I have A LOT of crap >_< (HJT log) [RESOLVED]
#31
Posted 19 June 2005 - 05:04 PM
Most probably you see this in that DOS screen. You'll have to wait until Notepad opens afterwards automatically.
#32
Posted 19 June 2005 - 05:11 PM
#33
Posted 19 June 2005 - 05:14 PM
#34
Posted 19 June 2005 - 05:17 PM
#35
Posted 19 June 2005 - 05:30 PM
Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 06/19/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
* UPX! C:\WINDOWS\System32\CIJTSFIJ.EXE
* UPX! C:\WINDOWS\System32\QSTCSY.EXE
* UPX! C:\WINDOWS\System\PPOKER~1.EXE
* UPX! C:\WINDOWS\FYOPVBB.EXE
* UPX! C:\WINDOWS\GXJECHA.EXE
* UPX! C:\WINDOWS\OMDLLBB.EXE
* UPX! C:\WINDOWS\RUTUJOJ.EXE
* UPX! C:\WINDOWS\SBXGUYD.EXE
* UPX! C:\WINDOWS\SWBECEB.EXE
* UPX! C:\WINDOWS\TDTB.EXE
* UPX! C:\WINDOWS\ULQDUKF.EXE
* UPX! C:\WINDOWS\UPDEUBR.EXE
* UPX! C:\WINDOWS\WRDJRLI.EXE
* UPX! C:\WINDOWS\YBFVJMG.EXE
»»»»» lagitamate file's can/will show in this section.
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
* SAHAgent C:\WINDOWS\System32\DRMVSCTF.EXE
* SAHAgent C:\WINDOWS\System32\70TOVMTO.INI
* SAHAgent C:\WINDOWS\System32\BLN02NQV.INI
* SAHAgent C:\WINDOWS\System32\GAH95ON6.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C has no label.
Volume Serial Number is 009B-503D
Directory of C:\WINDOWS\SYSTEM32
06/12/2005 07:19 PM <DIR> cache32_rtneg4
0 File(s) 0 bytes
1 Dir(s) 8,636,633,088 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 009B-503D
Directory of C:\WINDOWS\system32
06/08/2005 04:02 PM 3,262 body3333.ico
06/13/2005 03:04 AM 3,262 creditcard32123123123asdsa1.ico
06/07/2005 12:48 AM 4,286 greenmovie2313asaadsasfad112341231adsfa112.ico
06/05/2005 09:00 PM 2,526 ibm laptop312.ico
06/15/2005 10:16 AM 3,262 kill all spyware4512.ico
06/05/2005 09:00 PM 4,286 kill internet popups5.ico
12/07/2001 01:40 PM 22,486 LRNXP.ICO
01/06/2005 01:15 PM 1,406 oi-uninstaller.ico
06/08/2005 04:02 PM 3,262 pinkkas.ico
06/13/2005 03:04 AM 3,262 ps3-2a.ico
06/15/2005 01:43 PM 3,262 ps31.ico
06/15/2005 01:43 PM 2,238 red_kas21.ico
06/12/2005 09:25 PM 2,238 red_kas221.ico
06/12/2005 09:25 PM 3,262 vhe233a1.ico
14 File(s) 62,300 bytes
0 Dir(s) 8,636,633,088 bytes free
»»»»»»»»»»»»»»»»»»»»»»»».
HKEY_CLASSES_ROOT\trfdsk.amo.1\
HKEY_CLASSES_ROOT\trfdsk.amo.1\CLSID\
HKEY_CLASSES_ROOT\trfdsk.iiittt.1\
HKEY_CLASSES_ROOT\trfdsk.iiittt.1\CLSID\
HKEY_CLASSES_ROOT\trfdsk.momo.1\
HKEY_CLASSES_ROOT\trfdsk.momo.1\CLSID\
HKEY_CLASSES_ROOT\trfdsk.ohb.1\
HKEY_CLASSES_ROOT\trfdsk.ohb.1\CLSID\
#36
Posted 19 June 2005 - 06:13 PM
Start killbox.exe
Select the option "Delete on reboot".
Now copy the next (bold) text:
C:\WINDOWS\System32\CIJTSFIJ.EXE
C:\WINDOWS\System32\QSTCSY.EXE
C:\WINDOWS\System\PPOKER~1.EXE
C:\WINDOWS\FYOPVBB.EXE
C:\WINDOWS\GXJECHA.EXE
C:\WINDOWS\OMDLLBB.EXE
C:\WINDOWS\RUTUJOJ.EXE
C:\WINDOWS\SBXGUYD.EXE
C:\WINDOWS\SWBECEB.EXE
C:\WINDOWS\TDTB.EXE
C:\WINDOWS\ULQDUKF.EXE
C:\WINDOWS\UPDEUBR.EXE
C:\WINDOWS\WRDJRLI.EXE
C:\WINDOWS\YBFVJMG.EXE
C:\WINDOWS\System32\DRMVSCTF.EXE
C:\WINDOWS\System32\70TOVMTO.INI
C:\WINDOWS\System32\BLN02NQV.INI
C:\WINDOWS\System32\GAH95ON6.INI
C:\WINDOWS\System32\body3333.ico
C:\WINDOWS\System32\creditcard32123123123asdsa1.ico
C:\WINDOWS\System32\greenmovie2313asaadsasfad112341231adsfa112.ico
C:\WINDOWS\System32\ibm laptop312.ico
C:\WINDOWS\System32\kill all spyware4512.ico
C:\WINDOWS\System32\kill internet popups5.ico
C:\WINDOWS\System32\oi-uninstaller.ico
C:\WINDOWS\System32\pinkkas.ico
C:\WINDOWS\System32\ps3-2a.ico
C:\WINDOWS\System32\ps31.ico
C:\WINDOWS\System32\red_kas21.ico
C:\WINDOWS\System32\red_kas221.ico
C:\WINDOWS\System32\vhe233a1.ico
C:\Program Files\Aprps\cxtpls.dll
C:\Program Files\Aprps\CxtPls.exe
Open 'File' in the Killbox menu at the top and choose 'Paste from clipboard'.
Now you will see that this is pasted into the "Full Path of File to Delete" field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are present!
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on the next reboot. Click YES.
When it asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.
Click No at the Pending Operations prompt.
Your computer must reboot now.
Open Notepad and copy and paste the next contents (in bold) into it:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
"WallpaperFileTime"=-
"WallpaperLocalFileTime"=-
[-HKEY_CLASSES_ROOT\trfdsk.amo.1]
[-HKEY_CLASSES_ROOT\trfdsk.iiittt.1]
[-HKEY_CLASSES_ROOT\trfdsk.momo.1]
[-HKEY_CLASSES_ROOT\trfdsk.ohb.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YwwtRSa8g"=-
Save this as cleanup.reg (choose 'All Files' as the file type) and double-click it to merge it into the registry.
Delete the following folder:
C:\Program Files\Aprps
Reboot and post a new findit's log and HijackThis log.
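The cleanup.reg above uses two REGEDIT4 constructs: `[-Key]` removes a whole key and `"Name"=-` removes a single value. The following Python parser is an added example, not code from this thread or its author; it reads a .reg file and lists what merging it would delete or set, so a cleanup file can be reviewed before it is merged. The input is the cleanup.reg from the post, embedded inline.

```python
import re

# Sample input: the cleanup.reg from the post above, embedded inline
# (raw string so the backslashes in the key paths stay literal).
CLEANUP_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
"WallpaperFileTime"=-
"WallpaperLocalFileTime"=-
[-HKEY_CLASSES_ROOT\trfdsk.amo.1]
[-HKEY_CLASSES_ROOT\trfdsk.iiittt.1]
[-HKEY_CLASSES_ROOT\trfdsk.momo.1]
[-HKEY_CLASSES_ROOT\trfdsk.ohb.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YwwtRSa8g"=-
"""

# A value line is  @=data  or  "name"=data ; the quoted name may contain \" escapes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Return (operation, key, value_name) tuples; operation is 'delete_key', 'delete_value' or 'set_value'."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("expected a REGEDIT4 header on the first line")
    ops, current_key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):                 # [-Key] deletes the whole key
                ops.append(("delete_key", key[1:], None))
                current_key = None
            else:                                   # [Key] opens a section
                current_key = key
            continue
        m = VALUE_RE.match(line)
        if m is None or current_key is None:
            raise ValueError(f"unparsable line: {raw!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        op = "delete_value" if m.group(2) == "-" else "set_value"  # "name"=- deletes the value
        ops.append((op, current_key, name))
    return ops
```

Run `parse_reg(CLEANUP_REG)` and print each tuple to see the six key deletions and three value deletions this file performs; any 'set_value' entry in a cleanup file deserves a second look before merging.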
#37
Posted 19 June 2005 - 10:28 PM
Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 06/19/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
»»»»» lagitamate file's can/will show in this section.
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C has no label.
Volume Serial Number is 009B-503D
Directory of C:\WINDOWS\SYSTEM32
06/12/2005 07:19 PM <DIR> cache32_rtneg4
0 File(s) 0 bytes
1 Dir(s) 8,644,104,192 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 009B-503D
Directory of C:\WINDOWS\system32
12/07/2001 01:40 PM 22,486 LRNXP.ICO
1 File(s) 22,486 bytes
0 Dir(s) 8,644,104,192 bytes free
»»»»»»»»»»»»»»»»»»»»»»»».
Logfile of HijackThis v1.99.1
Scan saved at 11:28:07 PM, on 6/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nick\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,21/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
#38
Posted 19 June 2005 - 11:20 PM
Just delete next folder and that must be it:
C:\Windows\System32\cache32_rtneg4
Perform a full scan with an updated Adaware SE and/or Spybot S&D to get rid of the leftovers.
To keep this clean in the future, I would suggest the following things:
The most important thing here: install an antivirus and a firewall!
AVG, Bitdefender OR Avast are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease their reliability!
ZoneAlarm, Kerio OR Sygate are FREE firewalls.
Understanding and using firewalls:
http://www.bleepingc...showtutorial=60
Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.
Avoid illegal sites, because that's where most malware is present.
Let your antispyware scanner(s) scan frequently, and don't forget to update them first.
I also suggest you perform an online virus scan once in a while (Kaspersky online and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!
Make sure your Windows has the latest updates, so visit http://windowsupdate.microsoft.com/ asap to update to SP2.
More info on how to prevent malware can also be found here (by Tony Klein).
Happy surfing again!
Edited by miekiemoes, 19 June 2005 - 11:21 PM.
#39
Posted 20 June 2005 - 07:25 AM
#40
Posted 23 June 2005 - 06:54 AM
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.