Hello!!
followed your instructions, just a couple of things...
When I opened task manager in safe mode -
wljvnqv.exe was not there!?!
Also when I enterd the file names into Killbox, the following files came up with an error message saying "This file does not exist":
c:\windows\wjekyop.exe
c:\windows\pvwkrpb.exe
c:\windows\fisqetn.exe
c:\windows\cpmdync.exe
c:\windows\ljdjydp.exe
c:\windows\dbsqaqe.exe
C:\WINDOWS\System32\msopengl.dllIt deleted all other files except
C:\Program Files\AdwareDelete So I did the "delete on reboot" option in Killbox
here are the results from the Ewido scan:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 02:14:25, 26/06/2005
+ Report-Checksum: E72FA6E3
+ Date of database: 25/06/2005
+ Version of scan engine: v3.0
+ Duration: 41 min
+ Scanned Files: 31239
+ Speed: 12.55 Files/Second
+ Infected files: 56
+ Removed files: 56
+ Files put in quarantine: 56
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\!Submit\jypxwui.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\lxntdyje.exe -> Spyware.Searcher -> Cleaned with backup
C:\!Submit\wljvnqv.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@10723326[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@247realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@bfast[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@dcss3oxau5twkf4oma0cdcas2_2o4b[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\
[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\
[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\
[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\
[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\
[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\
[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\emi@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Emi\Cookies\
[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\
[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\
[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\
[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\
[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\
[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\
[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@sexlist[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@sextracker[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\
[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Cookies\james@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\ZA4ZJ5CL\down[1].exe -> Trojan.Agent.eo -> Cleaned with backup
C:\Documents and Settings\james\My Documents\sample files\wjekyop.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Systems\Backupqthnoewj -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backupcpmdync -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backupdbsqaqe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backupfisqetn -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backupljdjydp -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backuppvwkrpb -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backupwjekyop -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\spywad\Window\Backupwljvnqv -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\hirywnr.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
::Report End
Here is a fresh Hyjackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 02:39:25, on 26/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\AdwareDelete\adwaredelete.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AdwareDelete\adwaredelete.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\james\My Documents\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie-searchengine.com/sp.htmR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://ie-searchengine.com/R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://ie-searchengine.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://ie-searchengine.com/sp.htmR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://ie-searchengine.com/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [AdwareDelete] C:\Program Files\AdwareDelete\adwaredelete.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [svdvbwb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [sxmlupb] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [awtqfcu] c:\windows\pvwkrpb.exe
O4 - HKCU\..\Run: [wspwpgi] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [dmxufml] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [kuxgahg] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [pmnvqpe] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [omsggod] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [lcpgnsj] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [byqeoxw] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [mhxjwyq] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [jxicuan] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [stcjwdg] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [jtleqps] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [vqhvgcy] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [wjqhyvd] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [urttbbl] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [vjhjnti] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [tfecwfm] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [qfvfbkb] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [mqwuiue] c:\windows\fisqetn.exe
O4 - HKCU\..\Run: [qnstkix] c:\windows\cpmdync.exe
O4 - HKCU\..\Run: [cpvxlwp] c:\windows\cpmdync.exe
O4 - HKCU\..\Run: [cohjpya] c:\windows\cpmdync.exe
O4 - HKCU\..\Run: [plbndru] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [whktxhi] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [khuwcbm] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [ehtnocq] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [bmqcjaq] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [nsstolf] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [drgbjft] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [xhtodwc] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [ikdcaxc] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [xsukxwc] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [bqmmajh] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [vxyxvxu] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [ghrfpyp] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [mbhfoxj] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [hdcpmdd] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [scuagub] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [lwemxyt] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [ymlbdyk] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [htplooh] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [qmlyrlv] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [iqytrdv] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [rarugbe] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [fxklyai] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [ymoipgo] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [yyxddrs] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [aeidcbf] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [hrwhnyq] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [kkruagr] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [nbnmadw] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [gkpyaey] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [ujurtbl] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [qprwlgc] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [alnldwg] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [stgqrmf] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [thbmmct] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [wxmwiii] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [fbwvtom] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [jgcmlpb] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [boqpxdd] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [gqfsdys] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [brxrubr] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [fmdaxda] c:\windows\dbsqaqe.exe
O4 - HKCU\..\Run: [fceacqa] c:\windows\ljdjydp.exe
O4 - HKCU\..\Run: [clrxpqd] c:\windows\dbsqaqe.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.t...all/xscan60.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupd...b?1110277459853O16 - DPF: {FCC56E79-0FA2-4969-9164-06F140763455} (ActiveFormX Control) -
http://klikw.com/awd/cabs/10110.cabO20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
On re-boot still no change...