Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

What did I do? Trying to get last viruses off


  • Please log in to reply

#1
marcusniehaus

marcusniehaus

    Member

  • Member
  • PipPip
  • 13 posts
I think I got the major viruses off. But I think I did something dumb. Comp was still running slow so I changed something to "Normal Startup" in Systems Configuration Utility and now this shows up:

Error loading C:\WINDOWS\cfgmgr52.dll

The Specified module could not be found.

I can't get rid of it. I also enabled all my Services and Start-up and did another HiJack file. I know there's something else there. If anyone could help, that'd be cool. Well, thanks.

Take care,
Marcus



Logfile of HijackThis v1.99.1
Scan saved at 2:41:39 PM, on 6/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\marcusniehaus\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SpyBlocs3.0] C:\PROGRA~1\SPYBLO~1.0\SpyBlocs3.0.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [qsrR37Q] wmsntbbu.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [olkx] C:\WINDOWS\olkx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [iowsazi] c:\windows\system32\baypvyv.exe
O4 - HKLM\..\Run: [givifc] C:\WINDOWS\System32\givifc.exe
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezyv32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i11r54n4.exe
O4 - HKCU\..\Run: [bB05RXcFR] wiaonce.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by marcusniehaus, 17 June 2005 - 03:43 PM.

  • 0

Advertisements


#2
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
I apologize for the delay getting to your log, the helpers here are very busy. If you are still having malware troubles, I will be glad to help. Due to the length of time passed, I need to see a new HijackThis Log.

Please post a new HJT log in this thread.
  • 0

#3
marcusniehaus

marcusniehaus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hey there, thanks! I kinda did some myself, I did a google search on each entry, found a forum that had the same entry and see if another person recommended a "fix checked." I don't know if that was dumb.
I think it's getting clean, but my computer is still really slow, escpecially downloading and now I get this when I turn on my computer:

Error loading C:\WINDOWS\cfgmgr52.dll

The Specified module could not be found.

Well, anyway, is there anything suspicious here? Or anything I don't need?
Thanks again,
Marcus


Logfile of HijackThis v1.99.1
Scan saved at 10:46:51 AM, on 6/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\marcusniehaus\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [qsrR37Q] wmsntbbu.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [olkx] C:\WINDOWS\olkx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [iowsazi] c:\windows\system32\baypvyv.exe
O4 - HKLM\..\Run: [givifc] C:\WINDOWS\System32\givifc.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezyv32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKCU\..\Run: [bB05RXcFR] wiaonce.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
  • 0

#4
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
marcusniehaus, to be honest, this log is confusing me. It appears as though you've fixed the wrong things in HijackThis (have you been tinkering before?). For example, you're registry is set to start two anti-virus programs (which is not recommended), yet neither are running. Have you uninstalled AVG and McAfee?

I thought as first this was because the log was taken from Safe Mode, but the services entries that go with those programs are missing as well. Let's see if we can fix this the easy way. There are processes running that wouldn't run in Safe Mode as well.

Launch HijackThis >> Config >> Backups. Please restore everything you've fixed recently by selecting the item and clicking 'Restore'. Reboot and post a fresh log, then we can get to fixing it :tazz:.

If I'm off-base, let me know and we can take it from there.
  • 0

#5
marcusniehaus

marcusniehaus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hey, yah I was messing with it, probably shouldn't have. Just trying to get as much stuff as I could off. I guess I don't really like AVG or McAfee so I was trying to get rid of those too. Anyways, I restored everything and posted again. Thanks!!!
Marcus

Logfile of HijackThis v1.99.1
Scan saved at 7:01:46 AM, on 6/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\marcusniehaus\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [qsrR37Q] wmsntbbu.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [olkx] C:\WINDOWS\olkx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [iowsazi] c:\windows\system32\baypvyv.exe
O4 - HKLM\..\Run: [givifc] C:\WINDOWS\System32\givifc.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezyv32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SpyBlocs3.0] C:\PROGRA~1\SPYBLO~1.0\SpyBlocs3.0.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [bB05RXcFR] wiaonce.exe
O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i11r54n4.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
  • 0

#6
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
marcusniehaus, your current lack of anti-virus protection is of great concern. I agree with you about McAfee, but AVG is a highly recommended solution. I urge you to re-install AVG first off, and when we get you clean I will suggest other alternatives. Also, your log doesn't show a firewall running, I suggest downloading and installing Zonealarm from the link in my signature.

Now, let's get to work :tazz:. You don't have a virus, you have multiple viruses/trojans, as well as some garden-variety adware.

Full Ad-Aware Scan
Please download Ad-Aware SE from here:
http://www.majorgeek...ownload506.html
Install Ad-Aware and run it. In the bottom-right hand corner, click "Check for updates now". Click "Connect" to download the newest reference file.

Now we will configure Ad-Aware to perform a full scan. In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
4) Scan my IE Favorites for banned URLs
5) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom right side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects. Then please restart your computer.

Next, please run this free online virus scan: Panda Active Scan Save the log it generates to post in your next reply.

Run this free online trojan scan. Let it remove any infections it finds.

I'd like to see an uninstall list from HijackThis.

Launch HJT and select 'Config' >> 'Misc Tools' >> 'Open Uninstall Manager'. Select 'Save List' and a Notepad window will open. Copy the entire contents of that file and post it here in your next reply.

Reboot and post a fresh HJT log, the logfile from Panda Activescan, and the Uninstall List.
  • 0

#7
marcusniehaus

marcusniehaus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hey, thanks for all the help, I did everything you recommended. Except that Free online Trojan scan - After I ran it it found 10 things. Then it asked me to download A squared. I did, then it asked me to create an account first. But I couldn't for the life of me figure out how to do it. It just kept opening up my documents window or something. Anyways, here's the rest of what you asked for. Thanks again. How can I get a firewall again, I don't know what happened
Marcus


Logfile of HijackThis v1.99.1
Scan saved at 2:32:11 PM, on 6/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\marcusniehaus\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [qsrR37Q] wmsntbbu.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [olkx] C:\WINDOWS\olkx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [iowsazi] c:\windows\system32\baypvyv.exe
O4 - HKLM\..\Run: [givifc] C:\WINDOWS\System32\givifc.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezyv32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SpyBlocs3.0] C:\PROGRA~1\SPYBLO~1.0\SpyBlocs3.0.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [bB05RXcFR] wiaonce.exe
O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i11r54n4.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe





PANDA


Incident Status Location

Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\marcusniehaus\Start Menu\Programs\Startup\AdDestroyer.lnk
Adware:Adware/Aureate-Radiate No disinfected C:\WINDOWS\System32\advert.dll
Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\System32\saie_*.dat
Spyware:Spyware/BetterInet No disinfected Windows Registry
Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Adware:Adware/WinTools No disinfected C:\Program Files\Common Files\WinTools
Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\marcusniehaus\Start Menu\Programs\Startup\AdDestroyer.lnk
Adware:Adware/VirtualBouncer No disinfected C:\Documents and Settings\All Users\Application Data\VBouncer
Spyware:Spyware/TVMedia No disinfected C:\WINDOWS\Bundles
Adware:Adware/AdLogix No disinfected Windows Registry
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp
Adware:Adware/EliteBar No disinfected Windows Registry
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\marcusniehaus\Favorites\1111\1111.url
Adware:Adware/BigTrafficNet No disinfected Windows Registry
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\marcusniehaus\Application Data\tvmknwrd.dll
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\marcusniehaus\Favorites\1111\1111.url
Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\marcusniehaus\Start Menu\Programs\Startup\AdDestroyer.lnk
Adware:Adware/Thecoolbar No disinfected C:\Program Files\FwBarTemp\cohelper.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\gaibnvi.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:Adware/Aureate-Radiate No disinfected C:\WINDOWS\SYSTEM32\advert.dll
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\SYSTEM32\bs51-eginwl51-vb.exe
Adware:Adware/Beginto No disinfected C:\WINDOWS\SYSTEM32\btnetw-ventura-hot_246765.exe
Virus:Trj/Downloader.BYZ Disinfected C:\WINDOWS\SYSTEM32\dist001.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\saieau.dat
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\saie_kyf.dat
Adware:Adware/PortalScan No disinfected C:\WINDOWS\SYSTEM32\winupdt.bin


UNINSTALL LIST
2Wire Gateway
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 6.0
ArcSoft PhotoImpression
Avid Log Exchange
Avid Xpress Pro
BCM V.92 56K Modem
Britannica Ready Reference
CCleaner (remove only)
Cool Edit Pro
Cool Edit Pro Pre-install
CuteFTP
DAO
Dell Picture Studio - Dell Image Expert
Dell Solution Center
DVDSentry
Earthlink Installer - uninstall 'Earthlink 5.0' entry first if present
Easy CD Creator 5 Basic
EDL Manager
EPSON Copy Utility
EPSON Photo Print
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN 5
EPSON User's Guide
ewido security suite
FilmScribe
Final Draft 4.0
Final Draft 5
HijackThis 1.99.1
Hypersonic
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II
Internet Explorer Q828750
Java 2 Runtime Environment Standard Edition v1.3.0_02
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Office 2000 SR-1 Premium
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Modem Helper
Moog Modular V 1.1
MUSICMATCH® Jukebox
MyDVD
Native Instruments Absynth 2
NVIDIA Windows 2000/XP Display Drivers
Outlook Express Update Q330994
Paint Shop Pro 7
Pentagon I 1.3
PlasmaWipes Effects
Pocket RAR documentation
PowerDVD
Quicken 2002 New User Edition
QuickTime
RealPlayer Basic
Rgc Audio z3ta+ VSTi DXi
SBC Yahoo! DSL
Sentinel System Driver 5.41.0 (32-bit)
Shockwave
Sound Blaster Live!
SpyBlocs v3.0
Steinberg Cubase SX v2.01
Steinberg Groove Agent
WildTangent Web Driver
Winamp (remove only)
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824146
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) q329623
Windows XP Hotfix (SP2) Q331953
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817606
Windows XP Hotfix (SP2) Q819696
WinRAR archiver
WinZip
WordPerfect Office 2002
WordPerfect Office 2002
Yahoo! Photos Easy Upload Tool 1v3
YAMAHA VST Plugin Vocal Rack Trial
  • 0

#8
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
Ok, let's just see how much of this we can kill manually :tazz:. You can download a free firewall from the the three listed in my signature below. I still don't see any signs of anti-virus in your log, this leaves you wide open to further infection. I recommend re-installing AVG immediately.

Rescan with HijackThis and place a checkmark next to the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [qsrR37Q] wmsntbbu.exe
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [olkx] C:\WINDOWS\olkx.exe
O4 - HKLM\..\Run: [iowsazi] c:\windows\system32\baypvyv.exe
O4 - HKLM\..\Run: [givifc] C:\WINDOWS\System32\givifc.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezyv32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKCU\..\Run: [bB05RXcFR] wiaonce.exe
O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i11r54n4.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe


You're running SpyBlocs3.0, which is on the Rogue/Suspect Anti-Spyware Products list. I suggest you remove it. Here's the entry to fix with HJT, and you will need to remove the main program as well.

O4 - HKLM\..\Run: [SpyBlocs3.0] C:\PROGRA~1\SPYBLO~1.0\SpyBlocs3.0.exe


You're also running WildTangent, which is believe to collect data about your surfing habits and send it back to its controlling server. Here's the item to fix in HJT, and you will need to remove the main program on this one too:

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain



Now, close all windows including your browser and then click "Fix Checked" in Hijackthis.


Please remove these entries from Add/Remove Programs in the Control Panel(if present):

SpyBlocs v3.0
WildTangent Web Driver
*if you chose to fix them with HijackThis

Please delete these folders using Windows Explorer(if present):

C:\Program Files\Common Files\WinTools
C:\Documents and Settings\marcusniehaus\Favorites\1111\
C:\Program Files\FwBarTemp\
C:\PROGRAM FILES\Toolbar\
C:\Program Files\ErrorGuard\
C:\PROGRAM FILES\VBouncer\
C:\Program Files\WeirdOnTheWeb\
C:\Program Files\AdDestroyer\


Please delete these files using Windows Explorer(if present):

wmsntbbu.exe (you will need to do a search for this one)
C:\WINDOWS\System32\ps1.exe
C:\WINDOWS\olkx.exe
c:\windows\system32\baypvyv.exe
C:\WINDOWS\System32\givifc.exe
C:\windows\system32\elitezyv32.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\System32\winupdtl.exe
c:\windows\system32\saie.exe
wiaonce.exe (search for this one as well)
C:\WINDOWS\System32\i11r54n4.exe
C:\Documents and Settings\marcusniehaus\Start Menu\Programs\Startup\AdDestroyer.lnk
C:\WINDOWS\System32\advert.dll
C:\WINDOWS\System32\saie_*.dat
C:\WINDOWS\bundles
C:\WINDOWS\bsx32
C:\Program Files\cxtpls
C:\Program Files\Common Files\WinTools
C:\Documents and Settings\marcusniehaus\Start Menu\Programs\Startup\AdDestroyer.lnk
C:\Documents and Settings\All Users\Application Data\VBouncer
C:\Documents and Settings\marcusniehaus\Application Data\tvmknwrd.dll
C:\WINDOWS\gaibnvi.exe
C:\WINDOWS\SYSTEM\QBUninstaller.exe
C:\WINDOWS\SYSTEM32\advert.dll
C:\WINDOWS\SYSTEM32\bs51-eginwl51-vb.exe
C:\WINDOWS\SYSTEM32\btnetw-ventura-hot_246765.exe
C:\WINDOWS\SYSTEM32\dist001.exe
C:\WINDOWS\SYSTEM32\saieau.dat
C:\WINDOWS\SYSTEM32\saie_kyf.dat
C:\WINDOWS\SYSTEM32\winupdt.bin


Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.


Reboot and post a new HJT log.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP