Hijackthis Log [RESOLVED]


#1 Pilotman52 (Member, 10 posts)

Hey Guys,

This is my log that I just finished. I have a bunch of pop-ups, including the Aurora pop-ups that I can't seem to get rid of. I ran all the programs that were suggested to help get rid of some things, but the pop-ups never stop. Hope some of you can help.

Thanks a lot!

Logfile of HijackThis v1.99.1
Scan saved at 10:51:36 PM, on 6/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\TEMP\sdpgnu.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\m61rce7o\m61rce7o.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Star Alliance Timetable\StarUpdater.exe
C:\Program Files\m61rce7o\34198879.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\m61rce7o\m61rce7o.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\WINDOWS\system32\xbntur\qjvveusq.exe
c:\windows\system32\zwgoba.exe
C:\WINDOWS\system32\nrxptiiq\psiy.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Patricio\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [pimilb] C:\WINDOWS\system32\hqvh\pimilb.exe
O4 - HKLM\..\Run: [edfy] C:\WINDOWS\system32\xfwfxy\edfy.exe
O4 - HKLM\..\Run: [fhgchlx] C:\WINDOWS\system32\bpebqm\fhgchlx.exe
O4 - HKLM\..\Run: [qtdobulv] C:\WINDOWS\system32\yvweos\qtdobulv.exe
O4 - HKLM\..\Run: [oqggvd] C:\WINDOWS\system32\gmbwycoo\oqggvd.exe
O4 - HKLM\..\Run: [yrluaher] C:\WINDOWS\system32\hkouum\yrluaher.exe
O4 - HKLM\..\Run: [jmrs] C:\WINDOWS\system32\vnlwel\jmrs.exe
O4 - HKLM\..\Run: [skyhn] C:\WINDOWS\TEMP\sdpgnu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wovsykus] C:\WINDOWS\system32\opwlyp\wovsykus.exe
O4 - HKLM\..\Run: [qvmggiq] C:\WINDOWS\system32\rieap\qvmggiq.exe
O4 - HKLM\..\Run: [lydofv] C:\WINDOWS\system32\kkdi\lydofv.exe
O4 - HKLM\..\Run: [Windows Hosts File] WindowsHosts.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [2s4S35l] rmokman.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [oudxijxc] C:\WINDOWS\system32\veagsx\oudxijxc.exe
O4 - HKLM\..\Run: [m61rce7o] C:\Program Files\m61rce7o\m61rce7o.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [fedwbesv] C:\WINDOWS\system32\glmy\fedwbesv.exe
O4 - HKLM\..\Run: [clotoqdw] C:\WINDOWS\system32\clmy\clotoqdw.exe
O4 - HKLM\..\Run: [dkxqvc] C:\WINDOWS\system32\ikmb\dkxqvc.exe
O4 - HKLM\..\Run: [hgrb] C:\WINDOWS\system32\pjciqaej\hgrb.exe
O4 - HKLM\..\Run: [catrnbh] C:\WINDOWS\system32\ckyes\catrnbh.exe
O4 - HKLM\..\Run: [fdfcv] C:\WINDOWS\system32\jhxn\fdfcv.exe
O4 - HKLM\..\Run: [ywuq] C:\WINDOWS\system32\fpspvupu\ywuq.exe
O4 - HKLM\..\Run: [mftqfp] C:\WINDOWS\system32\nruha\mftqfp.exe
O4 - HKLM\..\Run: [ipjkm] C:\WINDOWS\system32\argx\ipjkm.exe
O4 - HKLM\..\Run: [qjvveusq] C:\WINDOWS\system32\xbntur\qjvveusq.exe
O4 - HKLM\..\Run: [SkyH2] C:\WINDOWS\TEMP\aqcap.exe
O4 - HKLM\..\Run: [xgrwfv] c:\windows\system32\zwgoba.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\blxqhqsu.exe
O4 - HKLM\..\Run: [psiy] C:\WINDOWS\system32\nrxptiiq\psiy.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Xgqzfl] C:\WINDOWS\system32\m?config.exe
O4 - HKCU\..\Run: [JBv2RRJFW] remwselc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: StarUpdater.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0002.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: clotoqdwclmy - Unknown owner - C:\WINDOWS\system32\clmy\clotoqdw.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: fhgchlxbpebqm - Unknown owner - C:\WINDOWS\system32\bpebqm\fhgchlx.exe
O23 - Service: hgrbpjciqaej - Unknown owner - C:\WINDOWS\system32\pjciqaej\hgrb.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: oqggvdgmbwycoo - Unknown owner - C:\WINDOWS\system32\gmbwycoo\oqggvd.exe
O23 - Service: pimilbhqvh - Unknown owner - C:\WINDOWS\system32\hqvh\pimilb.exe
O23 - Service: psiynrxptiiq - Unknown owner - C:\WINDOWS\system32\nrxptiiq\psiy.exe
O23 - Service: qjvveusqxbntur - Unknown owner - C:\WINDOWS\system32\xbntur\qjvveusq.exe
O23 - Service: qvmggiqrieap - Unknown owner - C:\WINDOWS\system32\rieap\qvmggiq.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: spistpmbphfvg - Unknown owner - C:\WINDOWS\system32\bphfvg\spistpm.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: wovsykusopwlyp - Unknown owner - C:\WINDOWS\system32\opwlyp\wovsykus.exe

#2 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)

Hi Pilotman52 and welcome to GeeksToGo! My name is Excal and I will be helping you.

If you still need help, please post a fresh Hijack log so I can help you with your Malware Problems.

:tazz:

Excal

#3 Pilotman52 (Topic Starter, Member, 10 posts)

Hey Excal, thanks for your help!

Here's my newest scan for you:

Logfile of HijackThis v1.99.1
Scan saved at 11:04:45 PM, on 6/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\xbntur\qjvveusq.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\pjciqaej\hgrb.exe
C:\WINDOWS\system32\pjciqaej\hgrb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\bphfvg\spistpm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\ckyes\catrnbh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\fpspvupu\ywuq.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\m61rce7o\m61rce7o.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ikmb\dkxqvc.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\jhxn\fdfcv.exe
C:\WINDOWS\system32\argx\ipjkm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\m?config.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\windows\system32\oeigbz.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Star Alliance Timetable\StarUpdater.exe
C:\Program Files\m61rce7o\34198879.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\m61rce7o\m61rce7o.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\vidctrl\vidctrl.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Patricio\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [pimilb] C:\WINDOWS\system32\hqvh\pimilb.exe
O4 - HKLM\..\Run: [edfy] C:\WINDOWS\system32\xfwfxy\edfy.exe
O4 - HKLM\..\Run: [fhgchlx] C:\WINDOWS\system32\bpebqm\fhgchlx.exe
O4 - HKLM\..\Run: [qtdobulv] C:\WINDOWS\system32\yvweos\qtdobulv.exe
O4 - HKLM\..\Run: [oqggvd] C:\WINDOWS\system32\gmbwycoo\oqggvd.exe
O4 - HKLM\..\Run: [yrluaher] C:\WINDOWS\system32\hkouum\yrluaher.exe
O4 - HKLM\..\Run: [jmrs] C:\WINDOWS\system32\vnlwel\jmrs.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wovsykus] C:\WINDOWS\system32\opwlyp\wovsykus.exe
O4 - HKLM\..\Run: [qvmggiq] C:\WINDOWS\system32\rieap\qvmggiq.exe
O4 - HKLM\..\Run: [lydofv] C:\WINDOWS\system32\kkdi\lydofv.exe
O4 - HKLM\..\Run: [Windows Hosts File] WindowsHosts.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [2s4S35l] rmokman.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [oudxijxc] C:\WINDOWS\system32\veagsx\oudxijxc.exe
O4 - HKLM\..\Run: [m61rce7o] C:\Program Files\m61rce7o\m61rce7o.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [fedwbesv] C:\WINDOWS\system32\glmy\fedwbesv.exe
O4 - HKLM\..\Run: [clotoqdw] C:\WINDOWS\system32\clmy\clotoqdw.exe
O4 - HKLM\..\Run: [dkxqvc] C:\WINDOWS\system32\ikmb\dkxqvc.exe
O4 - HKLM\..\Run: [hgrb] C:\WINDOWS\system32\pjciqaej\hgrb.exe
O4 - HKLM\..\Run: [catrnbh] C:\WINDOWS\system32\ckyes\catrnbh.exe
O4 - HKLM\..\Run: [fdfcv] C:\WINDOWS\system32\jhxn\fdfcv.exe
O4 - HKLM\..\Run: [ywuq] C:\WINDOWS\system32\fpspvupu\ywuq.exe
O4 - HKLM\..\Run: [mftqfp] C:\WINDOWS\system32\nruha\mftqfp.exe
O4 - HKLM\..\Run: [ipjkm] C:\WINDOWS\system32\argx\ipjkm.exe
O4 - HKLM\..\Run: [qjvveusq] C:\WINDOWS\system32\xbntur\qjvveusq.exe
O4 - HKLM\..\Run: [SkyH2] C:\WINDOWS\TEMP\aqcap.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\blxqhqsu.exe
O4 - HKLM\..\Run: [psiy] C:\WINDOWS\system32\nrxptiiq\psiy.exe
O4 - HKLM\..\Run: [spistpm] C:\WINDOWS\system32\bphfvg\spistpm.exe
O4 - HKLM\..\Run: [ppbnonm] c:\windows\system32\oeigbz.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Xgqzfl] C:\WINDOWS\system32\m?config.exe
O4 - HKCU\..\Run: [JBv2RRJFW] remwselc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: StarUpdater.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0002.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: clotoqdwclmy - Unknown owner - C:\WINDOWS\system32\clmy\clotoqdw.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: fhgchlxbpebqm - Unknown owner - C:\WINDOWS\system32\bpebqm\fhgchlx.exe
O23 - Service: hgrbpjciqaej - Unknown owner - C:\WINDOWS\system32\pjciqaej\hgrb.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: oqggvdgmbwycoo - Unknown owner - C:\WINDOWS\system32\gmbwycoo\oqggvd.exe
O23 - Service: pimilbhqvh - Unknown owner - C:\WINDOWS\system32\hqvh\pimilb.exe
O23 - Service: psiynrxptiiq - Unknown owner - C:\WINDOWS\system32\nrxptiiq\psiy.exe
O23 - Service: qjvveusqxbntur - Unknown owner - C:\WINDOWS\system32\xbntur\qjvveusq.exe
O23 - Service: qvmggiqrieap - Unknown owner - C:\WINDOWS\system32\rieap\qvmggiq.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: spistpmbphfvg - Unknown owner - C:\WINDOWS\system32\bphfvg\spistpm.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: wovsykusopwlyp - Unknown owner - C:\WINDOWS\system32\opwlyp\wovsykus.exe

Pilotman52

#4 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)

Hi Pilotman52 and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This may be a few-step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of on the desktop. This is required because HijackThis will create backups and we don't want them to be deleted.


Download the Host Here
(Do not use either program yet)

Download and install CleanUp! Here
We will use this program later.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Go to Start->Run and type in services.msc and hit OK. Then look for clotoqdwclmy and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Do the same with the following services:

fhgchlxbpebqm
hgrbpjciqaej
oqggvdgmbwycoo
pimilbhqvh
psiynrxptiiq
qjvveusqxbntur
qvmggiqrieap
spistpmbphfvg
wovsykusopwlyp


4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 216.39.69.102 view.atdmt.com
O4 - HKLM\..\Run: [pimilb] C:\WINDOWS\system32\hqvh\pimilb.exe
O4 - HKLM\..\Run: [edfy] C:\WINDOWS\system32\xfwfxy\edfy.exe
O4 - HKLM\..\Run: [fhgchlx] C:\WINDOWS\system32\bpebqm\fhgchlx.exe
O4 - HKLM\..\Run: [qtdobulv] C:\WINDOWS\system32\yvweos\qtdobulv.exe
O4 - HKLM\..\Run: [oqggvd] C:\WINDOWS\system32\gmbwycoo\oqggvd.exe
O4 - HKLM\..\Run: [yrluaher] C:\WINDOWS\system32\hkouum\yrluaher.exe
O4 - HKLM\..\Run: [jmrs] C:\WINDOWS\system32\vnlwel\jmrs.exe
O4 - HKLM\..\Run: [wovsykus] C:\WINDOWS\system32\opwlyp\wovsykus.exe
O4 - HKLM\..\Run: [qvmggiq] C:\WINDOWS\system32\rieap\qvmggiq.exe
O4 - HKLM\..\Run: [lydofv] C:\WINDOWS\system32\kkdi\lydofv.exe
O4 - HKLM\..\Run: [Windows Hosts File] WindowsHosts.exe
O4 - HKLM\..\Run: [2s4S35l] rmokman.exe
O4 - HKLM\..\Run: [oudxijxc] C:\WINDOWS\system32\veagsx\oudxijxc.exe
O4 - HKLM\..\Run: [m61rce7o] C:\Program Files\m61rce7o\m61rce7o.exe
O4 - HKLM\..\Run: [fedwbesv] C:\WINDOWS\system32\glmy\fedwbesv.exe
O4 - HKLM\..\Run: [clotoqdw] C:\WINDOWS\system32\clmy\clotoqdw.exe
O4 - HKLM\..\Run: [dkxqvc] C:\WINDOWS\system32\ikmb\dkxqvc.exe
O4 - HKLM\..\Run: [hgrb] C:\WINDOWS\system32\pjciqaej\hgrb.exe
O4 - HKLM\..\Run: [catrnbh] C:\WINDOWS\system32\ckyes\catrnbh.exe
O4 - HKLM\..\Run: [fdfcv] C:\WINDOWS\system32\jhxn\fdfcv.exe
O4 - HKLM\..\Run: [ywuq] C:\WINDOWS\system32\fpspvupu\ywuq.exe
O4 - HKLM\..\Run: [mftqfp] C:\WINDOWS\system32\nruha\mftqfp.exe
O4 - HKLM\..\Run: [ipjkm] C:\WINDOWS\system32\argx\ipjkm.exe
O4 - HKLM\..\Run: [qjvveusq] C:\WINDOWS\system32\xbntur\qjvveusq.exe
O4 - HKLM\..\Run: [SkyH2] C:\WINDOWS\TEMP\aqcap.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\blxqhqsu.exe
O4 - HKLM\..\Run: [psiy] C:\WINDOWS\system32\nrxptiiq\psiy.exe
O4 - HKLM\..\Run: [spistpm] C:\WINDOWS\system32\bphfvg\spistpm.exe
O4 - HKLM\..\Run: [ppbnonm] c:\windows\system32\oeigbz.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKCU\..\Run: [Xgqzfl] C:\WINDOWS\system32\m?config.exe
O4 - HKCU\..\Run: [JBv2RRJFW] remwselc.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia...ll/pcs_0002.exe
O23 - Service: clotoqdwclmy - Unknown owner - C:\WINDOWS\system32\clmy\clotoqdw.exe
O23 - Service: fhgchlxbpebqm - Unknown owner - C:\WINDOWS\system32\bpebqm\fhgchlx.exe
O23 - Service: hgrbpjciqaej - Unknown owner - C:\WINDOWS\system32\pjciqaej\hgrb.exe
O23 - Service: oqggvdgmbwycoo - Unknown owner - C:\WINDOWS\system32\gmbwycoo\oqggvd.exe
O23 - Service: pimilbhqvh - Unknown owner - C:\WINDOWS\system32\hqvh\pimilb.exe
O23 - Service: psiynrxptiiq - Unknown owner - C:\WINDOWS\system32\nrxptiiq\psiy.exe
O23 - Service: qjvveusqxbntur - Unknown owner - C:\WINDOWS\system32\xbntur\qjvveusq.exe
O23 - Service: qvmggiqrieap - Unknown owner - C:\WINDOWS\system32\rieap\qvmggiq.exe
O23 - Service: spistpmbphfvg - Unknown owner - C:\WINDOWS\system32\bphfvg\spistpm.exe
O23 - Service: wovsykusopwlyp - Unknown owner - C:\WINDOWS\system32\opwlyp\wovsykus.exe

Optional
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe <------ViewMgr.exe is an advertising program by Viewpoint. This process monitors your browsing habits and distributes the data back to the authors.
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) <-----WeatherBug – This program is considered adware. If you didn't install this yourself, uninstall it. If you did install it yourself, you may keep it and ignore any fixes or deletions listed below.


7. Click the Fix Checked box.

8. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

9. Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Viewpoint Manager <-----Optional See above
WeatherBug <-----Optional See above


10. Please remove the following folders using Windows Explorer (if present):

Be sure to NOT delete the System 32 Folder. ONLY delete these folders WITHIN the Sys 32 folder.

C:\WINDOWS\system32\xbntur
C:\WINDOWS\system32\pjciqaej
C:\WINDOWS\system32\bphfvg
C:\WINDOWS\system32\ckyes
C:\WINDOWS\system32\fpspvupu
C:\Program Files\m61rce7o
C:\WINDOWS\system32\ikmb
C:\WINDOWS\system32\jhxn
C:\WINDOWS\system32\argx
C:\WINDOWS\system32\nsvsvc
C:\WINDOWS\system32\vidctrl
C:\WINDOWS\system32\hqvh
C:\WINDOWS\system32\xfwfxy
C:\WINDOWS\system32\bpebqm
C:\WINDOWS\system32\yvweos
C:\WINDOWS\system32\gmbwycoo
C:\WINDOWS\system32\hkouum
C:\WINDOWS\system32\vnlwel
C:\WINDOWS\system32\opwlyp
C:\WINDOWS\system32\rieap
C:\WINDOWS\system32\kkdi
C:\WINDOWS\system32\veagsx
C:\WINDOWS\system32\glmy
C:\WINDOWS\system32\clmy
C:\WINDOWS\system32\ikmb
C:\WINDOWS\system32\pjciqaej
C:\WINDOWS\system32\ckyes
C:\WINDOWS\system32\jhxn
C:\WINDOWS\system32\fpspvupu
C:\WINDOWS\system32\nruha
C:\WINDOWS\system32\argx
C:\WINDOWS\system32\xbntur
C:\WINDOWS\system32\nrxptiiq
C:\WINDOWS\system32\bphfvg
C:\WINDOWS\system32\vidctrl
C:\Program Files\Viewpoint <-----Optional See above
C:\Program Files\AWS <-----Optional See above



11. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\system32\m?config.exe <-----Ensure it's this file and only this file
c:\windows\system32\oeigbz.exe
C:\WINDOWS\system32\blxqhqsu.exe
c:\windows\system32\oeigbz.exe
remwselc.exe <------ Start>search for this one
rmokman.exe <------ Start>search for this one


12. Open up the Host program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click Back up Host files
  • Then click Restore original host files
  • Close the program
13. Run the program CleanUp! Reboot in normal mode.

14. Run this online virus scan: ActiveScan - Save the results from the scan!

15. Reboot in normal mode and please post an ActiveScan log and a fresh HijackThis log to verify all is good. Ensure you rehide your “hidden files and folders” back to the way they were.

Edited by Excalibur190, 10 June 2005 - 11:05 PM.

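The selection above can be read as detection logic. This Python script is an added example, not part of the thread and not from HijackThis: it parses the O4 (autostart) and O23 (service) lines of a HijackThis log and flags the patterns the helper picked out by hand: binaries in randomly named system32 subfolders, autostarts from TEMP, bare filenames with no path, and the same binary registered both as a Run entry and as a service. The sample lines are a constructed subset copied from this thread's log, and the small allowlist of known-good system32 subfolders is an assumption.

```python
"""Triage helper for HijackThis v1.99-style logs (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the thread's log, plus legitimate
# Symantec, Intel, Sonic DLA, Lexmark and Broadcom entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [pimilb] C:\WINDOWS\system32\hqvh\pimilb.exe
O4 - HKLM\..\Run: [skyhn] C:\WINDOWS\TEMP\sdpgnu.exe
O4 - HKLM\..\Run: [2s4S35l] rmokman.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: StarUpdater.exe.lnk = ?
O23 - Service: pimilbhqvh - Unknown owner - C:\WINDOWS\system32\hqvh\pimilb.exe
O23 - Service: spistpmbphfvg - Unknown owner - C:\WINDOWS\system32\bphfvg\spistpm.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# O4 lines without a [name] block (e.g. "O4 - Startup: ....lnk = ?") do not match.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First token of an autostart command: an optionally quoted path ending in .exe.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
# An executable sitting in exactly one subfolder below system32 (lower-cased input).
SUB32_RE = re.compile(r"^c:\\windows\\system32\\(?P<sub>[^\\]+)\\[^\\]+\.exe$")
TEMP_PREFIX = "c:\\windows\\temp\\"
# Assumed allowlist: system32 subfolders the helper in the thread left alone
# (dla = Sonic DLA) plus the standard WMI folder. Illustrative, not exhaustive.
KNOWN_GOOD_SUBFOLDERS = {"dla", "wbem"}


@dataclass
class Finding:
    kind: str                 # "O4" (autostart) or "O23" (service)
    name: str                 # Run value name or service name as logged
    path: str                 # executable path as logged
    owner: str = ""           # O23 vendor string, e.g. "Unknown owner"
    reasons: list = field(default_factory=list)


def path_reasons(path: str) -> list:
    """Location-based reasons a binary deserves a second look."""
    p = path.lower()
    if "\\" not in p:
        return ["bare filename with no path"]
    if p.startswith(TEMP_PREFIX):
        return ["autostart from the TEMP folder"]
    m = SUB32_RE.match(p)
    if m and m.group("sub") not in KNOWN_GOOD_SUBFOLDERS:
        return [f"runs from system32 subfolder '{m.group('sub')}'"]
    return []


def triage(log_text: str) -> list:
    """Parse O4/O23 lines and return only the entries worth a closer look."""
    runs, services = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = EXE_RE.match(m.group("cmd"))
            if exe:
                runs.append(Finding("O4", m.group("name"), exe.group("path")))
        elif m := O23_RE.match(line):
            services.append(Finding("O23", m.group("name"), m.group("path"),
                                    owner=m.group("owner")))
    run_paths = {r.path.lower() for r in runs}
    service_paths = {s.path.lower() for s in services}
    findings = []
    for f in runs + services:
        f.reasons = path_reasons(f.path)
        # The pattern in this log: every rogue service also has a Run entry
        # for the same binary, so either one alone would bring it back.
        twin = service_paths if f.kind == "O4" else run_paths
        if f.path.lower() in twin:
            f.reasons.append("same binary is both a Run entry and a service")
        # "Unknown owner" alone is not enough (WLTRYSVC is a legitimate
        # Broadcom service), so it only strengthens an existing finding.
        if f.reasons and f.owner == "Unknown owner":
            f.reasons.append("service has no registered vendor")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.path}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run against a full log, the output is a shortlist to verify by hand, not a removal list; legitimate software in odd locations will still need a human decision.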

#5 Pilotman52 (Topic Starter, Member, 10 posts)

Here's my ActiveScan Log:


Incident Status Location

Adware:Adware/Aurora No disinfected c:\windows\system32\yqfcwtp.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.008
Adware:Adware/DelFinMedia No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\DealHelper
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/SideStep No disinfected C:\Documents and Settings\Patricio\Start Menu\Programs\SideStep
Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/BroadcastPC No disinfected C:\Program Files\BPT
Adware:Adware/ESyndicate No disinfected Windows Registry
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINDOWS\system32\Free LapTop Computer.ico
Adware:Adware/SearchTheWeb No disinfected Windows Registry
Adware:Adware/ValueAd No disinfected C:\WINDOWS\system32\F?nts
Adware:Adware/Aurora No disinfected C:\WINDOWS\nail.exe
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\LocalService\Application Data\osoa.exe
Adware:Adware/SideStep No disinfected C:\Documents and Settings\Patricio\Desktop\SideStep.lnk
Adware:Adware/SideStep No disinfected C:\Documents and Settings\Patricio\Start Menu\SideStep.lnk
Adware:Adware/BroadcastPC No disinfected C:\Program Files\Common Files\Java\bpcv2_inst.exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\125E71FF-E137-402E-992B-031872\5DC34ED2-7BE9-4F26-8806-3A0B16
Adware:Adware/Transponder No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\84D77CBB-D2A9-4B9C-B878-C54A84\07F9D2D2-D6FB-4925-8510-AFCD70
Adware:Adware/Transponder No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\84D77CBB-D2A9-4B9C-B878-C54A84\4A212510-204C-48C9-9789-BE540F
Adware:Adware/Transponder No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\84D77CBB-D2A9-4B9C-B878-C54A84\81252500-6633-4ADB-B16C-67563E
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\0A9788B8-413F-4DFB-B4EC-63C4B0
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\0FAECE02-C0FB-40CA-9DA5-C42EB0
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\1210524A-A705-4798-9886-DA0661
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\1A68F87A-3401-4D4A-A183-16B9FF
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\258DB767-B19C-4B6F-914E-C269F3
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\51854DFB-5731-4817-927C-951841
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\55D6882E-D4F4-4BEE-AFB8-7AC480
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\5AF470DD-DE9F-4BF6-BEF0-E0E09C
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\610E4523-9F2F-4547-8C5C-A9CBD9
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\63B8F763-CBE4-4025-927B-BEC2DE
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\65D556FA-4A1C-4E2D-BEEA-FB8DF6
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\73A0E14C-E74A-44B2-B950-D01D37
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\766384D6-0F1B-443B-B053-065B7B
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\80C74A0D-5F95-4AD5-8408-C50371
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\9FC66C8D-BA58-4BB0-B8B6-A592CB
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\AD8ED410-210D-47FC-971F-862BB5
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\AF697B4A-0E8A-49AC-9648-536E71
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\BFBC73A3-7886-43A2-A996-25A9BE
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\C036B02C-6D05-496B-851C-40C137
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\C4536194-B444-4BA5-910D-20C6E0
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\C4D42BFB-5D72-4083-85FD-D8802F
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\C609F819-5A8E-4384-A1F7-CBD119
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\CA3D408C-1980-4975-A385-612D98
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\CBE8AA3D-660E-4601-A4F1-5A9083
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\CFAE509F-D864-438F-B798-8B0281
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\D10BA9A2-A8F2-4E86-B28D-243FF8
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\D1586FD2-5564-4D50-B882-B478F4
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\DDF8C0BC-5A9A-4808-8A46-BE51D8
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\E55479B2-F708-45F1-ACE8-5B00AD
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\E8E673FA-A007-4213-B868-862529
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\EB18E19A-4C72-436F-9C67-BD29FC
Adware:Adware/Aurora No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8B8A8709-A84D-4B25-B403-D5A7EF\FCFFA950-6C37-4CA0-8679-BABFC1
Adware:Adware/Transponder No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B1184FA1-A455-4596-9A40-10D807\46AB3945-E6FE-4B1A-A96E-594951
Adware:Adware/Transponder No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B1184FA1-A455-4596-9A40-10D807\6CAE74E1-D24E-4430-B6AD-6C21B3
Adware:Adware/Transponder No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B1184FA1-A455-4596-9A40-10D807\A58FFB82-A13C-4E01-A519-BCAA05
Adware:Adware/Transponder No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B1184FA1-A455-4596-9A40-10D807\B819BDC0-A2B7-4055-8239-596A9D
Adware:Adware/Transponder No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B1184FA1-A455-4596-9A40-10D807\C4374FD1-857F-4D45-8161-A66E77
Adware:Adware/DealHelper No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D38C88D5-39F4-42D8-9772-C04B29\43B7AE08-B7CC-4D77-8A3A-66BC3D
Adware:Adware/DealHelper No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D38C88D5-39F4-42D8-9772-C04B29\459F2038-6544-481F-93FD-9988F8
Adware:Adware/DealHelper No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D38C88D5-39F4-42D8-9772-C04B29\BD574608-81B8-4DC4-A109-EAA096
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\icont.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\Nail.exe
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\sskb5.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\svcproc.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UpdInst.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\70tovmto.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\abasa5jrp.ini
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\SYSTEM32\Cache\EDow_AS2.exe
Virus:Trj/Multidropper.UO Disinfected C:\WINDOWS\SYSTEM32\Cache\Kyongju.exe
Virus:Trj/Small.GZ Disinfected C:\WINDOWS\SYSTEM32\Cache\omi.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\Cache\pop.exe
Virus:Trj/CPR.A Disinfected C:\WINDOWS\SYSTEM32\Cache\setup.exe
Virus:Trj/Downloader.BJF Disinfected C:\WINDOWS\SYSTEM32\Cache\skh2.exe
Adware:Adware/ILookup No disinfected C:\WINDOWS\SYSTEM32\Cache\trgen_fran-162813.exe
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\SYSTEM32\docore.dll
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\SYSTEM32\dosync.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\DrPMon.dll
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM32\egrpikv.exe
Adware:Adware/Alwaysupdatednews No disinfected C:\WINDOWS\SYSTEM32\Free LapTop Computer.ico
Adware:Adware/Alwaysupdatednews No disinfected C:\WINDOWS\SYSTEM32\Free Picture iPod.ico
Adware:Adware/Alwaysupdatednews No disinfected C:\WINDOWS\SYSTEM32\Free Sony Playstation.ico
Adware:Adware/Alwaysupdatednews No disinfected C:\WINDOWS\SYSTEM32\Free U2 iPod.ico
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\goldnew2b.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\hochkaod3.ini
Adware:Adware/BroadcastPC No disinfected C:\WINDOWS\SYSTEM32\jhqjlrv.exe
Virus:Trj/Downloader.BVH Disinfected C:\WINDOWS\SYSTEM32\orehde.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\Poller.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM32\rqojfecu.exe
Virus:Trj/Downloader.AZI Disinfected C:\WINDOWS\SYSTEM32\SSK_B5 Verticlick 5.EXE
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM32\t2_667279.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\u6f6uftuc.ini
Adware:Adware/BroadcastPC No disinfected C:\WINDOWS\SYSTEM32\umbr.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM32\Uninstaller.exe
Virus:Trj/Dropper.DA Disinfected C:\WINDOWS\SYSTEM32\ventura5.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\SYSTEM32\winupdt.008
Adware:Adware/Aurora No disinfected C:\WINDOWS\SYSTEM32\yqfcwtp.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\vumvfp.exe


Here's my Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:28:09 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\windows\system32\yqfcwtp.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Star Alliance Timetable\StarUpdater.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Documents and Settings\Patricio\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [m61rce7o] C:\Program Files\m61rce7o\m61rce7o.exe
O4 - HKLM\..\Run: [crfpbkv] c:\windows\system32\yqfcwtp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: StarUpdater.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Thanks again!
  • 0

#6
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Pilotman52,

Looks like we have a few more things to clean up.

Sometimes antivirus or antispyware products interfere with the fixing of problems; with that in mind, can you please disable those products during this fix. Make sure you re-enable them when you are done.

You may want to clean out the quarantined items in Microsoft AntiSpyware.

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Close all browsers, windows and unneeded programs.

4. Open HijackThis and do a scan.

5. Put a Check next to the following items:

O4 - HKLM\..\Run: [m61rce7o] C:\Program Files\m61rce7o\m61rce7o.exe
O4 - HKLM\..\Run: [crfpbkv] c:\windows\system32\yqfcwtp.exe


6. Click the Fix Checked box.

7. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

8. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\m61rce7o

9. Please run Killbox.
  • Select "Delete on Reboot".
  • Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    c:\windows\system32\yqfcwtp.exe
    C:\WINDOWS\system32\winupdt.008
    C:\WINDOWS\system32\DealHelper
    C:\WINDOWS\deskbar.ini
    C:\Documents and Settings\Patricio\Start Menu\Programs\SideStep
    C:\Program Files\BPT
    C:\WINDOWS\system32\Free LapTop Computer.ico
    C:\WINDOWS\system32\F?nts
    C:\WINDOWS\nail.exe
    C:\Documents and Settings\LocalService\Application Data\osoa.exe
    C:\Documents and Settings\Patricio\Desktop\SideStep.lnk
    C:\Documents and Settings\Patricio\Start Menu\SideStep.lnk
    C:\Program Files\Common Files\Java\bpcv2_inst.exe
    C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
    C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
    C:\WINDOWS\icont.exe
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\sskb5.exe
    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\SYSTEM\QBUninstaller.exe
    C:\WINDOWS\SYSTEM\UpdInst.exe
    C:\WINDOWS\SYSTEM32\70tovmto.ini
    C:\WINDOWS\SYSTEM32\abasa5jrp.ini
    C:\WINDOWS\SYSTEM32\Cache\EDow_AS2.exe
    C:\WINDOWS\SYSTEM32\Cache\Kyongju.exe
    C:\WINDOWS\SYSTEM32\Cache\omi.exe
    C:\WINDOWS\SYSTEM32\Cache\pop.exe
    C:\WINDOWS\SYSTEM32\Cache\setup.exe
    C:\WINDOWS\SYSTEM32\Cache\skh2.exe
    C:\WINDOWS\SYSTEM32\Cache\trgen_fran-162813.exe
    C:\WINDOWS\SYSTEM32\docore.dll
    C:\WINDOWS\SYSTEM32\dosync.dll
    C:\WINDOWS\SYSTEM32\DrPMon.dll
    C:\WINDOWS\SYSTEM32\egrpikv.exe
    C:\WINDOWS\SYSTEM32\Free LapTop Computer.ico
    C:\WINDOWS\SYSTEM32\Free Picture iPod.ico
    C:\WINDOWS\SYSTEM32\Free Sony Playstation.ico
    C:\WINDOWS\SYSTEM32\Free U2 iPod.ico
    C:\WINDOWS\SYSTEM32\goldnew2b.dll
    C:\WINDOWS\SYSTEM32\hochkaod3.ini
    C:\WINDOWS\SYSTEM32\jhqjlrv.exe
    C:\WINDOWS\SYSTEM32\orehde.exe
    C:\WINDOWS\SYSTEM32\Poller.exe
    C:\WINDOWS\SYSTEM32\rqojfecu.exe
    C:\WINDOWS\SYSTEM32\SSK_B5 Verticlick 5.EXE
    C:\WINDOWS\SYSTEM32\t2_667279.exe
    C:\WINDOWS\SYSTEM32\u6f6uftuc.ini
    C:\WINDOWS\SYSTEM32\umbr.exe
    C:\WINDOWS\SYSTEM32\Uninstaller.exe
    C:\WINDOWS\SYSTEM32\ventura5.exe
    C:\WINDOWS\SYSTEM32\winupdt.008
    C:\WINDOWS\SYSTEM32\yqfcwtp.exe
    C:\WINDOWS\vumvfp.exe

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
10. Reboot in normal mode and run this online virus scan: ActiveScan. Save the results from the scan!

11. Please post an ActiveScan log and a fresh HijackThis log to verify all is good. Ensure you re-hide your “hidden files and folders” back to the way they were.

Edited by Excalibur190, 12 June 2005 - 05:51 PM.

  • 0
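What the helper does by hand in the post above (take every on-disk path out of the ActiveScan report, leave out the registry-only hits and the items already sitting in Microsoft AntiSpyware's quarantine, then match them against the O4 Run entries and running processes in the HijackThis log) can be scripted. The script below is an added example written for this page; it is not a tool from the thread, from Panda or from HijackThis. The two sample logs inside it are constructed excerpts modelled on the ones posted in this thread, and the "random-looking name" rule that catches entries like m61rce7o is a heuristic assumed here, not anything the helper stated.

```python
"""Cross-check a Panda ActiveScan report against a HijackThis log.
Added example for this thread (not code from the posts, Panda or HijackThis):
build the Killbox list from the ActiveScan table, then flag the O4 Run entries
that point at those paths or reuse a random-looking name."""
import re

# Constructed excerpt in ActiveScan's format; the last line keeps the missing
# space before the status that the pasted log had.
ACTIVESCAN_SAMPLE = r"""Incident Status Location
Adware:Adware/Aurora No disinfected c:\windows\system32\yqfcwtp.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\125E71FF\5DC34ED2
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\SYSTEM32\Cache\EDow_AS2.exe
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINDOWS\system32\Free LapTop Computer.ico
"""

# Constructed excerpt of the HijackThis sections this script reads.
HJT_SAMPLE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\yqfcwtp.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [m61rce7o] C:\Program Files\m61rce7o\m61rce7o.exe
O4 - HKLM\..\Run: [crfpbkv] c:\windows\system32\yqfcwtp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ACTIVESCAN_RE = re.compile(r"^(?P<name>\S+?)\s*(?P<status>No disinfected|Disinfected)\s+(?P<loc>.+?)\s*$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")


def parse_activescan(text):
    """Return (detection name, status, location) for each incident line."""
    hits = []
    for line in text.splitlines():
        m = ACTIVESCAN_RE.match(line.strip())
        if m:
            hits.append((m["name"], m["status"], m["loc"]))
    return hits


def killbox_list(hits):
    """On-disk paths to queue for delete-on-reboot: registry-only hits have no
    file, quarantined items are inert, and case variants are collapsed."""
    paths, seen = [], set()
    for _, _, loc in hits:
        if loc == "Windows Registry" or "\\quarantine\\" in loc.lower():
            continue
        if loc.lower() not in seen:
            seen.add(loc.lower())
            paths.append(loc)
    return paths


def parse_hjt(text):
    """Return (running process paths, O4 Run entries) from a HijackThis log."""
    procs, runs, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            procs.append(line)
        else:
            m = O4_RE.match(line)
            if m:
                runs.append((m["hive"], m["value"], m["cmd"]))
    return procs, runs


def exe_path(cmd):
    """Lower-cased executable path from a Run value, arguments stripped."""
    m = re.match(r'"?(.+?\.exe)', cmd.strip(), re.I)
    return (m.group(1) if m else cmd.strip().strip('"')).lower()


def suspicious_entries(hits, hjt_text):
    """Flag O4 Run entries worth fixing in HijackThis, with the reasons."""
    targets = {p.lower() for p in killbox_list(hits)}
    procs, runs = parse_hjt(hjt_text)
    running = {p.lower() for p in procs}
    flagged = []
    for hive, value, cmd in runs:
        path = exe_path(cmd)
        parts = path.split("\\")
        stem = parts[-1][:-4] if parts[-1].endswith(".exe") else parts[-1]
        parent = parts[-2] if len(parts) > 1 else ""
        reasons = []
        if path in targets:
            reasons.append("path listed by ActiveScan")
        # Heuristic assumed here (not from the thread): one alphanumeric token
        # reused as Run value, folder and exe name, as with m61rce7o.
        if value.lower() == stem == parent and re.search(r"\d", stem) and re.search(r"[a-z]", stem):
            reasons.append("random-looking name reused as folder, exe and Run value")
        if reasons and path in running:
            reasons.append("currently running: fix the O4 entry before deleting the file")
        if reasons:
            flagged.append((f"O4 - {hive}: [{value}] {cmd}", reasons))
    return flagged


if __name__ == "__main__":
    found = parse_activescan(ACTIVESCAN_SAMPLE)
    print("Killbox list:", *killbox_list(found), sep="\n    ")
    for entry, why in suspicious_entries(found, HJT_SAMPLE):
        print(entry, "->", "; ".join(why))
```

Two choices mirror the helper's own list: files ActiveScan reports as "Disinfected" are still queued, as the helper did with the Cache\*.exe entries, and the list is deduplicated case-insensitively (the pasted log carried yqfcwtp.exe under two spellings). An entry marked "currently running" is why the procedure fixes the O4 lines in HijackThis first and only then deletes on reboot: Windows will not let a running executable be deleted, and a Run value that survives would simply relaunch it.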

#7
Pilotman52

Pilotman52

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here's my active scan:


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/SideStep No disinfected C:\Documents and Settings\Patricio\Start Menu\Programs\SideStep
Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/ValueAd No disinfected C:\WINDOWS\system32\F?nts
Adware:Adware/eZula No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\125E71FF-E137-402E-992B-031872\5DC34ED2-7BE9-4F26-8806-3A0B16
Adware:Adware/Aurora No disinfected C:\WINDOWS\SYSTEM32\lpvwnh.exe


Here's my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:44:00 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Star Alliance Timetable\StarUpdater.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Patricio\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: StarUpdater.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Thanks again!
  • 0

#8
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Pilotman52,

And then there were three ;)


1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Please remove the following folders using Windows Explorer (if present):

C:\Documents and Settings\Patricio\Start Menu\Programs\SideStep
C:\WINDOWS\system32\F?nts <------make sure it's this exact folder and nothing else
C:\Program Files\Microsoft <------make sure it's this exact folder and nothing else


5. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\SYSTEM32\lpvwnh.exe


Let me know how your system is working


Thanks,

:tazz:

Excal
  • 0

#9
Pilotman52

Pilotman52

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hey there Excal, third time's the charm...???

I think everything is more or less under control!

I couldn't find C:\WINDOWS\system32\F?nts or C:\Program Files\Microsoft (not sure if they're supposed to be there or not). Other than that, I've only gotten one or two pop ups today and no Aurora pop ups.

Once again, thanks for your help.

Pilotman52
  • 0

#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Pilotman52,

What were the names of the popups? Were they because you went to a web site, or were they just randomly showing up?

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
For some time it will look like nothing is happening. Just keep waiting.
Once it's done it will create a log. A window will come up telling you when it's saved.
  • 0


#11
Pilotman52

Pilotman52

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi Excal,

Those popups were called "Aurora," but they seem to have stopped. Thank God! The rest of the pop ups have practically disappeared too.

Here is the Silent Runner log for you:



"Silent Runners.vbs", revision 38, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"eroud.exe" = "C:\WINDOWS\system\eroud.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"DellSupport" = ""C:\Program Files\Dell Support\DSAgnt.exe" /startup" ["Gteko Ltd."]
"Spyware Doctor" = ""C:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"vptray" = "C:\PROGRA~1\SYMANT~2\VPTray.exe" ["Symantec Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"PCMService" = ""C:\Program Files\Dell\Media Experience\PCMService.exe"" ["CyberLink Corp."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"Dell AIO Printer A920" = ""C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"" ["Dell Computer Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"StarUpdater" = (empty string)

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "6 Months of AOL Included"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Firefox Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\STARSA~1.SCR" (StarSaver.scr) [empty string]


Startup items in "Patricio" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\Patricio\Start Menu\Programs\Startup
"StarUpdater.exe" -> shortcut to: "C:\Program Files\Star Alliance Timetable\StarUpdater.exe StarUpdater.exe" ["GoldenWare Travel Technologies"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"SpySubtract" -> shortcut to: "C:\Program Files\interMute\SpySubtract\SpySub.exe -autostart" ["InterMute, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\ = "SideStep" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\SbCIe028.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\ = "SideStep" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\SbCIe028.dll" [file not found]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe" ["America Online, Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
WLTRYSVC, WLTRYSVC, "C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe" [null data]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Thanks
  • 0
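The Silent Runners listing above is the kind of output a reviewer reads by eye. As an added example for this thread (not code from the posts or from Silent Runners), the script below parses such a listing and flags the entries that deserve a second look first: autostart values whose target no longer exists (the eroud.exe entry), anything under Policies\Explorer\Run, programs launched from a temp directory, empty Run values, and ShellExecuteHooks. The sample input is assembled from lines of the log above plus one constructed entry named "example" (a hypothetical file in C:\WINDOWS\TEMP, not on this machine) to exercise the temp-directory rule.

```python
"""Triage of a Silent Runners startup listing: flag autostart entries that
deserve review (missing targets, unusual locations, no publisher).

Added example for this thread; not part of Silent Runners or of the posts.
"""
import re
from dataclasses import dataclass, field

# Registry key header, e.g. "HKLM\SOFTWARE\...\Run\ {++}" ({++} marks keys
# whose default entries Silent Runners prints as well).
KEY_RE = re.compile(r'^(HK(?:LM|CU|CR|U)\\.*?\\)(?: \{\+\+\})?$')
# Value line: optional "INFECTION WARNING!" prefix, then a quoted value name,
# a CLSID subkey, or the "-> {CLSID}\InProcServer32\(Default)" continuation
# that resolves the previous entry's CLSID to its DLL.
ENTRY_RE = re.compile(
    r'^(?P<warn>INFECTION WARNING! )?'
    r'(?:"(?P<name>[^"]*)"'
    r'|(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\(?:\(Default\))?'
    r'|(?P<cont>-> \{CLSID\}\\InProcServer32\\\(Default\)))'
    r' = (?P<rest>.*)$')
# Right-hand side: quoted data followed by a bracketed tag such as [MS],
# ["Company"], [file not found] or [null data].
VALUE_RE = re.compile(r'^"?(?P<value>.*?)"?\s*\[(?P<tag>[^\]]*)\]$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|scr|sys|cpl)', re.IGNORECASE)
TEMP_DIRS = ('\\temp\\', '\\tmp\\')


@dataclass
class Entry:
    key: str
    name: str
    value: str
    tag: str                      # publisher tag as printed by Silent Runners
    warned: bool                  # line carried "INFECTION WARNING!"
    reasons: list = field(default_factory=list)

    @property
    def path(self) -> str:
        m = PATH_RE.search(self.value)
        return m.group(0) if m else ''


def parse_silent_runners(text: str) -> list:
    entries, key = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        em = ENTRY_RE.match(line)
        if not em:
            continue
        vm = VALUE_RE.match(em.group('rest'))
        value, tag = (vm.group('value'), vm.group('tag')) if vm else (em.group('rest'), '')
        if em.group('cont'):
            if entries:   # continuation: attach DLL path and publisher to the CLSID entry above
                entries[-1].value, entries[-1].tag = value, tag
            continue
        name = em.group('name') or em.group('clsid')
        entries.append(Entry(key, name, value, tag, bool(em.group('warn'))))
    return entries


def triage(entries: list) -> list:
    """Attach a reason to every entry worth reviewing and return only those."""
    flagged = []
    for e in entries:
        path = e.path.lower()
        if e.tag == 'file not found':
            e.reasons.append('target missing: orphaned autostart (leftover of an uninstall or of cleaned malware)')
        if 'policies\\explorer\\run' in e.key.lower():
            e.reasons.append('lives in Policies\\Explorer\\Run, a location legitimate installers rarely use')
        if any(t in path for t in TEMP_DIRS):
            e.reasons.append('runs from a temp directory')
        if e.value == '(empty string)':
            e.reasons.append('empty value: dead entry')
        if path and e.tag in ('null data', ''):
            # Weak signal on its own: jusched.exe in the log above is legitimate and still prints [null data].
            e.reasons.append('no publisher or version information to vouch for the file')
        if e.warned:
            # Silent Runners prints this prefix for every ShellExecuteHook it does not whitelist.
            e.reasons.append('ShellExecuteHook: confirm the publisher before trusting it')
        if e.reasons:
            flagged.append(e)
    return flagged


# Sample input: lines copied from the log posted above, plus one constructed
# entry ("example", a hypothetical file in C:\WINDOWS\TEMP) for the temp rule.
SAMPLE_LOG = r'''
Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"eroud.exe" = "C:\WINDOWS\system\eroud.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"DellSupport" = ""C:\Program Files\Dell Support\DSAgnt.exe" /startup" ["Gteko Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"StarUpdater" = (empty string)
"example" = "C:\WINDOWS\TEMP\example.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
'''

if __name__ == '__main__':
    for e in triage(parse_silent_runners(SAMPLE_LOG)):
        print(f'{e.name}\n  key:  {e.key}\n  path: {e.path or e.value}\n  tag:  {e.tag}')
        for r in e.reasons:
            print(f'  - {r}')
```

Run it against a saved Silent Runners log by replacing SAMPLE_LOG with the file's contents. Entries tagged [MS] or with a named publisher and a sensible location (ctfmon.exe, DellSupport) drop out; the publisher tag is only as good as the file's version resource, so treat a "no publisher" hit as a prompt to check the file, not as a verdict.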

#12
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Pilotman52,


I am really glad to hear those popups stopped, they can be a real pain in the butt!

Everything I can see looks good.

Did you uninstall C:\Program Files\Star Alliance Timetable\StarUpdater.exe?

I noticed some empty registry entries on it.

I think it would serve you well to clean your registry!

*Please download: RegSeeker.
*Click on "Clean The Registry" in the left panel.
*Check all boxes (make sure the backup box in the lower left corner is selected!).
*After it runs, click "Select All" on the bottom, then right-click on any selected item in the window and select "Delete Selected Items".
*Click "Quit RegSeeker".

Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run the RegSeeker again, do the same thing again if anything is found. When RegSeeker finds nothing else, then it's clean!


Let's just double check with a few more online scans.

Please run a free online virus scan at these two sites:
HouseCall
Kaspersky

Can you please post the results of these 2 scans.


Thanks,

:tazz:

Excal
  • 0

#13
Pilotman52

Pilotman52

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi Excal,

I ran both those programs and deleted a bunch of infected files. The results for the Kaspersky scan are as follows:




-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Wednesday, June 15, 2005 14:51:16
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/06/2005
Kaspersky Anti-Virus database records: 126436
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Patricio\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 19567
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 955 sec

Infected Object Name - Virus Name
C:\WINDOWS\SYSTEM32\Busan.exe/data0002 Infected: Trojan-PSW.Win32.Agent.h
C:\WINDOWS\SYSTEM32\Busan.exe Infected: Trojan-PSW.Win32.Agent.h
C:\WINDOWS\SYSTEM32\midad.dll Infected: Trojan-Downloader.Win32.Miewer.a
C:\WINDOWS\SYSTEM32\sskden2.dll Infected: Trojan-Dropper.Win32.Miewer.f
C:\WINDOWS\SYSTEM32\tvnew.dll Infected: Trojan-Downloader.Win32.Miewer.a

Scan process completed.


I guess it found more stuff...

PS: The CPU is working great!
  • 0

#14
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Pilotman52,

PS: The CPU is working great!


I never get tired of hearing that!!

Just delete these files and you should be all set :tazz:

please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM32\Busan.exe/data0002
C:\WINDOWS\SYSTEM32\Busan.exe
C:\WINDOWS\SYSTEM32\midad.dll
C:\WINDOWS\SYSTEM32\sskden2.dll
C:\WINDOWS\SYSTEM32\tvnew.dll


6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Let the system reboot.


Let me know if you were successful ;)
  • 0
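The Killbox list in the post above is copied straight from the scanner report, including `C:\WINDOWS\SYSTEM32\Busan.exe/data0002`. As an added example for this thread (not code from the posts or from Kaspersky), the script below turns a Kaspersky web-scanner report into the list of files that actually exist on disk. It relies on Kaspersky's object-naming convention, in which `\` separates path components and `/` introduces an object embedded inside a file (an archive member, a resource, a mail item), so `Busan.exe/data0002` is a detection inside Busan.exe rather than a fifth file. It also pulls out which areas the scan covered and checks that the number of detections parsed matches the count the report states. The sample input is the report posted above.

```python
"""Turn a Kaspersky web-scanner report into the list of on-disk files to delete.

Added example for this thread, not code from the posts or from Kaspersky.
Assumes Kaspersky's object naming: '\\' separates on-disk path components and
'/' introduces an object embedded in a file (archive member, resource, mail item).
"""
import re
from collections import defaultdict

DETECTION_RE = re.compile(r'^(?P<obj>.+?)\s+Infected:\s+(?P<verdict>\S+)\s*$')

# Follow-up implied by the verdict's class prefix (Kaspersky naming scheme).
CLASS_NOTES = {
    'Trojan-PSW': 'password stealer: treat credentials typed on this machine as exposed and change them',
    'Trojan-Downloader': 'fetches further payloads: look for files the scanner did not list',
    'Trojan-Dropper': 'installs other components: re-check autostart locations after deleting',
}

# Sample input: the relevant sections of the report posted above, verbatim.
SAMPLE_REPORT = r'''
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Patricio\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 19567
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 955 sec

Infected Object Name - Virus Name
C:\WINDOWS\SYSTEM32\Busan.exe/data0002 Infected: Trojan-PSW.Win32.Agent.h
C:\WINDOWS\SYSTEM32\Busan.exe Infected: Trojan-PSW.Win32.Agent.h
C:\WINDOWS\SYSTEM32\midad.dll Infected: Trojan-Downloader.Win32.Miewer.a
C:\WINDOWS\SYSTEM32\sskden2.dll Infected: Trojan-Dropper.Win32.Miewer.f
C:\WINDOWS\SYSTEM32\tvnew.dll Infected: Trojan-Downloader.Win32.Miewer.a

Scan process completed.
'''


def scan_targets(text: str) -> list:
    """Directories the scan covered; anything outside them was not examined."""
    targets, collecting = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('Scan Target'):
            collecting = True
            continue
        if collecting:
            if not line:
                break
            targets.append(line)
    return targets


def reported_infected_count(text: str):
    m = re.search(r'^Number of infected objects:\s*(\d+)', text, re.MULTILINE)
    return int(m.group(1)) if m else None


def detections(text: str) -> list:
    """(object, verdict) pairs from the 'Infected Object Name - Virus Name' section."""
    found, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('Infected Object Name'):
            in_section = True
            continue
        if not in_section or not line:
            continue
        m = DETECTION_RE.match(line)
        if not m:
            break                 # first non-detection line ends the section
        found.append((m.group('obj'), m.group('verdict')))
    return found


def container_file(obj: str) -> str:
    """On-disk file holding the object: 'X:\\a\\b.exe/data0002' -> 'X:\\a\\b.exe'."""
    return obj.split('/', 1)[0]


def deletion_list(text: str) -> dict:
    """Map each on-disk file to the set of verdicts found in it or inside it."""
    files = defaultdict(set)
    for obj, verdict in detections(text):
        files[container_file(obj)].add(verdict)
    return dict(files)


def follow_up(files: dict) -> list:
    notes = set()
    for verdicts in files.values():
        for v in verdicts:
            note = CLASS_NOTES.get(v.split('.', 1)[0])
            if note:
                notes.add(note)
    return sorted(notes)


if __name__ == '__main__':
    parsed, stated = len(detections(SAMPLE_REPORT)), reported_infected_count(SAMPLE_REPORT)
    print(f'scanned areas: {scan_targets(SAMPLE_REPORT)}')
    print(f'detections parsed: {parsed}, reported: {stated}')
    files = deletion_list(SAMPLE_REPORT)
    print('files to delete:')
    for path, verdicts in sorted(files.items()):
        print(f'  {path}  ({", ".join(sorted(verdicts))})')
    for note in follow_up(files):
        print(f'follow-up: {note}')
```

For the report above this yields four files, not five: deleting Busan.exe removes the `data0002` object with it, and handing a path with `/data0002` to a file deleter only produces a "file not found". The scan-target lines are worth printing for the same reason the count check is: this run covered C:\WINDOWS and the user's Temp folder only, so the list says nothing about files elsewhere on the disk. Since one verdict is in the Trojan-PSW (password-stealing) class, the follow-up note about changing passwords used on the machine is the caveat to keep after the cleanup is done.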

#15
Pilotman52

Pilotman52

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi Excal,

I think we're all set! I deleted those files and things are working great. Thanks for all your help. I'm going to make sure and donate for your and everyone's hard work.

Thanks again!

Pilotman52
  • 0
