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [msswch] C:\WINDOWS\System32\msswch.exe
O4 - HKCU\..\Run: [Iar] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [Clts] C:\Documents and Settings\user\Application Data\euur.exe
O4 - HKCU\..\Run: [hgwspde] c:\windows\csxcprx.exe
O4 - HKCU\..\Run: [tqgpixk] c:\windows\vdysgoe.exe
O4 - HKCU\..\Run: [iwnwwbd] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [vjrslum] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [ikmypwy] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [vxkwwkq] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [fiktkfa] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [gdfqlhl] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [aspigya] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [ovelgby] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [robiynb] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [lkinnqb] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [nfieqsw] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [rgxvxgd] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [expcqjr] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [kmqquqn] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [bjncama] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [qslfoqn] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [okhwoec] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [sshthiv] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [hpvcmpa] c:\windows\ahfevwl.exe
O4 - HKCU\..\Run: [tteygpi] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [svydbou] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [hjkqsyb] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [bkvwsmg] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [rvjggmw] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [rxvmmmq] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [vutiyrj] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [fnqefcc] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [hhvntly] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [cmxdpei] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [vgwilcx] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [hoqxurw] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [qlhnwvk] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [xwjmyqc] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [pnhlptu] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [swufuah] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [qleybsx] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [qrhlhnk] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [lhxpcve] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [usciqiv] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [lgrbnff] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [fumxvef] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [cfsrvxb] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [jffxdsw] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [uxngoec] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [xxvyvff] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [yreyowx] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [nmgymxp] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [pnbesuk] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [wgvlpjd] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [mfsxtwh] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [hkbllwj] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [lenangd] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [rvittlx] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [kldqelo] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [bprwrkf] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [mfboqlw] c:\windows\dkpyeho.exe
O4 - HKCU\..\Run: [ifogqsg] c:\windows\dkpyeho.exe
O4 - HKCU\..\Run: [uonhvtb] c:\windows\kywhbyq.exe
O4 - HKCU\..\Run: [gthuvhs] c:\windows\kywhbyq.exe
O4 - HKCU\..\Run: [ywmpvir] c:\windows\ficmcqj.exe
O4 - HKCU\..\Run: [eotyimu] c:\windows\ficmcqj.exe
O4 - HKCU\..\Run: [bekldwx] c:\windows\ficmcqj.exe
O4 - HKCU\..\Run: [ucovopk] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [bundirs] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [foibfuf] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [aokonew] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [mfvoahi] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [xhcfojh] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [ciiraao] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [lpdgolh] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [kemqtoa] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [iugigem] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [mcngiif] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [ahexojl] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [updlhjw] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [qmfxhuh] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [xdjmxbg] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [vdhtniv] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [qpvigou] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [mrollch] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [kfwutjb] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [qrgqdpl] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [vfefxhu] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [sgxwiqx] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [etrkvvj] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [ysydlxo] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [imhjcse] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [pvtnagp] c:\windows\ygjeqwt.exe
O4 - HKCU\..\Run: [yxcbowm] c:\windows\ygjeqwt.exe
O4 - HKCU\..\Run: [juefpgl] c:\windows\ygjeqwt.exe
O4 - HKCU\..\Run: [jsyrxan] c:\windows\ygjeqwt.exe
O4 - HKCU\..\Run: [yleqwcv] c:\windows\ygjeqwt.exe
O4 - HKCU\..\Run: [lnytnim] c:\windows\ygjeqwt.exe
O4 - HKCU\..\Run: [ghdawrq] c:\windows\jttnrqw.exe
O4 - HKCU\..\Run: [yltuccd] c:\windows\rbegqdi.exe
O4 - HKCU\..\Run: [kxluxaw] c:\windows\jttnrqw.exe
O4 - HKCU\..\Run: [qxmekys] c:\windows\rbegqdi.exe
O4 - HKCU\..\Run: [nhvxycy] c:\windows\omxnknv.exe
O4 - HKCU\..\Run: [ewbnvdn] c:\windows\omxnknv.exe
O4 - HKCU\..\Run: [cuedtmf] c:\windows\omxnknv.exe
O4 - HKCU\..\Run: [mncuefl] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [gysnchj] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [gyvyxur] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [okokemd] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [jbsailf] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [uixavln] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [wvasgth] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [ufwnayt] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [gnvygua] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [jeeohpa] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [hsdvmqo] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [uumcjgf] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [qmvhmug] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [psavoue] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [reyvmpt] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [efsefph] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [bwwydak] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [plbeilw] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [rhpkvrl] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [sqfrhvc] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [qpgwuom] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [wydqotc] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [dtekmlx] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [xhykigi] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [khtpqdl] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [iqaqqwy] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [cdwiyrq] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [iuhjwba] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [bajwfio] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [dhrpedu] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [vuvhceo] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [dlcbxug] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [axkabsj] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [ttdcehx] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [jwieylh] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [yiyqmna] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [nxualxb] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [tbnvppo] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [fxhkfof] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [jwhrpxx] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [scgkhdb] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [ggutpre] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [frhduwi] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [ijgwdiq] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [yprjswn] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [uylcnan] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [ljfogbi] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [xlrhben] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [frfravh] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [lvylsij] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [kmdgild] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [aiakhoy] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [qxfcaja] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [hygyjin] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [ugovauh] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [vonbimm] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [oypubqm] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [dkowbxb] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [byriwpv] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [ugogbpx] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [vrdvolt] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [mctwdvu] c:\windows\csmfubs.exe
O4 - HKCU\..\Run: [rmhyirs] c:\windows\csmfubs.exe
O4 - HKCU\..\Run: [gogkcqo] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [qgyfeat] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [velhygy] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [amtpjly] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [yoogmdn] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [wrcnktm] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [eyudrgp] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [vkojamy] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [hqvkfyj] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [bytnvbs] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [vkbeiyy] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [qunlayn] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [rvxufow] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [gwssnbp] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [chfdsrp] c:\windows\jxkkatv.exe
O4 - HKCU\..\Run: [kokkcdj] c:\windows\ysrukfc.exe
O4 - HKCU\..\Run: [ficglvs] c:\windows\ysrukfc.exe
O4 - HKCU\..\Run: [nxtbpfs] c:\windows\ysrukfc.exe
O4 - HKCU\..\Run: [ahfqaer] c:\windows\ysrukfc.exe
O4 - HKCU\..\Run: [hoxdnmt] c:\windows\ysrukfc.exe
O4 - HKCU\..\Run: [uygsmqy] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [fgvrdyq] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ypldafy] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [wjnhfro] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [kxejntr] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [sdoocqj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ouojyln] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [lwoqaio] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [lxggdsp] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [snidsbs] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [tsnxgjg] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [yuirqoi] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [kdefmbn] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ahtcykm] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [niphwct] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [jxejvat] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [jbdfpnl] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [uxnrouj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [juxedlq] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [rxevaxx] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [acnowvc] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ugwywup] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [idxtglv] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ucvpiuk] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [pmebjih] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ecawbde] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [curtmed] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [oegolgy] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [vuudopl] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [hxpnpjj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [qqmtafq] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [owrmqlv] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [wrrejiw] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [yqcfsog] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [njgfxrc] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [cqywqeg] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [forrxvj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [cdivyex] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [kfvtcpj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [fiympbp] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ogbguvp] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [sbvxhjg] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [itrlbra] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [oubgboj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ytqcqbm] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [cojvycx] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [orbveem] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [huinssd] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [pxoxjys] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [kwdcnmh] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [jdoehgt] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [dnlirnd] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [sbjivod] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [taohssn] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [hrqqxas] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [fgppcyv] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [psrxcwd] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [gnnpkod] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [qcxoyxm] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [yekggig] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [pimkati] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [udttnhj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [vqrlvqa] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [gayilii] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [wvsakoq] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [bklhaav] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [feijirl] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [bqljbll] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [npplawa] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [jnlquss] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [tntakbp] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [owrlfsa] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [isdefdr] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [vwyqpvg] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ilwxlai] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [fdikbno] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [xdkodgt] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [buvgctg] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [mdaswqb] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [hdncjdm] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [myhhpno] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [dgbcovm] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [lvgfjtb] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [glckvmi] c:\windows\krsxtjo.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {8A7A35AA-A98B-4B54-A779-92EB6BF74B96} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8A7A35AA-A98B-4B54-A779-92EB6BF74B96} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymen...ild/vbiewer.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...f929022230ec0b6
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.75tz.com/codac/inst2_ax.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {C42003AC-64F5-4747-A6BF-A9D68153085F} (Vyuer Class) - http://192.168.254.1/sentry24.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\msrj32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

P.S. I'm so grateful that I plan to donate!
  • 0
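The log above shows the pattern a helper looks for by eye: one executable in c:\windows registered under dozens of randomly named HKCU Run keys, IE search settings pointed at a res:// page, and a pile of Trusted Zone additions. As an added example (not part of the thread and not HijackThis code), this Python script triages a HijackThis log for exactly those signs; the sample lines are a constructed excerpt modelled on the posted log, and the "random-looking name" rule is a heuristic chosen for this example.

```python
"""Triage a HijackThis log for the autostart pattern seen in the thread.

Added example, not HijackThis code: groups O4 Run/RunOnce entries by
target executable and flags targets that several randomly named keys
point at, lists R0/R1 settings redirected to a res:// page, collects O15
Trusted Zone additions and lists O23 services with an unknown owner.
Everything reported is a prompt for a human to check, not a verdict.
"""
import re
from collections import defaultdict

# Constructed sample modelled on a handful of lines from the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jjubw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [hgwspde] c:\windows\csxcprx.exe
O4 - HKCU\..\Run: [iwnwwbd] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [vjrslum] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [ikmypwy] c:\windows\tlkosub.exe
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<target>.+)$")
O15_RE = re.compile(r"^O15 - Trusted (?:Zone|IP range): (?P<entry>.+?)(?: \(HKLM\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def looks_random(name):
    """Heuristic (an assumption of this example): 6-8 lowercase letters,
    no digits, spaces or capitals, the shape of every hostile key in the log."""
    return re.fullmatch(r"[a-z]{6,8}", name) is not None


def target_path(cmd):
    """Reduce an O4 command line to its lowercase executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted path, arguments follow
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd).lower()
    m = re.match(r"(?i)(.+?\.(?:exe|scr|dll|com))(?:\s|$)", cmd)
    return (m.group(1) if m else cmd).lower()


def triage(text):
    """Return the findings a helper would want to look at first."""
    by_target = defaultdict(set)
    hijacks, zones, services = [], set(), []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            by_target[target_path(m["cmd"])].add(m["name"])
        elif (m := R_RE.match(line)) and m["target"].lower().startswith("res://"):
            hijacks.append(m["target"])
        elif m := O15_RE.match(line):
            zones.add(m["entry"])
        elif (m := O23_RE.match(line)) and m["owner"] == "Unknown owner":
            services.append((m["svc"], m["path"]))
    # One executable registered under several names, or under a random-looking
    # name, is the pattern that fills the O4 section of the posted log.
    clusters = {
        path: sorted(names)
        for path, names in by_target.items()
        if len(names) >= 2 or any(looks_random(n) for n in names)
    }
    return {
        "clusters": clusters,
        "hijacks": hijacks,
        "trusted_zones": sorted(zones),
        "unknown_services": services,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path, names in sorted(report["clusters"].items(), key=lambda kv: -len(kv[1])):
        print(f"{len(names):3d} autostart name(s) -> {path}: {', '.join(names)}")
    for t in report["hijacks"]:
        print("search hijack -> ", t)
    for z in report["trusted_zones"]:
        print("trusted zone  -> ", z)
    for svc, path in report["unknown_services"]:
        print("unknown-owner service ->", svc, path)
```

Run against the full log, the cluster list reproduces the Killbox file list Michelle posts in #21; the O23 check still needs a human, since legitimate drivers (the ATI poller in this log) also report an unknown owner.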

#20
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Quite brutal, indeed! It's going to take me a little while to go over that one! :tazz:
  • 0

#21
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
First, Right-Click HERE and Save As (in IE it's 'Save Target As') to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

I need you to copy all of the Killbox instructions below and paste them into Notepad and save it.

* Please download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them, then pressing CTRL + C

c:\windows\csxcprx.exe
c:\windows\vdysgoe.exe
c:\windows\tlkosub.exe
c:\windows\cfmjwmb.exe
c:\windows\ahfevwl.exe
c:\windows\krgnxng.exe
c:\windows\uceiacd.exe
c:\windows\dkpyeho.exe
c:\windows\kywhbyq.exe
c:\windows\ficmcqj.exe
c:\windows\bstjwhk.exe
c:\windows\nrbifgd.exe
c:\windows\ygjeqwt.exe
c:\windows\jttnrqw.exe
c:\windows\rbegqdi.exe
c:\windows\omxnknv.exe
c:\windows\jfsamwc.exe
c:\windows\cxqbhxq.exe
c:\windows\csmfubs.exe
c:\windows\vmnlfas.exe
c:\windows\jxkkatv.exe
c:\windows\ysrukfc.exe
c:\windows\krsxtjo.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. Click NO when it asks if you want to "Reboot Now?"
  • 0

#22
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
AFTER following the instructions in post #21, do this:

Run HiJackThis. Place a check next to the below items and click FIX CHECKED:

O4 - HKCU\..\Run: [hgwspde] c:\windows\csxcprx.exe
O4 - HKCU\..\Run: [tqgpixk] c:\windows\vdysgoe.exe
O4 - HKCU\..\Run: [iwnwwbd] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [vjrslum] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [ikmypwy] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [vxkwwkq] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [fiktkfa] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [gdfqlhl] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [aspigya] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [ovelgby] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [robiynb] c:\windows\tlkosub.exe
O4 - HKCU\..\Run: [lkinnqb] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [nfieqsw] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [rgxvxgd] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [expcqjr] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [kmqquqn] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [bjncama] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [qslfoqn] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [okhwoec] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [sshthiv] c:\windows\cfmjwmb.exe
O4 - HKCU\..\Run: [hpvcmpa] c:\windows\ahfevwl.exe
O4 - HKCU\..\Run: [tteygpi] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [svydbou] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [hjkqsyb] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [bkvwsmg] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [rvjggmw] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [rxvmmmq] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [vutiyrj] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [fnqefcc] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [hhvntly] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [cmxdpei] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [vgwilcx] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [hoqxurw] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [qlhnwvk] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [xwjmyqc] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [pnhlptu] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [swufuah] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [qleybsx] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [qrhlhnk] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [lhxpcve] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [usciqiv] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [lgrbnff] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [fumxvef] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [cfsrvxb] c:\windows\krgnxng.exe
O4 - HKCU\..\Run: [jffxdsw] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [uxngoec] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [xxvyvff] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [yreyowx] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [nmgymxp] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [pnbesuk] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [wgvlpjd] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [mfsxtwh] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [hkbllwj] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [lenangd] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [rvittlx] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [kldqelo] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [bprwrkf] c:\windows\uceiacd.exe
O4 - HKCU\..\Run: [mfboqlw] c:\windows\dkpyeho.exe
O4 - HKCU\..\Run: [ifogqsg] c:\windows\dkpyeho.exe
O4 - HKCU\..\Run: [uonhvtb] c:\windows\kywhbyq.exe
O4 - HKCU\..\Run: [gthuvhs] c:\windows\kywhbyq.exe
O4 - HKCU\..\Run: [ywmpvir] c:\windows\ficmcqj.exe
O4 - HKCU\..\Run: [eotyimu] c:\windows\ficmcqj.exe
O4 - HKCU\..\Run: [bekldwx] c:\windows\ficmcqj.exe
O4 - HKCU\..\Run: [ucovopk] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [bundirs] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [foibfuf] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [aokonew] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [mfvoahi] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [xhcfojh] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [ciiraao] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [lpdgolh] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [kemqtoa] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [iugigem] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [mcngiif] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [ahexojl] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [updlhjw] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [qmfxhuh] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [xdjmxbg] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [vdhtniv] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [qpvigou] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [mrollch] c:\windows\bstjwhk.exe
O4 - HKCU\..\Run: [kfwutjb] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [qrgqdpl] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [vfefxhu] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [sgxwiqx] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [etrkvvj] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [ysydlxo] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [imhjcse] c:\windows\nrbifgd.exe
O4 - HKCU\..\Run: [pvtnagp] c:\windows\ygjeqwt.exe
O4 - HKCU\..\Run: [yxcbowm] c:\windows\ygjeqwt.exe
O4 - HKCU\..\Run: [juefpgl] c:\windows\ygjeqwt.exe
O4 - HKCU\..\Run: [jsyrxan] c:\windows\ygjeqwt.exe
O4 - HKCU\..\Run: [yleqwcv] c:\windows\ygjeqwt.exe
O4 - HKCU\..\Run: [lnytnim] c:\windows\ygjeqwt.exe
O4 - HKCU\..\Run: [ghdawrq] c:\windows\jttnrqw.exe
O4 - HKCU\..\Run: [yltuccd] c:\windows\rbegqdi.exe
O4 - HKCU\..\Run: [kxluxaw] c:\windows\jttnrqw.exe
O4 - HKCU\..\Run: [qxmekys] c:\windows\rbegqdi.exe
O4 - HKCU\..\Run: [nhvxycy] c:\windows\omxnknv.exe
O4 - HKCU\..\Run: [ewbnvdn] c:\windows\omxnknv.exe
O4 - HKCU\..\Run: [cuedtmf] c:\windows\omxnknv.exe
O4 - HKCU\..\Run: [mncuefl] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [gysnchj] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [gyvyxur] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [okokemd] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [jbsailf] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [uixavln] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [wvasgth] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [ufwnayt] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [gnvygua] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [jeeohpa] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [hsdvmqo] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [uumcjgf] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [qmvhmug] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [psavoue] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [reyvmpt] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [efsefph] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [bwwydak] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [plbeilw] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [rhpkvrl] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [sqfrhvc] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [qpgwuom] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [wydqotc] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [dtekmlx] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [xhykigi] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [khtpqdl] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [iqaqqwy] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [cdwiyrq] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [iuhjwba] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [bajwfio] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [dhrpedu] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [vuvhceo] c:\windows\jfsamwc.exe
O4 - HKCU\..\Run: [dlcbxug] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [axkabsj] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [ttdcehx] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [jwieylh] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [yiyqmna] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [nxualxb] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [tbnvppo] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [fxhkfof] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [jwhrpxx] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [scgkhdb] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [ggutpre] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [frhduwi] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [ijgwdiq] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [yprjswn] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [uylcnan] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [ljfogbi] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [xlrhben] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [frfravh] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [lvylsij] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [kmdgild] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [aiakhoy] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [qxfcaja] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [hygyjin] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [ugovauh] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [vonbimm] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [oypubqm] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [dkowbxb] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [byriwpv] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [ugogbpx] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [vrdvolt] c:\windows\cxqbhxq.exe
O4 - HKCU\..\Run: [mctwdvu] c:\windows\csmfubs.exe
O4 - HKCU\..\Run: [rmhyirs] c:\windows\csmfubs.exe
O4 - HKCU\..\Run: [gogkcqo] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [qgyfeat] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [velhygy] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [amtpjly] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [yoogmdn] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [wrcnktm] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [eyudrgp] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [vkojamy] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [hqvkfyj] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [bytnvbs] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [vkbeiyy] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [qunlayn] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [rvxufow] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [gwssnbp] c:\windows\vmnlfas.exe
O4 - HKCU\..\Run: [chfdsrp] c:\windows\jxkkatv.exe
O4 - HKCU\..\Run: [kokkcdj] c:\windows\ysrukfc.exe
O4 - HKCU\..\Run: [ficglvs] c:\windows\ysrukfc.exe
O4 - HKCU\..\Run: [nxtbpfs] c:\windows\ysrukfc.exe
O4 - HKCU\..\Run: [ahfqaer] c:\windows\ysrukfc.exe
O4 - HKCU\..\Run: [hoxdnmt] c:\windows\ysrukfc.exe
O4 - HKCU\..\Run: [uygsmqy] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [fgvrdyq] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ypldafy] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [wjnhfro] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [kxejntr] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [sdoocqj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ouojyln] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [lwoqaio] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [lxggdsp] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [snidsbs] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [tsnxgjg] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [yuirqoi] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [kdefmbn] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ahtcykm] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [niphwct] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [jxejvat] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [jbdfpnl] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [uxnrouj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [juxedlq] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [rxevaxx] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [acnowvc] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ugwywup] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [idxtglv] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ucvpiuk] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [pmebjih] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ecawbde] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [curtmed] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [oegolgy] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [vuudopl] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [hxpnpjj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [qqmtafq] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [owrmqlv] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [wrrejiw] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [yqcfsog] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [njgfxrc] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [cqywqeg] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [forrxvj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [cdivyex] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [kfvtcpj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [fiympbp] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ogbguvp] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [sbvxhjg] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [itrlbra] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [oubgboj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ytqcqbm] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [cojvycx] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [orbveem] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [huinssd] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [pxoxjys] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [kwdcnmh] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [jdoehgt] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [dnlirnd] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [sbjivod] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [taohssn] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [hrqqxas] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [fgppcyv] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [psrxcwd] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [gnnpkod] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [qcxoyxm] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [yekggig] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [pimkati] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [udttnhj] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [vqrlvqa] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [gayilii] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [wvsakoq] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [bklhaav] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [feijirl] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [bqljbll] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [npplawa] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [jnlquss] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [tntakbp] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [owrlfsa] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [isdefdr] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [vwyqpvg] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [ilwxlai] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [fdikbno] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [xdkodgt] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [buvgctg] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [mdaswqb] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [hdncjdm] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [myhhpno] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [dgbcovm] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [lvgfjtb] c:\windows\krsxtjo.exe
O4 - HKCU\..\Run: [glckvmi] c:\windows\krsxtjo.exe


Close HiJackThis. Reboot and post a new HiJackThis log.

#23
Bojangles01

    Member

  • Topic Starter
  • 18 posts
Here we are:

Logfile of HijackThis v1.99.1
Scan saved at 2:57:39 PM, on 19/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msrj32.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\WINDOWS\system32\sdkbb.exe
C:\WINDOWS\System32\Services\{7E551CB7-8F3B-4EAB-BD28-9774F9E7EFFB}\SVCHOST.EXE
C:\WINDOWS\System32\msswch.exe
C:\WINDOWS\System32\?hkdsk.exe
C:\Documents and Settings\user\Application Data\euur.exe
C:\WINDOWS\System32\win32.exe
C:\windows\ftsvltb.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\WINDOWS\system32\init32m.exe
C:\sys.exe
C:\Documents and Settings\user\My Documents\Desktop\HijackThis.exe
C:\WINDOWS\sys5728.exe
C:\WINDOWS\System32\latest.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qlwvs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qlwvs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qlwvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qlwvs.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {24E3BE10-F69B-E844-6C5C-4F99122C2344} - C:\WINDOWS\system32\netqs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F3.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\F3.tmp.exe 3 10001
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [winsa.exe] C:\WINDOWS\system32\winsa.exe
O4 - HKLM\..\Run: [sdkbb.exe] C:\WINDOWS\system32\sdkbb.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{9A85B4EB-60B7-452C-AAE7-7955BD6AF8F3}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{7E551CB7-8F3B-4EAB-BD28-9774F9E7EFFB}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [msswch] C:\WINDOWS\System32\msswch.exe
O4 - HKCU\..\Run: [Iar] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [Clts] C:\Documents and Settings\user\Application Data\euur.exe
O4 - HKCU\..\Run: [cuedtmf] c:\windows\omxnknv.exe
O4 - HKCU\..\Run: [wmmgefu] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [hwuurtb] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [dgmskac] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [nuowvpb] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [nvpbbdt] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [xxhilew] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [ywtcplq] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [srieino] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [ycqtxbx] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [vcrxwwy] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [rlgmvlb] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [ibhhshb] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [bxtnfhq] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [guvmrgd] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [cpbtyur] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [wjsvuky] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [wybliut] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [nemolxw] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [ngwvyom] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [uwlckar] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [ewwqyto] c:\windows\jevygbp.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {8A7A35AA-A98B-4B54-A779-92EB6BF74B96} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8A7A35AA-A98B-4B54-A779-92EB6BF74B96} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymen...ild/vbiewer.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...f929022230ec0b6
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.75tz.com/codac/inst2_ax.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {C42003AC-64F5-4747-A6BF-A9D68153085F} (Vyuer Class) - http://192.168.254.1/sentry24.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O21 - SSODL: System - {FE06EAA1-A2B1-4CC1-ADE8-4F75040BD0B4} - vr_sys.dll (file missing)
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\msrj32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

I'm not actually sure if the DelDomains thing worked though. I clicked INSTALL and nothing really happened...
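An added example, not part of the thread and not code from HijackThis: a small Python triage script for a HijackThis v1.99-style log. Reading a log this long by hand is error-prone, so the script flags the patterns that make the log above suspicious: clusters of random-looking O4 Run entries that all launch the same file, IE start/search values served from a local DLL via res://, a second program chained onto the winlogon Shell= value, unknown Winsock LSP modules, O16 ActiveX downloads from a bare IP address, and O23 services whose short name begins with whitespace (the " 11F#`I" case). The sample input is constructed from lines copied out of the log above plus one benign entry for contrast; the 7-lowercase-letter naming heuristic is tuned to this log and is an assumption, not a general rule.

```python
"""Triage helper for HijackThis v1.99-style logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: lines copied from the log posted above plus one benign
# O4 entry (SynTPEnh) for contrast.  A real run reads the whole log file.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qlwvs.dll/sp.html#37049
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [F3.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\F3.tmp.exe 3 10001
O4 - HKCU\..\Run: [Iar] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [wmmgefu] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [hwuurtb] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [dgmskac] c:\windows\ftsvltb.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O16 - DPF: {C42003AC-64F5-4747-A6BF-A9D68153085F} (Vyuer Class) - http://192.168.254.1/sentry24.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\msrj32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[(.*?)\] (.*)$')
R_RE = re.compile(r'^R[0-3] - (.*?) = (.*)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(.*)$')
O10_RE = re.compile(r'^O10 - Unknown file in Winsock LSP: (.*)$')
O16_RE = re.compile(r'^O16 - DPF: (.*?) - (\S+)$')
O23_RE = re.compile(r'^O23 - Service: (.+?)(?: \((.*?)\))? - (.*?) - (.*)$')
# Assumption tuned to this log: the dropper registers itself under 7-letter
# lower-case names.  Adjust for other infections.
RANDOM_NAME = re.compile(r'^[a-z]{7}$')
IPV4 = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def exe_path(cmd):
    """Return the executable part of a Run-key command line, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    m = re.match(r'(.*?\.(?:exe|dll|com|bat|scr))(?:\s|$)', cmd, re.I)
    return (m.group(1) if m else (cmd.split() or [''])[0]).lower()


def triage(log_text):
    """Return a list of (reason, log line) pairs worth a closer look."""
    findings = []
    by_target = defaultdict(list)          # exe path -> [(entry name, line)]
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := O4_RE.match(line):
            name, target = m.group(3), exe_path(m.group(4))
            by_target[target].append((name, line))
            if '?' in target or any(ord(c) > 127 for c in target):
                findings.append(('unprintable character in path (look-alike file name)', line))
            if '\\temp\\' in target or '\\locals~1\\' in target:
                findings.append(('autorun from a temp directory', line))
        elif m := R_RE.match(line):
            if m.group(2).startswith('res://'):
                findings.append(('IE page served from a local DLL resource', line))
        elif m := F2_RE.match(line):
            extra = [t for t in m.group(1).split() if t.lower() != 'explorer.exe']
            if extra:
                findings.append(('extra program chained to Shell=: ' + ' '.join(extra), line))
        elif O10_RE.match(line):
            findings.append(('unknown Winsock LSP module (remove with an LSP-aware tool, not by deleting the file)', line))
        elif m := O16_RE.match(line):
            if IPV4.match(urlparse(m.group(2)).hostname or ''):
                findings.append(('ActiveX download from a bare IP address', line))
        elif m := O23_RE.match(line):
            short = m.group(2) or ''
            # A short name that does not survive strip() is the " 11F#`I" trick:
            # typing the name without its leading space finds nothing.
            if short != short.strip() or re.search(r'[^\w .-]', short):
                findings.append(('service short name has whitespace or odd characters: %r' % short, line))
    for target, entries in by_target.items():
        names = {n for n, _ in entries}
        if len(names) >= 2 and all(RANDOM_NAME.match(n) for n in names):
            findings.append(('%d random-looking Run entries all launch %s' % (len(names), target), entries[0][1]))
    return findings


if __name__ == '__main__':
    for reason, line in triage(SAMPLE_LOG):
        print('%-60s %s' % (reason, line))
```

The O23 check is the one that matters most for the next post: it reports the short name with repr(), so the leading space in " 11F#`I" is visible instead of being swallowed by the forum's whitespace trimming.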

#24
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You did DelDomains perfectly :tazz:

First, I need you to right click on the desktop and go to New > Folder - click on it and name it whatever you want. Locate HiJackThis.exe on the desktop, right click on it and go to "cut", then go into the folder you just made and click "paste". This is to ensure backups are saved and accessible.

Next, I need you to download LSPFix from http://www.cexx.org/lspfix.htm. Disconnect from the Internet, close all Internet Explorer windows, and run the program. Check the "I know what I'm doing" button and remove all traces of:

flsmngr.dll

Be very careful that you only remove this file otherwise you will lose Internet!

Then, go to Start->Run and type "Services.msc" (without quotes), then hit OK.
Scroll down and find the services called:

Workstation NetLogon Service (or 11F#`I)
ZESOFT

When you find them, double-click on each one. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (copy & paste!):

11F#`I

*IMPORTANT NOTE* Make sure there is a SPACE before the first "1" otherwise it won't work!

Click OK.

It should pull up information about the service, when it asks if you want to reboot now, Click NO.

Do the same thing for:

ZESOFT

When it asks if you want to reboot now click NO.

I need you to copy all of the Killbox instructions below and paste them into Notepad and save it.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

c:\windows\ftsvltb.exe
c:\windows\jjlldke.exe
c:\windows\jevygbp.exe
c:\windows\omxnknv.exe
c:\windows\ftsvltb.exe
C:\WINDOWS\System32\win32.exe
C:\Documents and Settings\user\Application Data\euur.exe
C:\WINDOWS\System32\?hkdsk.exe
C:\WINDOWS\System32\msswch.exe
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\system32\sdkbb.exe
C:\WINDOWS\system32\winsa.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\sys.exe
C:\WINDOWS\system32\msrj32.exe
C:\WINDOWS\qlwvs.dll


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. When it asks if you want to reboot now, click NO.

(I'll post the rest of the instructions in the next post otherwise it might get cut off!)

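An added example, not code from the thread or from Killbox, showing what a "Delete on Reboot" step actually queues. Windows keeps a REG_MULTI_SZ value named PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; at the next boot, before any of the listed files can be opened again, the session manager walks it in (source, destination) pairs, and an empty destination means "delete the source". MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes that value, which is the standard way to remove a file that a running process (here msrj32.exe and friends) keeps locked. Whether Killbox uses exactly this mechanism is not stated in the thread, so treat that as an assumption; the value format below is the documented Windows one. The file list is constructed from two paths in the post above.

```python
r"""What "delete on reboot" queues: PendingFileRenameOperations (added example)."""


def pending_delete_entries(paths):
    r"""Build the MULTI_SZ element list that deletes each path at next boot.
    Sources use the NT object-manager form (\??\C:\...); the empty string
    that follows each one is the 'no destination, so delete' marker."""
    entries = []
    for p in paths:
        entries.append('\\??\\' + p)
        entries.append('')
    return entries


def encode_multi_sz(entries):
    """Serialise as the registry stores it: UTF-16LE, every string
    NUL-terminated, whole list closed by one more NUL."""
    return (''.join(e + '\0' for e in entries) + '\0').encode('utf-16-le')


def decode_pending(data):
    """Parse raw REG_MULTI_SZ bytes back into (source, destination) pairs.
    Parsing by length matters here: generic 'split on double NUL' readers
    swallow the empty destination strings and mis-pair the list, which is
    exactly the entry you want to see when checking what is queued."""
    text = data.decode('utf-16-le')
    if not text.endswith('\0\0'):
        raise ValueError('not a terminated MULTI_SZ')
    items = text[:-1].split('\0')[:-1]
    return list(zip(items[0::2], items[1::2]))


def to_reg_file(entries):
    """Render a Registry Editor 5.00 fragment (hex(7) is REG_MULTI_SZ).
    Caution: merging it REPLACES whatever is already queued under that
    value, so on a real machine read and merge the live list first."""
    hexs = ','.join('%02x' % b for b in encode_multi_sz(entries))
    return ('Windows Registry Editor Version 5.00\n\n'
            '[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager]\n'
            '"PendingFileRenameOperations"=hex(7):' + hexs + '\n')


if __name__ == '__main__':
    # Constructed input: two of the locked files listed in the post above.
    queued = pending_delete_entries([r'C:\WINDOWS\system32\msrj32.exe', r'C:\sys.exe'])
    print(to_reg_file(queued))
    print(decode_pending(encode_multi_sz(queued)))
```

The round trip through decode_pending is the part worth keeping: after a tool like Killbox has scheduled deletions and before you reboot, dumping and decoding this value tells you exactly which files will go and whether a malware entry has queued a rename of its own.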

#25
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qlwvs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qlwvs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qlwvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qlwvs.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: Class - {24E3BE10-F69B-E844-6C5C-4F99122C2344} - C:\WINDOWS\system32\netqs.dll

O4 - HKLM\..\Run: [F3.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\F3.tmp.exe 3 10001
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [winsa.exe] C:\WINDOWS\system32\winsa.exe
O4 - HKLM\..\Run: [sdkbb.exe] C:\WINDOWS\system32\sdkbb.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [msswch] C:\WINDOWS\System32\msswch.exe
O4 - HKCU\..\Run: [Iar] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [Clts] C:\Documents and Settings\user\Application Data\euur.exe
O4 - HKCU\..\Run: [cuedtmf] c:\windows\omxnknv.exe
O4 - HKCU\..\Run: [wmmgefu] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [hwuurtb] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [dgmskac] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [nuowvpb] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [nvpbbdt] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [xxhilew] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [ywtcplq] c:\windows\ftsvltb.exe
O4 - HKCU\..\Run: [srieino] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [ycqtxbx] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [vcrxwwy] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [rlgmvlb] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [ibhhshb] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [bxtnfhq] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [guvmrgd] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [cpbtyur] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [wjsvuky] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [wybliut] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [nemolxw] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [ngwvyom] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [uwlckar] c:\windows\jjlldke.exe
O4 - HKCU\..\Run: [ewwqyto] c:\windows\jevygbp.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {8A7A35AA-A98B-4B54-A779-92EB6BF74B96} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8A7A35AA-A98B-4B54-A779-92EB6BF74B96} - (no file) (HKCU)

O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymen...ild/vbiewer.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...f929022230ec0b6
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.75tz.com/codac/inst2_ax.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {C42003AC-64F5-4747-A6BF-A9D68153085F} (Vyuer Class) - http://192.168.254.1/sentry24.cab

O21 - SSODL: System - {FE06EAA1-A2B1-4CC1-ADE8-4F75040BD0B4} - vr_sys.dll (file missing)


Close HiJackThis.

Whew! Finally, reboot and post a new HiJackThis log!


#26
Bojangles01

    Member

  • Topic Starter
  • 18 posts
Here we go...

Logfile of HijackThis v1.99.1
Scan saved at 12:45:47 PM, on 20/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\Services\{B436114A-3662-4513-884D-B11A8FF8ECF7}\SVCHOST.EXE
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\WINDOWS\system32\sdkbb.exe
C:\windows\jevygbp.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\WINDOWS\system32\msrj32.exe
C:\Documents and Settings\user\My Documents\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qdeue.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qdeue.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qdeue.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qdeue.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qdeue.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qdeue.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qdeue.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D004E055-EAD3-9ADC-932F-7B5098BC94CC} - C:\WINDOWS\system32\apibf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [ycrdprq] c:\windows\jevygbp.exe
O4 - HKCU\..\Run: [aqucgty] c:\windows\jevygbp.exe
O4 - HKCU\..\Run: [evtcrdq] c:\windows\jevygbp.exe
O4 - HKCU\..\Run: [ogyjscj] c:\windows\jevygbp.exe
O4 - HKCU\..\Run: [xxsrust] c:\windows\buquqlm.exe
O4 - HKCU\..\Run: [tmurqua] c:\windows\buquqlm.exe
O4 - HKCU\..\Run: [nkgajmc] c:\windows\buquqlm.exe
O4 - HKCU\..\Run: [pwjsumo] c:\windows\buquqlm.exe
O4 - HKCU\..\Run: [spuvyxh] c:\windows\buquqlm.exe
O4 - HKCU\..\Run: [mvhykkd] c:\windows\buquqlm.exe
O4 - HKCU\..\Run: [xnavvxm] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [lclyhua] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [ouxqkdu] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [bpdwmft] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [mnwqlke] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [hvgcytj] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [ygodarq] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [oqohlhw] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [yekfdnb] c:\windows\wcseina.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\msrj32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe

...

I deleted ZESOFT OK, but when I went to delete 11F#`I it said that it wasn't in the registry....

#27
Michelle (Malware Removal Goddess, Retired Staff)
11F#`I is there; you have to make sure there is a SPACE before the first 1, otherwise it won't work!

Go to Start->Run and type "Services.msc" (without quotes), then hit Ok.
Scroll down and find the service called:

Workstation NetLogon Service (or 11F#`I)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and, under the General tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (copy & paste!):

11F#`I

*IMPORTANT NOTE* Make sure there is a SPACE before the first "1" otherwise it won't work!

Click OK.

It should pull up information about the service. When it asks if you want to reboot now, click NO.

I need you to copy all of the Killbox instructions below and paste them into Notepad and save it.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

c:\windows\jevygbp.exe
c:\windows\buquqlm.exe
c:\windows\wcseina.exe
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\system32\sdkbb.exe
C:\WINDOWS\system32\msrj32.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. When it asks if you want to reboot now, click NO.

Run HiJackThis and place a check next to these items and click FIX CHECKED:

O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [ycrdprq] c:\windows\jevygbp.exe
O4 - HKCU\..\Run: [aqucgty] c:\windows\jevygbp.exe
O4 - HKCU\..\Run: [evtcrdq] c:\windows\jevygbp.exe
O4 - HKCU\..\Run: [ogyjscj] c:\windows\jevygbp.exe
O4 - HKCU\..\Run: [xxsrust] c:\windows\buquqlm.exe
O4 - HKCU\..\Run: [tmurqua] c:\windows\buquqlm.exe
O4 - HKCU\..\Run: [nkgajmc] c:\windows\buquqlm.exe
O4 - HKCU\..\Run: [pwjsumo] c:\windows\buquqlm.exe
O4 - HKCU\..\Run: [spuvyxh] c:\windows\buquqlm.exe
O4 - HKCU\..\Run: [mvhykkd] c:\windows\buquqlm.exe
O4 - HKCU\..\Run: [xnavvxm] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [lclyhua] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [ouxqkdu] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [bpdwmft] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [mnwqlke] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [hvgcytj] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [ygodarq] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [oqohlhw] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [yekfdnb] c:\windows\wcseina.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe


Close HiJackThis. Reboot and post a new HJT log.

Edited by bananafanafo, 19 May 2005 - 09:11 PM.


#28
Bojangles01 (Member, Topic Starter)
Thanks for that...
Here's the log.

Logfile of HijackThis v1.99.1
Scan saved at 12:06:24 PM, on 22/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mfcth.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\Services\{C1E411F4-4111-4EBE-8433-55B37F63571F}\SVCHOST.EXE
C:\WINDOWS\system32\atlpw.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\My Documents\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {6A7061F5-6826-16E3-8EDB-11BA52374285} - C:\WINDOWS\system32\sdkgb32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ytcovhq] c:\windows\nlkdtfn.exe
O4 - HKCU\..\Run: [guxmhjd] c:\windows\pndauug.exe
O4 - HKCU\..\Run: [etcmwuw] c:\windows\mnnxrst.exe
O4 - HKCU\..\Run: [lwrbiaa] c:\windows\hlpatls.exe
O4 - HKCU\..\Run: [cjvtjuw] c:\windows\nlkdtfn.exe
O4 - HKCU\..\Run: [nebtaep] c:\windows\pndauug.exe
O4 - HKCU\..\Run: [vifrwcn] c:\windows\mnnxrst.exe
O4 - HKCU\..\Run: [ferijgn] c:\windows\hlpatls.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\mfcth.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe

#29
Michelle (Malware Removal Goddess, Retired Staff)
We're getting closer! Slowly, but surely.

I need you to copy all of the Killbox instructions below and paste them into Notepad and save it.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

c:\windows\nlkdtfn.exe
c:\windows\pndauug.exe
c:\windows\mnnxrst.exe
c:\windows\hlpatls.exe
C:\WINDOWS\system32\sdkgb32.dll
C:\WINDOWS\emtsf.dll
C:\WINDOWS\system32\atlpw.exe
C:\WINDOWS\system32\mfcth.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. When it asks if you want to reboot now, click NO.

Run HiJackThis and place a check next to these items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {6A7061F5-6826-16E3-8EDB-11BA52374285} - C:\WINDOWS\system32\sdkgb32.dll

O4 - HKCU\..\Run: [ytcovhq] c:\windows\nlkdtfn.exe
O4 - HKCU\..\Run: [guxmhjd] c:\windows\pndauug.exe
O4 - HKCU\..\Run: [etcmwuw] c:\windows\mnnxrst.exe
O4 - HKCU\..\Run: [lwrbiaa] c:\windows\hlpatls.exe
O4 - HKCU\..\Run: [cjvtjuw] c:\windows\nlkdtfn.exe
O4 - HKCU\..\Run: [nebtaep] c:\windows\pndauug.exe
O4 - HKCU\..\Run: [vifrwcn] c:\windows\mnnxrst.exe
O4 - HKCU\..\Run: [ferijgn] c:\windows\hlpatls.exe


Close HiJackThis.

I need you to do this again, as the service is still there; please follow the instructions exactly. If it doesn't work this time, we will kill it another way :tazz:

Go to Start->Run and type "Services.msc" (without quotes), then hit Ok.
Scroll down and find the service called:

Workstation NetLogon Service (or 11F#`I)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and, under the General tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (copy & paste!):

11F#`I

*IMPORTANT NOTE* Make sure there is a SPACE before the first "1" otherwise it won't work!

Click OK.

It should pull up information about the service. When it asks if you want to reboot now, click YES.

After reboot, post another HiJackThis log.

#30
Bojangles01 (Member, Topic Starter)
Here we go...

Logfile of HijackThis v1.99.1
Scan saved at 9:59:55 PM, on 22/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\Services\{C1E411F4-4111-4EBE-8433-55B37F63571F}\SVCHOST.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\My Documents\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jpjdx.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jpjdx.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jpjdx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jpjdx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jpjdx.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jpjdx.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jpjdx.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {8A5207D6-EB86-B08D-9E2A-E13B6C96570A} - C:\WINDOWS\d3yk32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe

...

Seems that some of that stuff doesn't wanna delete! :tazz:
Evil stuff...
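The logs in this thread give enough material to turn the helper's eyeballing into a repeatable check. The script below is an added example written for this page; it is not HijackThis, Killbox, or code from any of the posts above. It parses HJT-style lines and flags the patterns the fixes here were aimed at: randomly named HKCU Run values that all launch the same binary under C:\WINDOWS, a service whose short name begins with a space and contains characters like # and ` (which is why typing the name without the space found nothing), IE search settings pointed at a res:// resource inside a DLL, and a BHO with no real name. It also carries one general check the thread never raises, an svchost.exe running from a directory other than System32, which is flagged only as something to verify. The three sample logs are trimmed excerpts of the logs posted above, used as constructed input, and respawned() diffs two of them to show what the last post is reacting to: after each delete-on-reboot pass the flagged files came back under fresh names, so deleting the listed files does not help while whatever drops them is still running. The category names and the "six to eight lowercase letters counts as random" threshold are my assumptions, not anything from the thread.

```python
"""Triage helper for HijackThis-style logs (added example; not part of
HijackThis, Killbox or the original posts). Sample logs are trimmed
excerpts of the logs in the thread, used as constructed test input."""
import re
from collections import defaultdict

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]*)\] (.+)$')
O23_RE = re.compile(r'^O23 - Service: (.+?)(?: \(([^)]*)\))? - (.+?) - (.+)$')
R_RE = re.compile(r'^R[0-3] - (.+?) = (.+)$')
O2_RE = re.compile(r'^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$')
PROC_RE = re.compile(r'^[A-Za-z]:\\.+\.exe$', re.IGNORECASE)
RANDOM_RE = re.compile(r'^[a-z]{6,8}$')            # assumed threshold: bpdwmft, ytcovhq, ...
SAFE_NAME_RE = re.compile(r'^[A-Za-z0-9_. -]+$')   # assumed shape of a sane service name
PATH_RE = re.compile(r'[a-z]:\\[^"\s<]+?\.(?:exe|dll)', re.IGNORECASE)


def triage(log_text):
    """Map finding category (names are my own) -> list of log lines worth a look."""
    findings = defaultdict(list)
    names_by_target = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)):
            _hive, _key, name, target = m.groups()
            names_by_target[target.lower()].add(name)
            if RANDOM_RE.match(name):
                findings['run_random_name'].append(line)
        elif (m := O23_RE.match(line)):
            display, short, owner, path = m.groups()
            short = display if short is None else short
            # A leading space, or # and ` in the short name, is exactly why
            # typing the name by hand (without the space) finds nothing.
            if short != short.strip() or not SAFE_NAME_RE.match(short):
                findings['service_odd_name'].append(line)
            elif owner == 'Unknown owner' and '(file missing)' in path:
                findings['service_file_missing'].append(line)
        elif (m := R_RE.match(line)):
            if m.group(2).lower().startswith('res://'):   # search UI served from a local DLL
                findings['search_res_dll'].append(line)
        elif (m := O2_RE.match(line)):
            if m.group(1).strip().lower() in ('', 'class', '(no name)'):
                findings['bho_no_name'].append(line)
        elif PROC_RE.match(line):
            directory, _, base = line.rpartition('\\')
            if base.lower() == 'svchost.exe' and directory.lower() != r'c:\windows\system32':
                findings['svchost_off_path'].append(line)   # general check, not from the thread
    for target, names in names_by_target.items():
        if len(names) >= 2:                      # several Run values, one binary
            findings['run_shared_target'].append(f'{target} <- {sorted(names)}')
    return dict(findings)


def flagged_paths(log_text):
    """Lower-cased .exe/.dll paths named in the flagged lines (assumes no spaces in them)."""
    return {p.lower() for lines in triage(log_text).values()
            for line in lines for p in PATH_RE.findall(line)}


def respawned(old_log, new_log):
    """Flagged files present in new_log but not in old_log. Non-empty after a
    delete-on-reboot pass means the dropper is still running and recreating
    its payload under fresh random names."""
    return sorted(flagged_paths(new_log) - flagged_paths(old_log))


# Constructed input: trimmed excerpts of the three logs posted in the thread.
LOG_A = r"""
O4 - HKCU\..\Run: [bpdwmft] c:\windows\wcseina.exe
O4 - HKCU\..\Run: [mnwqlke] c:\windows\wcseina.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\msrj32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""
LOG_B = r"""
C:\WINDOWS\system32\mfcth.exe
C:\WINDOWS\System32\Services\{C1E411F4-4111-4EBE-8433-55B37F63571F}\SVCHOST.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\emtsf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {6A7061F5-6826-16E3-8EDB-11BA52374285} - C:\WINDOWS\system32\sdkgb32.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [ytcovhq] c:\windows\nlkdtfn.exe
O4 - HKCU\..\Run: [guxmhjd] c:\windows\pndauug.exe
O4 - HKCU\..\Run: [cjvtjuw] c:\windows\nlkdtfn.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\mfcth.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""
LOG_C = r"""
C:\WINDOWS\System32\Services\{C1E411F4-4111-4EBE-8433-55B37F63571F}\SVCHOST.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jpjdx.dll/sp.html#37049
O2 - BHO: Class - {8A5207D6-EB86-B08D-9E2A-E13B6C96570A} - C:\WINDOWS\d3yk32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

if __name__ == '__main__':
    for label, log in (('first log', LOG_A), ('12:06 log', LOG_B), ('9:59 log', LOG_C)):
        print(label, {k: len(v) for k, v in triage(log).items()})
    print('new since 12:06 log:', respawned(LOG_B, LOG_C))
```

Run it as a script to print per-log finding counts and the files that are new in the 9:59 log relative to the 12:06 one. The heuristics are deliberately narrow, so an empty result only means none of these particular patterns is present; the HKLM RunOnce entry with a plausible-looking name, for instance, is not caught by the random-name rule and still has to be judged by its path.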