
a lot of malware affecting internet


  • This topic is locked

#1
elle0622

    New Member

  • Member
  • 7 posts
When I click on Internet Explorer, rather than getting my home page I get something that says "Premium Search Results" that displays a lot of links. It says it's from the Local Settings..Temp folder. Then when I search on Google I don't get real results, but links similar to the ones on my 'home page.' When I tried to download Opera and Mozilla Firefox they both said they could not establish an internet connection. Lastly, as of yesterday, AIM won't work, and displays the message "The AIM service cannot be reached."

Here's the HiJack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 2:03:30 PM, on 8/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\clusapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\secserv.exe
C:\WINDOWS\System32\secserv.exe
C:\WINDOWS\system\SMSS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Maryellen\Local Settings\Temporary Internet Files\Content.IE5\FQCJFLWD\HijackThis[1].exe

O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\MARYEL~1\LOCALS~1\Temp\qlwxajevuxm.dll
O4 - HKLM\..\Run: [secserv.exe] C:\WINDOWS\System32\secserv.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\kedhe319.dll (file missing)
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\shlgntfy.dll (file missing)
O21 - SSODL: fALpymUAC - {FC17FDB6-56BD-571C-8A4D-8B4CC7A201AD} - C:\WINDOWS\System32\gwk.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: clusapi - Unknown owner - C:\WINDOWS\System32\clusapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity_BackUp) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thank you for any help possible.
  • 0


#2
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome elle0622 to Geeks to Go!


We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Download and unzip http://metallica.gee...m/MADEbyOSC.zip
Run the file by double-clicking metallica.bat
and post the log.
Do not reboot until I have looked at your log and given you the next step.
If you have to reboot repeat this part when you are back online.
  • 0

#3
elle0622

    New Member

  • Topic Starter
  • Member
  • 7 posts
Thank you for your help so far. Do I copy the log from the metallica file or a new HiJack This log? If I'm supposed to be copying the one from the metallica file, how do I do it? I tried to copy it, but I couldn't. Sorry for any confusion, I'm not that great with computers.
Thanks again!

(just in case you meant the HijackThis log, this is it):
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system\SVCHOST.EXE
C:\WINDOWS\system\SMSS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system\SVCHOST.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system\SVCHOST.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O21 - SSODL: fALpymUAC - {FC17FDB6-56BD-571C-8A4D-8B4CC7A201AD} - C:\WINDOWS\System32\gwk.dll
  • 0

#4
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Once you double-click the metallica file, it opens up a notepad file when it's done.

Copy and paste me the text it shows.
  • 0

#5
elle0622

    New Member

  • Topic Starter
  • Member
  • 7 posts
************************************
**These are the hidden files found**
************************************
Volume in drive C is HP_PAVILION
Volume Serial Number is FC17-FDB5

Directory of C:\DOCUME~1\MARYEL~1\LOCALS~1\Temp

08/11/2005 04:39 PM 49,664 gtuxsbmdqde.dll
08/11/2005 04:36 PM 49,664 hudydedghkp.dll
08/11/2005 04:30 PM 49,664 mncbqjkxyze.dll
02/19/2004 05:15 PM <DIR> Temporary Directory 1 for AdobePhotoshopCS.zip
09/28/2004 06:55 PM <DIR> Temporary Directory 1 for hijackthis.zip
08/28/2005 12:46 AM <DIR> Temporary Directory 1 for MADEbyOSC.zip
04/13/2005 02:37 PM <DIR> Temporary Directory 2 for AdobePhotoshopCS.zip
08/28/2005 08:42 AM <DIR> Temporary Directory 2 for MADEbyOSC.zip
08/11/2005 04:33 PM 49,664 wrspupwvche.dll
08/26/2005 01:52 PM 49,664 wtsvyzmpapu.dll
08/20/2005 11:11 PM 49,664 yjavcjsvudw.dll
6 File(s) 297,984 bytes
5 Dir(s) 76,540,325,888 bytes free
************************************
**These are the system files found**
************************************
Volume in drive C is HP_PAVILION
Volume Serial Number is FC17-FDB5

Directory of C:\DOCUME~1\MARYEL~1\LOCALS~1\Temp

08/06/2005 03:44 AM <DIR> Cookies
08/11/2005 04:39 PM 49,664 gtuxsbmdqde.dll
01/26/2004 04:25 PM <DIR> History
08/11/2005 04:36 PM 49,664 hudydedghkp.dll
08/11/2005 04:30 PM 49,664 mncbqjkxyze.dll
01/26/2004 04:25 PM <DIR> Temporary Internet Files
08/11/2005 04:33 PM 49,664 wrspupwvche.dll
08/26/2005 01:52 PM 49,664 wtsvyzmpapu.dll
08/20/2005 11:11 PM 49,664 yjavcjsvudw.dll
6 File(s) 297,984 bytes
3 Dir(s) 76,540,325,888 bytes free
  • 0

#6
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
If you had to reboot repeat this part when you are back online.

In that case, don't follow the advice.

Please disable SpySweeper, as it will stand in the way of us cleaning up:
To disable SpySweeper Shields
  • Click Shields on the left.
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Exit Spysweeper.
***

*Click Here to download Killbox by Option^Explicit.
*Close all Internet Explorer windows
*Double-click on Killbox.exe to start the program.
*In the killbox program, select the Standard File Kill and put a checkmark in the "End Explorer Shell While Killing File" box.
C:\DOCUME~1\MARYEL~1\LOCALS~1\Temp\gtuxsbmdqde.dll
*Click the red-and-white "Delete File" button.
*Your taskbar will disappear for a short while
Repeat this for the following files:
C:\DOCUME~1\MARYEL~1\LOCALS~1\Temp\hudydedghkp.dll
C:\DOCUME~1\MARYEL~1\LOCALS~1\Temp\mncbqjkxyze.dll
C:\DOCUME~1\MARYEL~1\LOCALS~1\Temp\wrspupwvche.dll
C:\DOCUME~1\MARYEL~1\LOCALS~1\Temp\wtsvyzmpapu.dll
C:\DOCUME~1\MARYEL~1\LOCALS~1\Temp\yjavcjsvudw.dll


*In the killbox program, select the Delete on Reboot option.

*Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\system32\bootpd.exe
C:\WINDOWS\system32\scrsvc.exe


*For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

After the reboot, run HijackThis and put checkmarks in front of the following items.
Close all windows except HijackThis and click Fix checked:

O21 - SSODL: fALpymUAC - {FC17FDB6-56BD-571C-8A4D-8B4CC7A201AD} - C:\WINDOWS\System32\gwk.dll


Close HiJackThis.

***

Download, install, and run CleanUp!

Download and unzip the hosts file from http://www.mvps.org/...p2002/hosts.htm to the folder that is right for your Windows version.
Acknowledge that you want to overwrite the hosts file that is present, except if you were using the hosts file for something useful before this happened.
This is often true in corporate networks; if you are not sure, ask the System Administrator.

***

If you do not have the Google Toolbar installed, you can delete this folder:
c:\program files\google

***

To remove PremiumSearch StartPage from Add/Remove Software, you can use HijackThis.
Click Config > Misc Tools > Open Uninstall Manager > Select PremiumSearch Startpage and click Delete this entry.

***

Reboot again and post back a fresh HijackThis log.
Let me know how things are now.
  • 0

#7
elle0622

    New Member

  • Topic Starter
  • Member
  • 7 posts
Thank you again, and I did all you said to do. Here's my newest HiJack This log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system\SVCHOST.EXE
C:\WINDOWS\system\SMSS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system\SVCHOST.EXE
C:\Program Files\HJT\HijackThis.exe

O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system\SVCHOST.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O21 - SSODL: fALpymUAC - {FC17FDB6-56BD-571C-8A4D-8B4CC7A201AD} - C:\WINDOWS\System32\gwk.dll
  • 0

#8
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable SpySweeper Shields
  • Click Shields on the left.
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Exit Spysweeper.
***

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\system\SVCHOST.EXE

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Reboot to safe mode.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system\SVCHOST.EXE


O21 - SSODL: fALpymUAC - {FC17FDB6-56BD-571C-8A4D-8B4CC7A201AD} - C:\WINDOWS\System32\gwk.dll

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Still in safe mode.
Run a scan using Ewido. Save the log.

***

Reboot to normal mode. Post me a fresh HijackThis log and the Ewido log.
  • 0
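The indicators acted on in this thread (hosts-file redirects reported as O1 lines, system-named processes running from the wrong directory, and shell extensions loaded from a Temp folder) can be pulled out of a HijackThis log mechanically. The following is an added example, not part of the original posts and not a HijackThis feature; the sample log is constructed, and `EXPECTED_DIR` assumes a default Windows XP install under `C:\WINDOWS`.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in HijackThis log format; addresses, names and the CLSID are placeholders.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system\SVCHOST.EXE
C:\WINDOWS\system\SMSS.EXE
C:\WINDOWS\Explorer.EXE

O1 - Hosts: 203.0.113.7 www.search.example
O1 - Hosts: 203.0.113.7 www.search.example.net
O1 - Hosts: 203.0.113.7 mail.search.example
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\DOCUME~1\USER\LOCALS~1\Temp\abcdefghijk.dll
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\system\SVCHOST.EXE
"""

# Assumption: default XP layout, where each of these binaries lives in exactly one directory.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Targets used by ordinary or ad-blocking hosts files; these do not redirect traffic elsewhere.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def running_processes(log):
    """Return the paths listed between 'Running processes:' and the next blank line."""
    paths, in_block = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_block = True
        elif in_block and not line:
            break
        elif in_block:
            paths.append(line)
    return paths


def hosts_redirects(log):
    """Group O1 hosts-file entries by target IP, skipping local sink addresses."""
    by_ip = defaultdict(list)
    for m in re.finditer(r"^O1 - Hosts:[ \t]+(\S+)[ \t]+(\S+)", log, re.MULTILINE):
        ip, name = m.groups()
        if ip not in LOCAL_SINKS:
            by_ip[ip].append(name.lower())
    return dict(by_ip)


def masquerading(log):
    """Running processes named like a system binary but started from another directory."""
    hits = []
    for path in running_processes(log):
        name = ntpath.basename(path).lower()
        if name in EXPECTED_DIR and ntpath.dirname(path).lower() != EXPECTED_DIR[name]:
            hits.append(path)
    return hits


def modules_from_temp(log):
    """O2/O20/O21 entries (BHO, Winlogon Notify, SSODL) whose DLL sits in a Temp folder."""
    hits = []
    for m in re.finditer(r"^(O2|O20|O21) - (.+)$", log, re.MULTILINE):
        dll = m.group(2).rsplit(" - ", 1)[-1]
        if "\\temp\\" in dll.lower():
            hits.append((m.group(1), dll))
    return hits


if __name__ == "__main__":
    print(hosts_redirects(SAMPLE_LOG), masquerading(SAMPLE_LOG), modules_from_temp(SAMPLE_LOG))
```

A hit from any of the three functions is a lead for manual review, not a verdict: a corporate hosts file or a relocated Windows directory will also trigger them.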

#9
elle0622

    New Member

  • Topic Starter
  • Member
  • 7 posts
Unfortunately, I cannot do all of that yet, because I've encountered another problem. I cannot log onto my account on Windows XP, because every time I do so it freezes. When I open the task manager to try to end some processes, the computer won't let me end any of them, and then moving the task manager shows duplicates of it on the screen, and I have to restart the computer again. Other accounts on the computer log in fine, but there are things I need to access on mine. Sorry for the diversion, and thank you for your patience and any help you can give.
  • 0

#10
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please use another account then, preferably one with full rights.
  • 0

#11
elle0622

    New Member

  • Topic Starter
  • Member
  • 7 posts
I can use another account, but is there any way to make it not freeze when I sign into that account? There's a lot of important things I need to access in that particular one. Thanks.
  • 0

#12
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
My guess is that if we can clean out some trouble, we may be able to try again.


EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 23 September 2005 - 04:50 PM.

  • 0





