[Jayzeee]

Hello, Help!!!

I am running windows XP professional and use norton antivirus. Some software called "adware delete" has installed itself into my programs.

Every time I re-boot this software scans my computer and comes up with an alert message saying "Your machine is infected with spyware"

If I try to unistall it, it seems to run an install wizard, which makes me think it is not fully installed on my machine.

Also My internet home page has changed to http://ie-searchengine.com/ and it will not let me change it. And strangley the ctr-alt-delete command has stopped working.

Here are the results of my hyjackthis scan

Logfile of HijackThis v1.99.1
Scan saved at 13:28:26, on 24/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\windows\wjekyop.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\james\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-searchengine.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-searchengine.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-searchengine.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
O2 - BHO: (no name) - {e3175614-f331-f31a-53ed-fdd682644311} - C:\WINDOWS\System32\msopengl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [AdwareDelete] C:\Program Files\AdwareDelete\adwaredelete.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mywhjwk] c:\windows\wjekyop.exe
O4 - HKCU\..\Run: [howflqb] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [njowoex] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [kpidcuc] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [iqtovgj] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [phuagia] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [jkxfcqh] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [yesoida] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [gjjyqxd] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [jrexynt] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [svdvbwb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [sxmlupb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [awtqfcu] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [wspwpgi] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [dmxufml] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [kuxgahg] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [pmnvqpe] c:\windows\fisqetn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1110277459853
O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10110.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Please help if you can

Hope to here from you soon.

[Advertisements]

Hi JayZeee and Welcome!

Could you send me a sample of 2 files?

C:\windows\wjekyop.exe
and
C:\WINDOWS\System32\msopengl.dll

Create a folder and place them in it,then right Click it and Select "Send To" then Select Compressed(Zipped)Folder

Email the Zipped Folder here>> [email protected]

Have you had any problems with the Desktop changing??

Run this Scanner and lets see what it picks up

Please Download the MWAV Scanner from Here

Unzip it to its predetermined Directory (C:\Kaspersky)

Locate "kavupd.exe" in the New Folder and Double Click to Update!

If you it says the signatures are more than 30 days old, keep trying!
Keep trying until you get the actual signatures!

When you see "Updates downloaded Successfully"

Please Press Enter to Continue!

It should open automatically>Leave the "Default Settings ticked" and add a "tick" "Drives">this will light up "All Drives">Click "Scan Clean" to begin!

This Scan will take Several Hours or more to Complete,Depending on the Hard Drive Size!

Please be sure it is Completed before proceeding!

Once the Scan has finished,All entries Identified as Infected will displayed in the lower pane!

Highlight everything that is inside the lower pane and press Ctrl+C at the same time to Copy!

Open a Blank Notepad Page and Paste the results (Ctrl+V) to it!

Post those results back here!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Post the results from MWAV and a fresh HijackThis log!

[Wizard]

Hi JayZeee and Welcome!

Could you send me a sample of 2 files?

C:\windows\wjekyop.exe
and
C:\WINDOWS\System32\msopengl.dll

Create a folder and place them in it,then right Click it and Select "Send To" then Select Compressed(Zipped)Folder

Email the Zipped Folder here>> [email protected]

Have you had any problems with the Desktop changing??

Run this Scanner and lets see what it picks up

Please Download the MWAV Scanner from Here

Unzip it to its predetermined Directory (C:\Kaspersky)

Locate "kavupd.exe" in the New Folder and Double Click to Update!

If you it says the signatures are more than 30 days old, keep trying!
Keep trying until you get the actual signatures!

When you see "Updates downloaded Successfully"

Please Press Enter to Continue!

It should open automatically>Leave the "Default Settings ticked" and add a "tick" "Drives">this will light up "All Drives">Click "Scan Clean" to begin!

This Scan will take Several Hours or more to Complete,Depending on the Hard Drive Size!

Please be sure it is Completed before proceeding!

Once the Scan has finished,All entries Identified as Infected will displayed in the lower pane!

Highlight everything that is inside the lower pane and press Ctrl+C at the same time to Copy!

Open a Blank Notepad Page and Paste the results (Ctrl+V) to it!

Post those results back here!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Post the results from MWAV and a fresh HijackThis log!

[Jayzeee]

Hi Cretemonster,

Thank-you for your very useful and speedy response.

I Have had problems with the desktop changing,
I go hit with trojan-spy.HTML.smitfraud.c I thought it was fixed? I followed intstructions from a different post, and my desktop had returned to normal.

I did the MWAV scan and the results are here:

File C:\WINDOWS\System32\msopengl.dll infected by "Trojan-Downloader.Win32.Small.ayu" Virus. Action Taken: File to be deleted on reboot.
File C:\WINDOWS\System32\lxntdyje.exe tagged as not-a-virus:NetTool.Win32.Calc-DNet.d. No Action Taken.
File C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\43FZUOHT\on-line[1].exe infected by "Trojan-Downloader.Win32.Small.amb" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\JV1BZXOW\tr[1].exe infected by "Trojan-Dropper.Win32.Agent.np" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\K3D36YVH\win32[1].exe infected by "Trojan-Downloader.Win32.Small.awa" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\Q59ENE5S\wait[1].html infected by "Trojan-Clicker.Win32.Spywad.b" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\XVF7HLKE\blowjobs[1].htm infected by "Trojan-Clicker.JS.Linker.h" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\ZA4ZJ5CL\count3[1].jar infected by "Trojan.Java.ClassLoader.ai" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\james\My Documents\sample files\msopengl.dll infected by "Trojan-Downloader.Win32.Small.ayu" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\james\My Documents\sample files.zip infected by "Trojan-Downloader.Win32.Small.ayu" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\lxntdyje.exe tagged as not-a-virus:NetTool.Win32.Calc-DNet.d. No Action Taken.




Here is a fresh HyjackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 17:07:49, on 24/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\windows\wjekyop.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\james\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-searchengine.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-searchengine.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-searchengine.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [AdwareDelete] C:\Program Files\AdwareDelete\adwaredelete.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mywhjwk] c:\windows\wjekyop.exe
O4 - HKCU\..\Run: [howflqb] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [njowoex] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [kpidcuc] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [iqtovgj] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [phuagia] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [jkxfcqh] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [yesoida] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [gjjyqxd] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [jrexynt] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [svdvbwb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [sxmlupb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [awtqfcu] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [wspwpgi] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [dmxufml] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [kuxgahg] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [pmnvqpe] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [omsggod] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [lcpgnsj] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [byqeoxw] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [mhxjwyq] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [jxicuan] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [stcjwdg] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [jtleqps] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [vqhvgcy] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [wjqhyvd] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [urttbbl] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [vjhjnti] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [tfecwfm] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [qfvfbkb] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [mqwuiue] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [qnstkix] c:\windows\cpmdync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1110277459853
O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10110.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

There was no change after I re-booted.

[Wizard]

OK,I have had a chance to upload and run the File and seems to be a new variant of an older Infection!

Download and Save Spywadfix to your computer from this link:
http://www.thespykil...s/spywadfix.exe

It will automatically extract to c:\spywad where it needs to be to run and will automatically open the remove spywad.vbs script for you ready to paste in the line mentioned below.
If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run.

It is not malicious.
It will open an Input box. Paste this line into the box

C:\windows\wjekyop.exe

The script will kill that process, backup and then delete any matching files in System32 and your Windows Directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad Folder. The backups will also be located in two subfolders there. One named Systems and the other named Window.

The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your windows default desktop and context menu functions.
It will restart Explorer.

Finally, it will Run hijackthis so that you can remove the orphaned run entries and anything else as instructed by your Advisor on the forums.

If hijackthis doesn't start, run it manually.

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-searchengine.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-searchengine.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-searchengine.com/

O4 - HKLM\..\Run: [AdwareDelete] C:\Program Files\AdwareDelete\adwaredelete.exe /h

O4 - HKCU\..\Run: [mywhjwk] c:\windows\wjekyop.exe
O4 - HKCU\..\Run: [howflqb] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [njowoex] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [kpidcuc] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [iqtovgj] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [phuagia] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [jkxfcqh] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [yesoida] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [gjjyqxd] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [jrexynt] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [svdvbwb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [sxmlupb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [awtqfcu] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [wspwpgi] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [dmxufml] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [kuxgahg] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [pmnvqpe] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [omsggod] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [lcpgnsj] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [byqeoxw] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [mhxjwyq] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [jxicuan] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [stcjwdg] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [jtleqps] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [vqhvgcy] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [wjqhyvd] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [urttbbl] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [vjhjnti] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [tfecwfm] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [qfvfbkb] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [mqwuiue] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [qnstkix] c:\windows\cpmdync.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10110.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Have each User sign in and run Other Profiles Regfix.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the C:\Spywad folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

Then run hijackthis and remove the entries as directed by your Forum Advisor.

You will need to do this step for every user account

Assure that windows is showing hidden files
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Locate and Delete if they still exist

C:\Program Files\AdwareDelete<< Folder

C:\windows\wjekyop.exe<< File

C:\windows\wljvnqv.exe<< File

C:\windows\pvwkrpb.exe<< File

C:\windows\fisqetn.exe<< File

C:\windows\cpmdync.exe<< File

C:\WINDOWS\web\related.htm<< File

When finished, post the contents of Spywad.txt and a new Hijackthis log.

[Jayzeee]

I downloaded spywadfix and pasted the line into the box, It seemed to be working for 5 seconds or so then came up with an error message - Its said something along the lines of "permmissions denied, actions cancelled"

I apologise I should of written down exactly what it said before hitting OK.

I repeated the proccess and an error message then came up with C:\windows\wjekyop.exe does not exist please try another line.

I had a look in the C:Spywad folder to try and find Spywad.txt - it wasn't there. The sub folders Systems and Windows were there!

Please Help!!

[Wizard]

Well Shite!

Post a fresh HijackThis log and we will do this manually!

[Jayzeee]

Here is the HyjackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:05:42, on 25/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\windows\wljvnqv.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\james\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-searchengine.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-searchengine.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-searchengine.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [AdwareDelete] C:\Program Files\AdwareDelete\adwaredelete.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mywhjwk] c:\windows\wjekyop.exe
O4 - HKCU\..\Run: [howflqb] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [njowoex] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [kpidcuc] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [iqtovgj] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [phuagia] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [jkxfcqh] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [yesoida] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [gjjyqxd] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [jrexynt] c:\windows\wljvnqv.exe
O4 - HKCU\..\Run: [svdvbwb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [sxmlupb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [awtqfcu] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [wspwpgi] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [dmxufml] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [kuxgahg] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [pmnvqpe] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [omsggod] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [lcpgnsj] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [byqeoxw] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [mhxjwyq] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [jxicuan] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [stcjwdg] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [jtleqps] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [vqhvgcy] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [wjqhyvd] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [urttbbl] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [vjhjnti] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [tfecwfm] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [qfvfbkb] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [mqwuiue] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [qnstkix] c:\windows\cpmdync.exe
O4 - HKCU\..\Run: [cpvxlwp] c:\windows\cpmdync.exe
O4 - HKCU\..\Run: [cohjpya] c:\windows\cpmdync.exe
O4 - HKCU\..\Run: [plbndru] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [whktxhi] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [khuwcbm] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [ehtnocq] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [bmqcjaq] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [nsstolf] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [drgbjft] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [xhtodwc] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [ikdcaxc] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [xsukxwc] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [bqmmajh] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [vxyxvxu] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [ghrfpyp] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [mbhfoxj] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [hdcpmdd] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [scuagub] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [lwemxyt] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [ymlbdyk] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [htplooh] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [qmlyrlv] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [iqytrdv] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [rarugbe] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [fxklyai] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [ymoipgo] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [yyxddrs] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [aeidcbf] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [hrwhnyq] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [kkruagr] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [nbnmadw] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [gkpyaey] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [ujurtbl] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [qprwlgc] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [alnldwg] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [stgqrmf] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [thbmmct] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [wxmwiii] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [fbwvtom] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [jgcmlpb] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [boqpxdd] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [gqfsdys] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [brxrubr] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [fmdaxda] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [fceacqa] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [clrxpqd] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [hvxoslx] c:\windows\jypxwui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1110277459853
O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10110.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

[Wizard]

Thanks for sticking in there,hopefully we will see much progress by the next post!

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Download Ewido Security Suite, install then from within the program check for updates BUT dont scan yet
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the Update finishes (the status bar at the bottom will display "Update successful"), Now close the program.

If you have problems updating see here
http://www.ewido.net...wnload/updates/

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Right Click the Task Bar near the Clock and Select Task Manager>>Select Processes>>Locate wljvnqv.exe>> Highlight and select "End Process"

Here is a list of files I want you to enter into Killboxes "Full Path of File to Delete"

C:\windows\wljvnqv.exe
c:\windows\wjekyop.exe
c:\windows\pvwkrpb.exe
c:\windows\fisqetn.exe
c:\windows\cpmdync.exe
c:\windows\ljdjydp.exe
c:\windows\dbsqaqe.exe
c:\windows\jypxwui.exe
C:\WINDOWS\System32\msopengl.dll
C:\WINDOWS\System32\lxntdyje.exe
C:\WINDOWS\web\related.htm
C:\Program Files\AdwareDelete

Copy&Paste each into Killbox and place a tick by any of the selections available!

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Once those are ticked,Click the Red Circle with the White X in the Middle to Delete!!

Keep track of any files Killbox will not delete!

Scan with Ewido>when prompted>Select to clean and place a check by the box to use this action for all infections!

Once it completes,Click the tab to Save the report and Save it to your Desktop for easy access!

If you ran into any files that Killbox wouldnt Delete,Copy&Paste them back into Killbox and select

"Delete on Reboot"

If more than 1 file

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot


If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.

Restart the PC Normal and Post back with a fresh HijackThis log and the results from Ewido!

Edited by Cretemonster, 25 June 2005 - 04:46 PM.

[Jayzeee]

Hello!!

followed your instructions, just a couple of things...

When I opened task manager in safe mode - wljvnqv.exe was not there!?!

Also when I enterd the file names into Killbox, the following files came up with an error message saying "This file does not exist":

c:\windows\wjekyop.exe
c:\windows\pvwkrpb.exe
c:\windows\fisqetn.exe
c:\windows\cpmdync.exe
c:\windows\ljdjydp.exe
c:\windows\dbsqaqe.exe
C:\WINDOWS\System32\msopengl.dll

It deleted all other files except C:\Program Files\AdwareDelete So I did the "delete on reboot" option in Killbox

here are the results from the Ewido scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 02:14:25, 26/06/2005
+ Report-Checksum: E72FA6E3

+ Date of database: 25/06/2005
+ Version of scan engine: v3.0

+ Duration: 41 min
+ Scanned Files: 31239
+ Speed: 12.55 Files/Second
+ Infected files: 56
+ Removed files: 56
+ Files put in quarantine: 56
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\!Submit\jypxwui.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\lxntdyje.exe -> Spyware.Searcher -> Cleaned with backup
C:\!Submit\wljvnqv.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@10723326[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@247realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@bfast[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@dcss3oxau5twkf4oma0cdcas2_2o4b[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@sexlist[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@sextracker[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\ZA4ZJ5CL\down[1].exe -> Trojan.Agent.eo -> Cleaned with backup
C:\Documents and Settings\james\My Documents\sample files\wjekyop.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Systems\Backupqthnoewj -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backupcpmdync -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backupdbsqaqe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backupfisqetn -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backupljdjydp -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backuppvwkrpb -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backupwjekyop -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backupwljvnqv -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\hirywnr.exe -> Spyware.Hijacker.Generic -> Cleaned with backup


::Report End


Here is a fresh Hyjackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 02:39:25, on 26/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\AdwareDelete\adwaredelete.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AdwareDelete\adwaredelete.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\james\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-searchengine.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-searchengine.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-searchengine.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [AdwareDelete] C:\Program Files\AdwareDelete\adwaredelete.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [svdvbwb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [sxmlupb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [awtqfcu] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [wspwpgi] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [dmxufml] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [kuxgahg] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [pmnvqpe] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [omsggod] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [lcpgnsj] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [byqeoxw] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [mhxjwyq] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [jxicuan] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [stcjwdg] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [jtleqps] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [vqhvgcy] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [wjqhyvd] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [urttbbl] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [vjhjnti] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [tfecwfm] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [qfvfbkb] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [mqwuiue] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [qnstkix] c:\windows\cpmdync.exe
O4 - HKCU\..\Run: [cpvxlwp] c:\windows\cpmdync.exe
O4 - HKCU\..\Run: [cohjpya] c:\windows\cpmdync.exe
O4 - HKCU\..\Run: [plbndru] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [whktxhi] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [khuwcbm] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [ehtnocq] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [bmqcjaq] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [nsstolf] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [drgbjft] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [xhtodwc] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [ikdcaxc] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [xsukxwc] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [bqmmajh] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [vxyxvxu] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [ghrfpyp] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [mbhfoxj] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [hdcpmdd] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [scuagub] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [lwemxyt] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [ymlbdyk] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [htplooh] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [qmlyrlv] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [iqytrdv] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [rarugbe] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [fxklyai] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [ymoipgo] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [yyxddrs] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [aeidcbf] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [hrwhnyq] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [kkruagr] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [nbnmadw] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [gkpyaey] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [ujurtbl] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [qprwlgc] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [alnldwg] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [stgqrmf] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [thbmmct] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [wxmwiii] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [fbwvtom] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [jgcmlpb] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [boqpxdd] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [gqfsdys] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [brxrubr] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [fmdaxda] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [fceacqa] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [clrxpqd] c:\windows\dbsqaqe.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1110277459853
O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10110.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


On re-boot still no change...

[Wizard]

Well that just sucks!!!

OK,lets try another approach,first see if you can Zip up AdwareDelete and send it to me as you did the files before then make sure to delete the Zip Folder afterwards!

Please Download F-Secure Blacklight:
http://www.f-secure....light/try.shtml

Once at the page,Click "I Accept" and "Download"

Double Click blbeta.exe to Start it,then Click "I accept the agreement" and click "Next" then Click "Scan"

If anything is located,please DO NOT choose Rename>>Just let it save the log!

If all went well,look back in the folder that blbeta.exe resides in,there you should see "fsbl.log"

Download rkfiles.zip and unzip it to its own permanent folder but dont run it yet!
http://skads.org/special/rkfiles.zip

Restart in Safe Mode

Locate the rkfiles.bat file and double-click it to run it.

It takes a while to run so please be patient and wait for the DOS window to close.

Reboot back to normal mode.

OK,I need you to download and run Silent Runners:
http://www.silentrun...ent Runners.zip

Unzip it and select Extract all files!

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

It will start scanning the System,be patient,it takes a bit!

Once Completed,it will produce a Notepad page,I need you to Copy&Paste those results into your next post!

I know this is a bit overbearing but we have to find out what is Reinfecting the Machine!

Locate C:\log.txt from RKFiles and fsbl.log from Blacklight and post those 2 along with the Silent Runners Log!

Now,while I look over these,I want you to Install these 3 utilities for Security reasons!

Please Download the MVPS HOSTS file to your Desktop!
http://www.mvps.org/...p2002/hosts.htm

Here is a link to help you if you need it
http://www.mvps.org/...2002/hosts2.htm

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Download the following file by right-clicking on the link and selecting Save As. Then save this file to your desktop.

AdwareDelete Reg Fix

Restart the PC in Safe Mode and Make sure Windows is Showing Hidden Files!

Open the Task Manager and See if AdwareDelete is running in the Processes!

There may be more than One instances of it running!

If it is Highlight and "End Process"

Open Killbox just as before and Try to Delete it just as before make sure all available selections are ticked before deleting!

While in the Task Manager,look for any of those Randomly generated 7 lettered entries,if you see one,Kill the Process and Delete the file which will be located in the Windows Folder (C:\Windows)

If the AdwareDelete folder was deleted successfully,Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-searchengine.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie-searchengine.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-searchengine.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-searchengine.com/

O4 - HKLM\..\Run: [AdwareDelete] C:\Program Files\AdwareDelete\adwaredelete.exe /h

O4 - HKCU\..\Run: [svdvbwb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [sxmlupb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [awtqfcu] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [wspwpgi] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [dmxufml] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [kuxgahg] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [pmnvqpe] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [omsggod] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [lcpgnsj] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [byqeoxw] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [mhxjwyq] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [jxicuan] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [stcjwdg] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [jtleqps] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [vqhvgcy] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [wjqhyvd] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [urttbbl] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [vjhjnti] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [tfecwfm] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [qfvfbkb] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [mqwuiue] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [qnstkix] c:\windows\cpmdync.exe
O4 - HKCU\..\Run: [cpvxlwp] c:\windows\cpmdync.exe
O4 - HKCU\..\Run: [cohjpya] c:\windows\cpmdync.exe
O4 - HKCU\..\Run: [plbndru] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [whktxhi] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [khuwcbm] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [ehtnocq] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [bmqcjaq] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [nsstolf] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [drgbjft] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [xhtodwc] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [ikdcaxc] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [xsukxwc] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [bqmmajh] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [vxyxvxu] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [ghrfpyp] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [mbhfoxj] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [hdcpmdd] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [scuagub] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [lwemxyt] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [ymlbdyk] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [htplooh] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [qmlyrlv] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [iqytrdv] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [rarugbe] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [fxklyai] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [ymoipgo] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [yyxddrs] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [aeidcbf] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [hrwhnyq] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [kkruagr] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [nbnmadw] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [gkpyaey] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [ujurtbl] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [qprwlgc] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [alnldwg] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [stgqrmf] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [thbmmct] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [wxmwiii] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [fbwvtom] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [jgcmlpb] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [boqpxdd] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [gqfsdys] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [brxrubr] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [fmdaxda] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [fceacqa] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [clrxpqd] c:\windows\dbsqaqe.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Now Navigate to C:\Program Files and confirm that AdwareDelete is gone,if not attempt to delete manually!

Double-click on the adwaredelete.reg file on your desktop and allow it to merge the information into your registry.

Restart in Normal Mode and Post a fresh HijackThis log along with all 3 of the logs I asked for!

Edited by Cretemonster, 26 June 2005 - 01:05 AM.

[Jayzeee]

It apears that Adware delete has been deleted

Followed all your instructions...backlight found nothing and no log was created.


So here is the log from RKFiles:

C:\Documents and Settings\james\My Documents\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\ikhrsaaa.exe: UPX!
C:\WINDOWS\system32\kqhqaaaa.exe: UPX!
C:\WINDOWS\system32\nixbcaaa.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye


...and here is the log from silent runners:

"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"svdvbwb" = "c:\windows\pvwkrpb.exe" [file not found]
"sxmlupb" = "c:\windows\pvwkrpb.exe" [file not found]
"awtqfcu" = "c:\windows\pvwkrpb.exe" [file not found]
"wspwpgi" = "c:\windows\fisqetn.exe" [file not found]
"dmxufml" = "c:\windows\fisqetn.exe" [file not found]
"kuxgahg" = "c:\windows\fisqetn.exe" [file not found]
"pmnvqpe" = "c:\windows\fisqetn.exe" [file not found]
"omsggod" = "c:\windows\fisqetn.exe" [file not found]
"lcpgnsj" = "c:\windows\fisqetn.exe" [file not found]
"byqeoxw" = "c:\windows\fisqetn.exe" [file not found]
"mhxjwyq" = "c:\windows\fisqetn.exe" [file not found]
"jxicuan" = "c:\windows\fisqetn.exe" [file not found]
"stcjwdg" = "c:\windows\fisqetn.exe" [file not found]
"jtleqps" = "c:\windows\fisqetn.exe" [file not found]
"vqhvgcy" = "c:\windows\fisqetn.exe" [file not found]
"wjqhyvd" = "c:\windows\fisqetn.exe" [file not found]
"urttbbl" = "c:\windows\fisqetn.exe" [file not found]
"vjhjnti" = "c:\windows\fisqetn.exe" [file not found]
"tfecwfm" = "c:\windows\fisqetn.exe" [file not found]
"qfvfbkb" = "c:\windows\fisqetn.exe" [file not found]
"mqwuiue" = "c:\windows\fisqetn.exe" [file not found]
"qnstkix" = "c:\windows\cpmdync.exe" [file not found]
"cpvxlwp" = "c:\windows\cpmdync.exe" [file not found]
"cohjpya" = "c:\windows\cpmdync.exe" [file not found]
"plbndru" = "c:\windows\ljdjydp.exe" [file not found]
"whktxhi" = "c:\windows\dbsqaqe.exe" [file not found]
"khuwcbm" = "c:\windows\ljdjydp.exe" [file not found]
"ehtnocq" = "c:\windows\dbsqaqe.exe" [file not found]
"bmqcjaq" = "c:\windows\ljdjydp.exe" [file not found]
"nsstolf" = "c:\windows\dbsqaqe.exe" [file not found]
"drgbjft" = "c:\windows\ljdjydp.exe" [file not found]
"xhtodwc" = "c:\windows\dbsqaqe.exe" [file not found]
"ikdcaxc" = "c:\windows\ljdjydp.exe" [file not found]
"xsukxwc" = "c:\windows\dbsqaqe.exe" [file not found]
"bqmmajh" = "c:\windows\ljdjydp.exe" [file not found]
"vxyxvxu" = "c:\windows\dbsqaqe.exe" [file not found]
"ghrfpyp" = "c:\windows\ljdjydp.exe" [file not found]
"mbhfoxj" = "c:\windows\dbsqaqe.exe" [file not found]
"hdcpmdd" = "c:\windows\ljdjydp.exe" [file not found]
"scuagub" = "c:\windows\dbsqaqe.exe" [file not found]
"lwemxyt" = "c:\windows\ljdjydp.exe" [file not found]
"ymlbdyk" = "c:\windows\dbsqaqe.exe" [file not found]
"htplooh" = "c:\windows\ljdjydp.exe" [file not found]
"qmlyrlv" = "c:\windows\dbsqaqe.exe" [file not found]
"iqytrdv" = "c:\windows\ljdjydp.exe" [file not found]
"rarugbe" = "c:\windows\dbsqaqe.exe" [file not found]
"fxklyai" = "c:\windows\ljdjydp.exe" [file not found]
"ymoipgo" = "c:\windows\dbsqaqe.exe" [file not found]
"yyxddrs" = "c:\windows\ljdjydp.exe" [file not found]
"aeidcbf" = "c:\windows\dbsqaqe.exe" [file not found]
"hrwhnyq" = "c:\windows\ljdjydp.exe" [file not found]
"kkruagr" = "c:\windows\dbsqaqe.exe" [file not found]
"nbnmadw" = "c:\windows\ljdjydp.exe" [file not found]
"gkpyaey" = "c:\windows\dbsqaqe.exe" [file not found]
"ujurtbl" = "c:\windows\ljdjydp.exe" [file not found]
"qprwlgc" = "c:\windows\dbsqaqe.exe" [file not found]
"alnldwg" = "c:\windows\ljdjydp.exe" [file not found]
"stgqrmf" = "c:\windows\dbsqaqe.exe" [file not found]
"thbmmct" = "c:\windows\ljdjydp.exe" [file not found]
"wxmwiii" = "c:\windows\dbsqaqe.exe" [file not found]
"fbwvtom" = "c:\windows\ljdjydp.exe" [file not found]
"jgcmlpb" = "c:\windows\dbsqaqe.exe" [file not found]
"boqpxdd" = "c:\windows\ljdjydp.exe" [file not found]
"gqfsdys" = "c:\windows\dbsqaqe.exe" [file not found]
"brxrubr" = "c:\windows\ljdjydp.exe" [file not found]
"fmdaxda" = "c:\windows\dbsqaqe.exe" [file not found]
"fceacqa" = "c:\windows\ljdjydp.exe" [file not found]
"clrxpqd" = "c:\windows\dbsqaqe.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"DataLayer" = "C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE" ["Nokia Mobile Phones Ltd."]
"PCSuiteTrayApplication" = "C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE" [empty string]
"AdwareDelete" = "C:\Program Files\AdwareDelete\adwaredelete.exe /h" ["AdwareDelete.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\System32\NavLogon.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\james\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "james" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Here is a fresh hyjackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:29:04, on 26/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\james\My Documents\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1110277459853
O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10110.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Thank-you so much for your help!!!

[Jayzeee]

Just loctated the backlight log...oops

So here it is:

06/26/05 12:53:41 [Info]: BlackLight Engine 1.0.14 initialized
06/26/05 12:53:41 [Info]: OS: 5.1 build 2600 (Service Pack 1)
06/26/05 12:53:41 [Note]: 4005 0
06/26/05 12:53:50 [Note]: 4006 0
06/26/05 12:53:50 [Note]: 4019 0
06/26/05 12:53:50 [Note]: 4019 1
06/26/05 12:53:51 [Note]: 4019 2
06/26/05 12:53:51 [Note]: 4019 3
06/26/05 12:53:51 [Note]: 4019 4
06/26/05 12:53:52 [Note]: FSRAW library version 1.7.1011
06/26/05 12:54:30 [Note]: 4019 5
06/26/05 12:54:30 [Note]: 4019 6
06/26/05 12:54:30 [Note]: 4019 7
06/26/05 12:54:30 [Note]: 4019 8
06/26/05 12:54:55 [Note]: 4007 0

[Wizard]

Hopefully you havent restarted since posting the logs!

Open Pocket KillBox and Paste the 3 entries below into it!

C:\WINDOWS\system32\ikhrsaaa.exe
C:\WINDOWS\system32\kqhqaaaa.exe
C:\WINDOWS\system32\nixbcaaa.exe

Place a tick by these Selections

"End Explorer Shell while Killing File"
and
"Delete on Reboot"

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot

If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.

Restart into Safe Mode and Scan with RKfiles once more to see if we got those buggers this time!

Once RKFiles is complete,Restart Normal!

Now Click Start>>Run>>Type in Regedit and Click OK!

Follow the Path below in Regedit and Delete the Keys I Specify!

Navigate to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Look in the larger right hand pane and delete all these

"svdvbwb" = "c:\windows\pvwkrpb.exe"
"sxmlupb" = "c:\windows\pvwkrpb.exe"
"awtqfcu" = "c:\windows\pvwkrpb.exe"
"wspwpgi" = "c:\windows\fisqetn.exe"
"dmxufml" = "c:\windows\fisqetn.exe"
"kuxgahg" = "c:\windows\fisqetn.exe"
"pmnvqpe" = "c:\windows\fisqetn.exe"
"omsggod" = "c:\windows\fisqetn.exe"
"lcpgnsj" = "c:\windows\fisqetn.exe"
"byqeoxw" = "c:\windows\fisqetn.exe"
"mhxjwyq" = "c:\windows\fisqetn.exe"
"jxicuan" = "c:\windows\fisqetn.exe"
"stcjwdg" = "c:\windows\fisqetn.exe"
"jtleqps" = "c:\windows\fisqetn.exe"
"vqhvgcy" = "c:\windows\fisqetn.exe"
"wjqhyvd" = "c:\windows\fisqetn.exe"
"urttbbl" = "c:\windows\fisqetn.exe"
"vjhjnti" = "c:\windows\fisqetn.exe"
"tfecwfm" = "c:\windows\fisqetn.exe"
"qfvfbkb" = "c:\windows\fisqetn.exe"
"mqwuiue" = "c:\windows\fisqetn.exe"
"qnstkix" = "c:\windows\cpmdync.exe"
"cpvxlwp" = "c:\windows\cpmdync.exe"
"cohjpya" = "c:\windows\cpmdync.exe"
"plbndru" = "c:\windows\ljdjydp.exe"
"whktxhi" = "c:\windows\dbsqaqe.exe"
"khuwcbm" = "c:\windows\ljdjydp.exe"
"ehtnocq" = "c:\windows\dbsqaqe.exe"
"bmqcjaq" = "c:\windows\ljdjydp.exe"
"nsstolf" = "c:\windows\dbsqaqe.exe"
"drgbjft" = "c:\windows\ljdjydp.exe"
"xhtodwc" = "c:\windows\dbsqaqe.exe"
"ikdcaxc" = "c:\windows\ljdjydp.exe"
"xsukxwc" = "c:\windows\dbsqaqe.exe"
"bqmmajh" = "c:\windows\ljdjydp.exe"
"vxyxvxu" = "c:\windows\dbsqaqe.exe"
"ghrfpyp" = "c:\windows\ljdjydp.exe"
"mbhfoxj" = "c:\windows\dbsqaqe.exe"
"hdcpmdd" = "c:\windows\ljdjydp.exe"
"scuagub" = "c:\windows\dbsqaqe.exe"
"lwemxyt" = "c:\windows\ljdjydp.exe"
"ymlbdyk" = "c:\windows\dbsqaqe.exe"
"htplooh" = "c:\windows\ljdjydp.exe"
"qmlyrlv" = "c:\windows\dbsqaqe.exe"
"iqytrdv" = "c:\windows\ljdjydp.exe"
"rarugbe" = "c:\windows\dbsqaqe.exe"
"fxklyai" = "c:\windows\ljdjydp.exe"
"ymoipgo" = "c:\windows\dbsqaqe.exe"
"yyxddrs" = "c:\windows\ljdjydp.exe"
"aeidcbf" = "c:\windows\dbsqaqe.exe"
"hrwhnyq" = "c:\windows\ljdjydp.exe"
"kkruagr" = "c:\windows\dbsqaqe.exe"
"nbnmadw" = "c:\windows\ljdjydp.exe"
"gkpyaey" = "c:\windows\dbsqaqe.exe"
"ujurtbl" = "c:\windows\ljdjydp.exe"
"qprwlgc" = "c:\windows\dbsqaqe.exe"
"alnldwg" = "c:\windows\ljdjydp.exe"
"stgqrmf" = "c:\windows\dbsqaqe.exe"
"thbmmct" = "c:\windows\ljdjydp.exe"
"wxmwiii" = "c:\windows\dbsqaqe.exe"
"fbwvtom" = "c:\windows\ljdjydp.exe"
"jgcmlpb" = "c:\windows\dbsqaqe.exe"
"boqpxdd" = "c:\windows\ljdjydp.exe"
"gqfsdys" = "c:\windows\dbsqaqe.exe"
"brxrubr" = "c:\windows\ljdjydp.exe"
"fmdaxda" = "c:\windows\dbsqaqe.exe"
"fceacqa" = "c:\windows\ljdjydp.exe"
"clrxpqd" = "c:\windows\dbsqaqe.exe"

Now follow this path and navigate to here

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete the key from the right hand pane

"AdwareDelete" = "C:\Program Files\AdwareDelete\adwaredelete.exe /h"

Download RegScrubXP v.3.25
http://www.majorgeek...wnload2048.html

Now locate and open RegScrubXP and Click "RegScrubXP finds Problems"

Let it scan the System and when it completes Click "Select all Problems" and "Fix Selected Problems"

Restart once more and Scan with Silent Runners again!

I know you have to be sick of Scans but I am hoping this will get it all!

Post back with the logs from RKFiles and Silent Runners!

Edited by Cretemonster, 26 June 2005 - 10:19 AM.

[Jayzeee]

I couldn't locate:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

or

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

in the registry???

Here is the silent runners scan:

"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"DataLayer" = "C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE" ["Nokia Mobile Phones Ltd."]
"PCSuiteTrayApplication" = "C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\System32\NavLogon.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\james\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "james" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


Here is the RKFiles scan:

C:\Documents and Settings\james\My Documents\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

Unfortunately I had restarted since my previous post!!!

[Jayzeee]

Here is s fresh hyjackthis scan...just in case...

Logfile of HijackThis v1.99.1
Scan saved at 18:40:17, on 26/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Documents and Settings\james\My Documents\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1110277459853
O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) - http://klikw.com/awd/cabs/10110.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe