Tried and tried, just can't get rid [RESOLVED]



#1
peb

Hi

I've tried all day to get rid of my problem. Sometimes Ad-Aware finds 120 probs, then just two. However, I am having the same problems over and over: task bar with three icons telling me that I am infected (cheeky sods) and my browser is also hijacked, etc. etc.

Can anyone help?
I have in the past sorted any problems out from lurking on this site, but I am now stumped.

Thanks in advance

peb



Logfile of HijackThis v1.99.1
Scan saved at 20:21:50, on 05/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QKeys\QKeys.EXE
C:\Program Files\Wireless 11Mbps Network\XPFix.exe
C:\WINDOWS\System32\am772cfg.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\intell32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\winstall.exe
C:\windows\ocqwydm.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\winstall.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QKeys] C:\Program Files\QKeys\QKeys.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alice] C:\Program Files\Wireless 11Mbps Network\XPFix.exe
O4 - HKLM\..\Run: [AMD Wireless Network Configuration] "C:\WINDOWS\System32\am772cfg.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mdqu1V4A] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [eatigpy] c:\windows\ocqwydm.exe
O4 - HKCU\..\Run: [ypquavp] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [jiusyxe] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [hgeijml] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [fyfuatj] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [racktvx] c:\windows\uubqvqp.exe
O4 - HKCU\..\Run: [isfrcud] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [npsevye] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [xytgngl] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [vmxiert] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [xnteywr] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [hpocpbq] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [ycvmmqx] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [ytksstd] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [xsfxmkh] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [rxxebgq] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [prqkixi] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [cwfpnsm] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [kykeelt] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [gbrpylv] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [qetaske] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [dohibho] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [fxpwkfh] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [poawofy] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [bkoqgkq] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [knevtxc] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [ofgcfha] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [krtpdjh] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [atkqpgf] c:\windows\usngguo.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [jffsjkd] c:\windows\usngguo.exe
O4 - HKCU\..\Run: [mtgaywa] c:\windows\dhkcnaw.exe
O4 - HKCU\..\Run: [nrorejh] c:\windows\wweopbs.exe
O4 - HKCU\..\Run: [cqymbcs] c:\windows\xbxpmwf.exe
O4 - HKCU\..\Run: [nnmycut] c:\windows\wvxsfgv.exe
O4 - HKCU\..\Run: [ayhadbq] c:\windows\nqrkdwv.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102...hm::/update.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
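An added example, not a tool from this thread or from HijackThis: a small Python triage script that parses entries in the format of the log above and flags what a helper reading it would look at first (start/search pages pointing at an unexpected host, Run values with garbled names, executables launched from a drive root or the Windows directory itself, and several Run values launching the same file). The sample entries are copied from the log above; the allow list of expected start/search hosts is an assumption for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(R\d|O\d+) - ")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*)\] (.*)$", re.S)
URL_RE = re.compile(r"^R[01] - .* = (\S+)$")

# Assumed allow list for this example: hosts the user deliberately chose.
EXPECTED_HOSTS = {"www.google.co.uk"}

# Constructed sample: entries copied from the HijackThis log above, including
# the garbled Run value whose name spans two lines.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Mdqu1V4A] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [ypquavp] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [jiusyxe] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [hgeijml] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""


def parse_entries(text):
    """Split a log into entries. A line without an 'Rn - ' / 'On - ' prefix is
    the continuation of the previous entry (word-wrapped lines and Run value
    names that contain a newline both show up that way)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ENTRY_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += "\n" + line
    return entries


def launch_target(value):
    """Executable path from a Run value, ignoring surrounding quotes and arguments."""
    m = re.match(r'"?(.*?\.exe)', value, re.I)
    return (m.group(1) if m else value).lower()


def odd_location(path):
    """True for executables sitting directly in a drive root or in the Windows
    directory itself, where legitimate autoruns rarely live."""
    directory = path.rsplit("\\", 1)[0] if "\\" in path else ""
    return re.fullmatch(r"[a-z]:(\\windows)?", directory) is not None


def garbled(name):
    """True when a Run value name holds control or non-ASCII characters."""
    return any(ord(c) < 32 or ord(c) > 126 for c in name)


def triage(text):
    """Return (rule, detail) findings for a helper to review by hand."""
    findings = []
    by_target = defaultdict(list)
    for entry in parse_entries(text):
        url = URL_RE.match(entry)
        if url:
            host = urlparse(url.group(1)).hostname
            if host and host not in EXPECTED_HOSTS:
                findings.append(("unexpected_host", host))
            continue
        run = RUN_RE.match(entry)
        if not run:
            continue
        hive, name, value = run.groups()
        target = launch_target(value)
        by_target[target].append(f"{hive} [{name!r}]")
        if garbled(name):
            findings.append(("garbled_name", f"{hive} Run value -> {target}"))
        if odd_location(target):
            findings.append(("odd_location", target))
    for target, names in by_target.items():
        if len(names) > 1:
            findings.append(("shared_target",
                             f"{target} launched by {len(names)} Run values"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:16} {detail}")
```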

#2
Rawe

Hello and welcome!

Please print these instructions out, or write them down, as you can't read them during the fix. Be sure to ask any question(s) before proceeding with the fix.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download CleanUp!

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Launch Ad-Aware SE and click on the gear to access the Configuration menu. Please make sure that this setting is applied:

Click on Tweak => Cleaning engine => UNcheck "Always try to unload modules before deletion". Then do a Full System Scan. Remove anything it finds.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Run CleanUp! making sure to reboot when prompted.

Boot up into normal mode and run the following free online scans here:
Trend Micro
Panda Activescan

Let them fix anything they can, post the results here along with the Ewido & fresh HiJackThis log.

- Rawe :tazz:

#3
peb

Thanks - I am giving it a go now


peb

#4
Rawe

Sure. Post the logs whenever you're ready :tazz:

#5
peb

Big probs, spent all last night and again today trying to complete the tasks.
In the end I couldn't get HouseCall to work (invalid licence) and Panda just stalled; left it for 5 hours!

After rebooting (after clean up) everything seemed to be worse.

Ewido report

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 13:03:51, 06/08/2005
+ Report-Checksum: 5774F040

+ Scan result:

C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\found.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\IESecurity.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\notfound.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\ProcMon.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\removed.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.dvm -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff_1.dat -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff_2.dat -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\Uninstall.exe -> Spyware.SpySheriff : Cleaned with backup



My new log file


Logfile of HijackThis v1.99.1
Scan saved at 16:54:53, on 06/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QKeys\QKeys.EXE
C:\Program Files\Wireless 11Mbps Network\XPFix.exe
C:\WINDOWS\System32\am772cfg.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\ocqwydm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QKeys] C:\Program Files\QKeys\QKeys.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alice] C:\Program Files\Wireless 11Mbps Network\XPFix.exe
O4 - HKLM\..\Run: [AMD Wireless Network Configuration] "C:\WINDOWS\System32\am772cfg.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mdqu1V4A] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe"] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe"] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [eatigpy] c:\windows\ocqwydm.exe
O4 - HKCU\..\Run: [ypquavp] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [jiusyxe] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [hgeijml] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [fyfuatj] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [racktvx] c:\windows\uubqvqp.exe
O4 - HKCU\..\Run: [isfrcud] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [npsevye] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [xytgngl] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [vmxiert] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [xnteywr] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [hpocpbq] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [ycvmmqx] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [ytksstd] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [xsfxmkh] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [rxxebgq] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [prqkixi] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [cwfpnsm] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [kykeelt] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [gbrpylv] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [qetaske] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [dohibho] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [fxpwkfh] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [poawofy] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [bkoqgkq] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [knevtxc] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [ofgcfha] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [krtpdjh] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [atkqpgf] c:\windows\usngguo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [jffsjkd] c:\windows\usngguo.exe
O4 - HKCU\..\Run: [mtgaywa] c:\windows\dhkcnaw.exe
O4 - HKCU\..\Run: [nrorejh] c:\windows\wweopbs.exe
O4 - HKCU\..\Run: [cqymbcs] c:\windows\xbxpmwf.exe
O4 - HKCU\..\Run: [nnmycut] c:\windows\wvxsfgv.exe
O4 - HKCU\..\Run: [ayhadbq] c:\windows\nqrkdwv.exe
O4 - HKCU\..\Run: [nmnkmjh] c:\windows\qthfbhn.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [sncfqxd] c:\windows\avclcgr.exe
O4 - HKCU\..\Run: [bqulkgy] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [xrlemwc] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [wgjphif] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [uysvbvw] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [axlsnsg] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [jyrwpjj] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [hiyrkae] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [leepdff] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [wlyfhdb] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [opefyyn] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [pkxhjah] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [yxlhtgq] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [celvhnm] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [ohsjcmm] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [rdcilcq] c:\windows\blpuhdk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102...//main.chm::/update.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe





:tazz:

Cheers, hoping this can be fixed

peb

#6
Rawe

Ok, firstly, can you please post a new HiJackThis log. Make sure WordWrap isn't selected in Notepad. Your log is hard to read like that.
Next, can you see if this works for you:

Please do an online scan with Kaspersky WebScanner

Next, click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Standard
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now, under Select a target to scan, select My Computer.
  • This program will start to scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Post the new HJT log with the Kaspersky results.

- Rawe :tazz:

#7
peb

Sorry about the wrap.

Here is my HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 17:16:29, on 06/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QKeys\QKeys.EXE
C:\Program Files\Wireless 11Mbps Network\XPFix.exe
C:\WINDOWS\System32\am772cfg.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\ocqwydm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QKeys] C:\Program Files\QKeys\QKeys.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alice] C:\Program Files\Wireless 11Mbps Network\XPFix.exe
O4 - HKLM\..\Run: [AMD Wireless Network Configuration] "C:\WINDOWS\System32\am772cfg.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mdqu1V4A] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe"] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe"] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [eatigpy] c:\windows\ocqwydm.exe
O4 - HKCU\..\Run: [ypquavp] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [jiusyxe] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [hgeijml] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [fyfuatj] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [racktvx] c:\windows\uubqvqp.exe
O4 - HKCU\..\Run: [isfrcud] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [npsevye] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [xytgngl] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [vmxiert] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [xnteywr] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [hpocpbq] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [ycvmmqx] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [ytksstd] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [xsfxmkh] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [rxxebgq] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [prqkixi] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [cwfpnsm] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [kykeelt] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [gbrpylv] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [qetaske] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [dohibho] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [fxpwkfh] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [poawofy] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [bkoqgkq] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [knevtxc] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [ofgcfha] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [krtpdjh] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [atkqpgf] c:\windows\usngguo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [jffsjkd] c:\windows\usngguo.exe
O4 - HKCU\..\Run: [mtgaywa] c:\windows\dhkcnaw.exe
O4 - HKCU\..\Run: [nrorejh] c:\windows\wweopbs.exe
O4 - HKCU\..\Run: [cqymbcs] c:\windows\xbxpmwf.exe
O4 - HKCU\..\Run: [nnmycut] c:\windows\wvxsfgv.exe
O4 - HKCU\..\Run: [ayhadbq] c:\windows\nqrkdwv.exe
O4 - HKCU\..\Run: [nmnkmjh] c:\windows\qthfbhn.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [sncfqxd] c:\windows\avclcgr.exe
O4 - HKCU\..\Run: [bqulkgy] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [xrlemwc] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [wgjphif] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [uysvbvw] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [axlsnsg] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [jyrwpjj] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [hiyrkae] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [leepdff] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [wlyfhdb] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [opefyyn] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [pkxhjah] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [yxlhtgq] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [celvhnm] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [ohsjcmm] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [rdcilcq] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [jnbwcmt] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [ijvietk] c:\windows\blpuhdk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102...hm::/update.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

#8 Rawe (Visiting Staff, 4,746 posts)
So, does Kaspersky's online scan work for you or not? If it does, I'd like to see that log please.

#9 peb (Topic Starter, 22 posts)
Scan in progress, I will give details later.


:tazz: peb

#10 peb (Topic Starter, 22 posts)
OK, here is the scan result.

Hope you can help.

peb

KASPERSKY ON-LINE SCANNER REPORT
Saturday, August 06, 2005 19:27:31
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/08/2005
Kaspersky Anti-Virus database records: 134083
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 69733
Number of viruses found: 12
Number of infected objects: 38
Number of suspicious objects: 13
Duration of the scan process: 7096 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots\RegDPF-Global.reg Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\paul\Local Settings\Temporary Internet Files\Content.IE5\KL88Z3S5\strpg[1].chm/update.exe Infected: Trojan.Win32.Small.ev
C:\Documents and Settings\paul\Local Settings\Temporary Internet Files\Content.IE5\KL88Z3S5\strpg[1].chm Infected: Trojan.Win32.Small.ev
C:\Documents and Settings\paul\Local Settings\Temporary Internet Files\Content.IE5\KL88Z3S5\update[1].exe Infected: Trojan.Win32.Small.ev
C:\My old Disk Structure -- 05-01-10 0812AM\Documents and Settings\Work\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/01 Apr 2004 23:14 from [email protected]:Mail Deliv.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\My old Disk Structure -- 05-01-10 0812AM\Documents and Settings\Work\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/05 Apr 2004 19:20 from [email protected]:Mail Delivery (failure .rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\My old Disk Structure -- 05-01-10 0812AM\Documents and Settings\Work\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/04 Apr 2004 16:53 from [email protected]:Mail Delivery (failu.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\My old Disk Structure -- 05-01-10 0812AM\Documents and Settings\Work\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/07 Apr 2004 23:09 from [email protected]:Mail Delivery (failure.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\My old Disk Structure -- 05-01-10 0812AM\Documents and Settings\Work\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/06 Apr 2004 22:59 from [email protected]:Mail Delivery (fa.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\My old Disk Structure -- 05-01-10 0812AM\Documents and Settings\Work\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/06 Apr 2004 16:36 from [email protected]:Mail Delivery (failu.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\My old Disk Structure -- 05-01-10 0812AM\Documents and Settings\Work\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/03 Apr 2004 20:58 from [email protected]:Mail Delivery (failu.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\My old Disk Structure -- 05-01-10 0812AM\Documents and Settings\Work\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/03 Apr 2004 16:55 from [email protected]:Mail Delivery (fail.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\My old Disk Structure -- 05-01-10 0812AM\Documents and Settings\Work\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Hijackthis\hijackthis.log Suspicious: Exploit.HTML.Mht
C:\Program Files\Hijackthis\hijackthis060805.txt Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP176\A0036178.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP176\A0037195.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP176\A0037282.exe Infected: Trojan-Downloader.Win32.Small.agq
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP176\A0037291.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP176\A0037332.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP176\A0037344.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP176\A0037360.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP176\A0037401.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP176\A0037417.exe Infected: Trojan-Downloader.Win32.Small.awa
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP177\A0037529.exe Infected: not-virus:BadJoke.Win32.Likesurf
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP177\A0037530.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP179\A0038583.reg Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP179\A0038608.exe Infected: not-virus:Hoax.Win32.Renos.j
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP179\A0038612.exe Infected: not-virus:Hoax.Win32.Renos.j
C:\WINDOWS\avclcgr.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\blpuhdk.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\dhkcnaw.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\expnrfc.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\fahmdau.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\gceetly.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\icc.dll Infected: Trojan.Win32.Dialer.kb
C:\WINDOWS\iccontrol.exe Infected: Trojan.Win32.Dialer.kb
C:\WINDOWS\nqrkdwv.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\ocqwydm.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\qthfbhn.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\rmcnclc.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\system32\frhdcjri.exe Infected: Trojan-Clicker.Win32.LowZones.c
C:\WINDOWS\system32\oleext.dll Infected: Trojan-Downloader.Win32.Agent.ns
C:\WINDOWS\system32\tobchaaa.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\system32\wininet.dll Infected: Virus.Win32.Nsag.b
C:\WINDOWS\usngguo.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\uubqvqp.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\wjdcclw.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\wvxsfgv.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\wweopbs.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\xbxpmwf.exe Infected: Trojan.Win32.StartPage.abc

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 19:29:16, on 06/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QKeys\QKeys.EXE
C:\Program Files\Wireless 11Mbps Network\XPFix.exe
C:\WINDOWS\System32\am772cfg.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\ocqwydm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QKeys] C:\Program Files\QKeys\QKeys.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alice] C:\Program Files\Wireless 11Mbps Network\XPFix.exe
O4 - HKLM\..\Run: [AMD Wireless Network Configuration] "C:\WINDOWS\System32\am772cfg.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mdqu1V4A] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe"] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe"] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [eatigpy] c:\windows\ocqwydm.exe
O4 - HKCU\..\Run: [ypquavp] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [jiusyxe] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [hgeijml] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [fyfuatj] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [racktvx] c:\windows\uubqvqp.exe
O4 - HKCU\..\Run: [isfrcud] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [npsevye] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [xytgngl] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [vmxiert] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [xnteywr] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [hpocpbq] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [ycvmmqx] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [ytksstd] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [xsfxmkh] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [rxxebgq] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [prqkixi] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [cwfpnsm] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [kykeelt] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [gbrpylv] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [qetaske] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [dohibho] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [fxpwkfh] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [poawofy] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [bkoqgkq] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [knevtxc] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [ofgcfha] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [krtpdjh] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [atkqpgf] c:\windows\usngguo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [jffsjkd] c:\windows\usngguo.exe
O4 - HKCU\..\Run: [mtgaywa] c:\windows\dhkcnaw.exe
O4 - HKCU\..\Run: [nrorejh] c:\windows\wweopbs.exe
O4 - HKCU\..\Run: [cqymbcs] c:\windows\xbxpmwf.exe
O4 - HKCU\..\Run: [nnmycut] c:\windows\wvxsfgv.exe
O4 - HKCU\..\Run: [ayhadbq] c:\windows\nqrkdwv.exe
O4 - HKCU\..\Run: [nmnkmjh] c:\windows\qthfbhn.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [sncfqxd] c:\windows\avclcgr.exe
O4 - HKCU\..\Run: [bqulkgy] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [xrlemwc] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [wgjphif] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [uysvbvw] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [axlsnsg] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [jyrwpjj] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [hiyrkae] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [leepdff] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [wlyfhdb] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [opefyyn] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [pkxhjah] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [yxlhtgq] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [celvhnm] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [ohsjcmm] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [rdcilcq] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [jnbwcmt] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [ijvietk] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [xgjjryh] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [aeqnsbd] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [sbrrwns] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [igiedxp] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [buipoej] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [lsrisas] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [bxoxhjs] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [kfhlrqy] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [fumdaws] c:\windows\blpuhdk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102...hm::/update.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

#11 Rawe (Visiting Staff, 4,746 posts)
OK, I guess we have to go at this manually then.

Please print these instructions out, or write them down, as you can't read them during the fix.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Download smitRem.exe and save the file to your desktop.
Double-click on the file to extract it to its own folder on the desktop.

Download
CleanUp

Run the CleanUp! installer and then run the program. Let the system reboot - boot up into Safe Mode;

Next, please reboot your computer in Safe Mode by doing the following;
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


=====
Run a scan with HiJackThis and check the following objects for removal;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Mdqu1V4A] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe"] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe"] C:\WINDOWS\imlxq.exe
O4 - HKCU\..\Run: [eatigpy] c:\windows\ocqwydm.exe
O4 - HKCU\..\Run: [ypquavp] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [jiusyxe] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [hgeijml] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [fyfuatj] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [racktvx] c:\windows\uubqvqp.exe
O4 - HKCU\..\Run: [isfrcud] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [npsevye] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [xytgngl] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [vmxiert] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [xnteywr] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [hpocpbq] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [ycvmmqx] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [ytksstd] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [xsfxmkh] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [rxxebgq] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [prqkixi] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [cwfpnsm] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [kykeelt] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [gbrpylv] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [qetaske] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [dohibho] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [fxpwkfh] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [poawofy] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [bkoqgkq] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [knevtxc] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [ofgcfha] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [krtpdjh] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [atkqpgf] c:\windows\usngguo.exe
O4 - HKCU\..\Run: [jffsjkd] c:\windows\usngguo.exe
O4 - HKCU\..\Run: [mtgaywa] c:\windows\dhkcnaw.exe
O4 - HKCU\..\Run: [nrorejh] c:\windows\wweopbs.exe
O4 - HKCU\..\Run: [cqymbcs] c:\windows\xbxpmwf.exe
O4 - HKCU\..\Run: [nnmycut] c:\windows\wvxsfgv.exe
O4 - HKCU\..\Run: [ayhadbq] c:\windows\nqrkdwv.exe
O4 - HKCU\..\Run: [nmnkmjh] c:\windows\qthfbhn.exe
O4 - HKCU\..\Run: [sncfqxd] c:\windows\avclcgr.exe
O4 - HKCU\..\Run: [bqulkgy] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [xrlemwc] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [wgjphif] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [uysvbvw] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [axlsnsg] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [jyrwpjj] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [hiyrkae] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [leepdff] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [wlyfhdb] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [opefyyn] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [pkxhjah] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [yxlhtgq] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [celvhnm] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [ohsjcmm] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [rdcilcq] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [jnbwcmt] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [ijvietk] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [xgjjryh] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [aeqnsbd] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [sbrrwns] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [igiedxp] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [buipoej] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [lsrisas] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [bxoxhjs] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [kfhlrqy] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [fumdaws] c:\windows\blpuhdk.exe
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102...hm::/update.exe


Close any other open windows and/or open browsers, making sure that only HiJackThis is running. Make sure that the above mentioned objects are all checked, then hit "Fix Checked".
=====

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Go to -> Start -> Control Panel -> Add/Remove programs and uninstall the following entry if present;

ISTsvc

Go to My Computer > Tools > Folder Options > View tab and make sure that "Show hidden files and folders" is enabled. Also make sure that the system files and folders are showing / visible: uncheck the "Hide protected operating system files" option.

Using Windows Explorer, locate the following files & folder and delete if present;

C:\Program Files\ISTsvc\ <= Entire Folder
C:\WINDOWS\imlxq.exe
c:\windows\ocqwydm.exe
c:\windows\fahmdau.exe
c:\windows\uubqvqp.exe
c:\windows\rmcnclc.exe
c:\windows\gceetly.exe
c:\windows\expnrfc.exe
c:\windows\wjdcclw.exe
c:\windows\usngguo.exe
c:\windows\dhkcnaw.exe
c:\windows\wweopbs.exe
c:\windows\xbxpmwf.exe
c:\windows\wvxsfgv.exe
c:\windows\nqrkdwv.exe
c:\windows\qthfbhn.exe
c:\windows\avclcgr.exe
c:\windows\blpuhdk.exe


Next, go to Control Panel, click Display > Desktop > Customize Desktop > Web, and uncheck "Security Info" if present.

Run CleanUp!, making sure to reboot!

Post a fresh HijackThis log along with the contents of the smitfiles.txt log.

- Rawe :tazz:

#12
peb

    Member

  • Topic Starter
  • 22 posts
Hi again,

Everything is looking different, but most things seem to have gone; however, my homepage is still hijacked. My computer crashed doing a disk clean, so I ran smitRem again. I hope that this hasn't messed up the log?

Thank you for all your time spent on this. I think that it is nearly cleaned!

Here are the log files:

Logfile of HijackThis v1.99.1
Scan saved at 09:50:26, on 07/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QKeys\QKeys.EXE
C:\Program Files\Wireless 11Mbps Network\XPFix.exe
C:\WINDOWS\System32\am772cfg.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QKeys] C:\Program Files\QKeys\QKeys.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alice] C:\Program Files\Wireless 11Mbps Network\XPFix.exe
O4 - HKLM\..\Run: [AMD Wireless Network Configuration] "C:\WINDOWS\System32\am772cfg.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [aavfgqh] c:\windows\dhkcnaw.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe



smitRem log file
version 2.3

by noahdfear

The current date is: 07/08/2005
The current time is: 9:16:26.50

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :tazz:

#13
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/

O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe

O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [aavfgqh] c:\windows\dhkcnaw.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab

Reboot into safe mode and delete:
C:\Program Files\NavExcel <= entire folder

After reboot, please download RKFiles from HERE
  • Unzip RKfiles.zip to the desktop
  • Double-click RKFiles.bat to run it.
    • It may take a while.
  • When it is finished a window should appear with a log.
  • Please copy the contents of the log and paste them here
    • Note: the log will be saved at c:\log.txt
Regards,
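Rawe's and Metallica's posts above both work by reading the same three things off the HijackThis log by eye: O4 Run entries whose value names look random and which all launch one executable under c:\windows, R0/R1 start and search pages that point at a host the user never chose, and the O16 DPF entry fetched through the ms-its:mhtml: protocol chain. The script below is an added example, not part of this thread and not a feature of HijackThis; it runs that triage over a constructed sample built from the kinds of lines posted here. The O16 host and path in the sample are placeholders rather than the ones in the log, the seven-lowercase-letter name heuristic is tuned to what peb's logs show, and the allow-list default (www.google.co.uk) is an assumption you would replace with the home page you actually expect. It also flags Run value names that contain non-ASCII or non-printable bytes, the pattern seen in the four ISTsvc entries of the later log.

```python
"""Triage a HijackThis log for the patterns handled in this thread.

Added example, not part of the thread or of HijackThis.  Heuristics are tuned
to what appears in peb's logs; everything reported is a lead to check by hand.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample modelled on lines posted in this thread.  The O16 host and
# path are placeholders, not the ones from the real log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [bqulkgy] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [xrlemwc] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [wgjphif] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://placeholder.invalid/x.chm::/update.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>.*)\] (?P<cmd>\S.*)$")
R_RE = re.compile(r"^R[01] - .+ = (?P<value>\S+)$")
# Executable path at the start of a Run command line, quoted or bare.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(?=\s|$)', re.I)
RANDOM_NAME_RE = re.compile(r"[a-z]{7}")           # the 7-letter names in peb's logs (assumption)
WINDIR_EXE_RE = re.compile(r"c:\\windows\\[a-z0-9_]+\.exe", re.I)


def target_of(cmd):
    """Return the lower-cased executable path launched by a Run command line."""
    m = EXE_RE.match(cmd)
    return (m.group("path") if m else cmd).lower()


def parse_o4(line):
    """Split an O4 Run line into (hive, value name, executable path), or None."""
    m = O4_RE.match(line)
    if not m:
        return None
    return m.group("hive"), m.group("name"), target_of(m.group("cmd"))


def triage(log_text, trusted_hosts=("www.google.co.uk",)):
    """Return a dict of finding category -> offending lines (or name groups)."""
    findings = {
        "random_name": [],      # value name is 7 lowercase letters
        "garbage_name": [],     # value name holds non-ASCII or non-printable bytes
        "windows_dir_exe": [],  # target is a bare exe directly under c:\windows
        "redirected_url": [],   # start/search page points outside the allow-list
        "ms_its_dpf": [],       # O16 object fetched via the ms-its:mhtml: chain
        "shared_target": {},    # executable -> all value names that launch it
    }
    by_target = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        parsed = parse_o4(line)
        if parsed:
            _hive, name, target = parsed
            by_target[target].append(name)
            if RANDOM_NAME_RE.fullmatch(name):
                findings["random_name"].append(line)
            if not name.isascii() or not name.isprintable():
                findings["garbage_name"].append(line)
            if WINDIR_EXE_RE.fullmatch(target):
                findings["windows_dir_exe"].append(line)
            continue
        m = R_RE.match(line)
        if m:
            url = urlparse(m.group("value"))
            if url.scheme in ("http", "https") and url.hostname not in trusted_hosts:
                findings["redirected_url"].append(line)
            continue
        if line.startswith("O16 - DPF:") and "ms-its:" in line.lower():
            findings["ms_its_dpf"].append(line)
    # One executable registered under many names is the pattern that dominated
    # peb's logs (dozens of value names all launching blpuhdk.exe).
    findings["shared_target"] = {t: n for t, n in by_target.items() if len(n) > 1}
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"== {category} ({len(items)})")
        if isinstance(items, dict):
            for target, names in items.items():
                print(f"  {target}: {', '.join(names)}")
        else:
            for item in items:
                print(f"  {item}")
```

Run it as a script to print the summary for the built-in sample, or import triage() and pass it the text of a saved log. Every category is a lead for a person to check rather than a verdict: the directory and name heuristics can catch legitimate entries, which is why the helpers in this thread still list each line explicitly before asking for "Fix checked".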

#14
peb

    Member

  • Topic Starter
  • 22 posts
Hello again,

Before I do everything, I think that you should see my new log. It looks like it is all back again! Could you let me know what else to delete?

Logfile of HijackThis v1.99.1
Scan saved at 10:51:01, on 07/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QKeys\QKeys.EXE
C:\Program Files\Wireless 11Mbps Network\XPFix.exe
C:\WINDOWS\System32\am772cfg.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QKeys] C:\Program Files\QKeys\QKeys.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alice] C:\Program Files\Wireless 11Mbps Network\XPFix.exe
O4 - HKLM\..\Run: [AMD Wireless Network Configuration] "C:\WINDOWS\System32\am772cfg.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Mdqu1V4A] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe"] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe"] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\imlxq.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [aavfgqh] c:\windows\dhkcnaw.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [eatigpy] c:\windows\ocqwydm.exe
O4 - HKCU\..\Run: [ypquavp] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [jiusyxe] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [hgeijml] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [fyfuatj] c:\windows\fahmdau.exe
O4 - HKCU\..\Run: [racktvx] c:\windows\uubqvqp.exe
O4 - HKCU\..\Run: [isfrcud] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [npsevye] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [xytgngl] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [vmxiert] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [xnteywr] c:\windows\rmcnclc.exe
O4 - HKCU\..\Run: [hpocpbq] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [ycvmmqx] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [ytksstd] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [xsfxmkh] c:\windows\gceetly.exe
O4 - HKCU\..\Run: [rxxebgq] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [prqkixi] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [cwfpnsm] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [kykeelt] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [gbrpylv] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [qetaske] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [dohibho] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [fxpwkfh] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [poawofy] c:\windows\expnrfc.exe
O4 - HKCU\..\Run: [bkoqgkq] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [knevtxc] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [ofgcfha] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [krtpdjh] c:\windows\wjdcclw.exe
O4 - HKCU\..\Run: [atkqpgf] c:\windows\usngguo.exe
O4 - HKCU\..\Run: [jffsjkd] c:\windows\usngguo.exe
O4 - HKCU\..\Run: [mtgaywa] c:\windows\dhkcnaw.exe
O4 - HKCU\..\Run: [nrorejh] c:\windows\wweopbs.exe
O4 - HKCU\..\Run: [cqymbcs] c:\windows\xbxpmwf.exe
O4 - HKCU\..\Run: [nnmycut] c:\windows\wvxsfgv.exe
O4 - HKCU\..\Run: [ayhadbq] c:\windows\nqrkdwv.exe
O4 - HKCU\..\Run: [nmnkmjh] c:\windows\qthfbhn.exe
O4 - HKCU\..\Run: [sncfqxd] c:\windows\avclcgr.exe
O4 - HKCU\..\Run: [bqulkgy] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [xrlemwc] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [wgjphif] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [uysvbvw] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [axlsnsg] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [jyrwpjj] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [hiyrkae] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [leepdff] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [wlyfhdb] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [opefyyn] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [pkxhjah] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [yxlhtgq] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [celvhnm] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [ohsjcmm] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [rdcilcq] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [jnbwcmt] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [ijvietk] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [xgjjryh] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [aeqnsbd] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [sbrrwns] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [igiedxp] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [buipoej] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [lsrisas] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [bxoxhjs] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [kfhlrqy] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [fumdaws] c:\windows\blpuhdk.exe
O4 - HKCU\..\Run: [oscdndo] c:\windows\fegmteb.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102...hm::/update.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

#15
peb

    Member

  • Topic Starter
  • 22 posts
Looking better, but my desktop is alternating between being blank and saying that I am infected.

Log file:

C:\Documents and Settings\paul\My Documents\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\avisynth.dll: UPX!
C:\WINDOWS\system32\fmnvfaaa.exe: UPX!
C:\WINDOWS\system32\frhdcjri.exe: UPX!
C:\WINDOWS\system32\oleext.dll: UPX!
C:\WINDOWS\system32\tobchaaa.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\oembios.bin: PEc2x

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\madchook.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye


Also, a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:54:20, on 07/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QKeys\QKeys.EXE
C:\Program Files\Wireless 11Mbps Network\XPFix.exe
C:\WINDOWS\System32\am772cfg.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QKeys] C:\Program Files\QKeys\QKeys.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alice] C:\Program Files\Wireless 11Mbps Network\XPFix.exe
O4 - HKLM\..\Run: [AMD Wireless Network Configuration] "C:\WINDOWS\System32\am772cfg.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102...hm::/update.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
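The RKFiles output above lists every executable under system32 and the Windows folder that contains the UPX packer marker (the "UPX!" tag printed after each path), which is why its own header warns that legitimate files are listed alongside malware: packing is common in both, so a hit means only "this file is packed", not "this file is bad". As an added example that is not part of the thread or of RKFiles, the Python below reproduces that check over a scratch folder it builds itself from constructed byte strings (a bare MZ/PE stub, and the same stub with the markers embedded). The marker list is an assumption about what such string scans look for, and the file names and contents are constructed, not real binaries.

```python
"""Reproduce an RKFiles-style packer-marker scan over constructed files.

Added example, not part of the thread or of RKFiles.  The marker list is an
assumption about what such string scans look for; the file contents below are
constructed stubs, not real binaries.
"""
import os
import shutil
import tempfile

# "UPX!" is the tag the log above prints after each path; UPX0/UPX1 are the
# section names the UPX packer writes.  (Assumed marker set.)
PACKER_MARKERS = (b"UPX!", b"UPX0", b"UPX1")

# Constructed contents: a bare MZ/PE stub, and the same stub with UPX markers
# embedded where a packed image would carry them.
PLAIN_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64
PACKED_STUB = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 16
               + b"UPX0" + b"\x00" * 36 + b"UPX!" + b"\x00" * 8)


def packer_marker(data):
    """Return the first packer marker present in the bytes, or None."""
    for marker in PACKER_MARKERS:
        if marker in data:
            return marker.decode("ascii")
    return None


def scan_dir(path, extensions=(".exe", ".dll")):
    """Map each executable under `path` that carries a marker to that marker.

    As with the RKFiles output, a hit says only that the file is packed;
    packing is used by legitimate software too, so each hit needs a human look.
    """
    hits = {}
    for entry in sorted(os.scandir(path), key=lambda e: e.name):
        if not entry.is_file() or not entry.name.lower().endswith(extensions):
            continue
        with open(entry.path, "rb") as fh:
            marker = packer_marker(fh.read())
        if marker:
            hits[entry.name] = marker
    return hits


def build_sample_dir():
    """Write the constructed stubs into a scratch folder; returns its path."""
    folder = tempfile.mkdtemp(prefix="rkfiles_demo_")
    samples = (("plain.dll", PLAIN_STUB), ("packed.exe", PACKED_STUB),
               ("notes.txt", PACKED_STUB))   # .txt is outside the scanned types
    for name, data in samples:
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return folder


def demo():
    """Build the scratch folder, scan it, clean up, and return the hits."""
    folder = build_sample_dir()
    try:
        return scan_dir(folder)
    finally:
        shutil.rmtree(folder, ignore_errors=True)


if __name__ == "__main__":
    for name, marker in demo().items():
        print(f"{name}: {marker}")
```

Point scan_dir() at a real folder to get the same path-to-marker listing the log shows; the extension filter is what keeps text files such as notes.txt out of the results even when they contain the marker string.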