Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

elitebwr32.exe problem and others [CLOSED]


  • This topic is locked This topic is locked

#1
Strey

Strey

    Member

  • Member
  • PipPip
  • 21 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:35:15 AM, on 8/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wupdmgr.exe
C:\WINDOWS\system32\wupdmgr.exe
C:\Downloads\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {485B619B-22DA-C1C4-864D-56E13F0369A7} - C:\WINDOWS\system32\khbptyea.dll (file missing)
O2 - BHO: (no name) - {555C812D-BCF4-859D-4BA5-6801475ED4A6} - C:\WINDOWS\system32\vkiodbbb.dll
O2 - BHO: (no name) - {95EB667E-E405-D2BA-AC35-B3A334A6D3B8} - C:\WINDOWS\system32\vjsmvoct.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitebwr32.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ecyafnft] C:\WINDOWS\system32\ecyafnft.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Help would be much obliged.

-Strey
  • 0

Advertisements


#2
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hello and welcome to GeeksToGo! My name is Kat, and I will be helping you get your computer fixed back up and on the go! You should either print these instructions, or save them to a Notepad file on your desktop. Part of the fix may require you to be in Safe Mode, and you will be unable to access the internet at that time!


Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Reboot into SAFE MODE . Do this by repeatedly tapping the F8 key as the computer begins to boot up. You will be taken to a screen where you can use your keyboard "arrow" keys to move the cursor and highlight "Safe Mode", then click the "enter" button.
  • Once in Safe Mode, you are going to run Ewido as follows. It is VERY IMPORTANT that you do not "multi task" while Ewido runs. Please do not open/run ANYTHING else during the scan...this includes all files, programs, folders, games, etc. ONLY have Ewido running.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.



Make a reply here with a copy of the report from Ewido, along with a fresh HijackThis log, and I'll help you finish cleaning up! :tazz:
  • 0

#3
Strey

Strey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Logfile of HijackThis v1.99.1
Scan saved at 12:46:34 PM, on 8/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {485B619B-22DA-C1C4-864D-56E13F0369A7} - C:\WINDOWS\system32\khbptyea.dll (file missing)
O2 - BHO: (no name) - {555C812D-BCF4-859D-4BA5-6801475ED4A6} - C:\WINDOWS\system32\vkiodbbb.dll (file missing)
O2 - BHO: (no name) - {95EB667E-E405-D2BA-AC35-B3A334A6D3B8} - C:\WINDOWS\system32\vjsmvoct.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ecyafnft] C:\WINDOWS\system32\ecyafnft.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:44:09 PM, 8/29/2005
+ Report-Checksum: 84F1F576

+ Scan result:

C:\WINDOWS\system32\in10b6.dll -> Adware.eZula : Ignored
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic : Ignored
HKLM\SOFTWARE\Classes\CLSID\{0199DF25-9820-4bd5-9FEE-5A765AB4371E} -> Spyware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} -> Spyware.SearchMiracle : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} -> Spyware.EliteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-527237240-1604221776-725345543-1003\Software\LQ -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-527237240-1604221776-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0199DF25-9820-4BD5-9FEE-5A765AB4371E} -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-527237240-1604221776-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} -> Spyware.SearchMiracle : Cleaned with backup
HKU\S-1-5-21-527237240-1604221776-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david trinh@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][1].txt -> Spyware.Cookie.Adocean : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david trinh@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david trinh@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david trinh@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david trinh@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david trinh@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david trinh@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david trinh@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david trinh@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david trinh@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david trinh@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david trinh@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\David Trinh\Cookies\david [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\cln133.tmp -> TrojanDownloader.Dyfuca.dp : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\common.dll -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david [email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david trinh@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david [email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david trinh@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david trinh@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david trinh@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david trinh@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david [email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david trinh@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david trinh@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david trinh@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david [email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david [email protected][2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david trinh@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david trinh@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david trinh@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david trinh@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\Cookies\david [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\iDD.tmp -> TrojanDownloader.Totavel.a : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\TBPS.exe -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\tb_setup.exe -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\temp.cab/IExploreSkins.exe -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\David Trinh\Local Settings\Temp\temp.cab/TBPS.exe -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\David Trinh\Local Settings\Temp\temp.cab/common.dll -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\David Trinh\Local Settings\Temp\temp.cab/toolbar.dll -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\David Trinh\Local Settings\Temp\temp.fr40F0 -> TrojanDownloader.Yimg.a : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\temp.frA3CC\MediaAccess.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\temp.frF644\Tvm.exe -> Spyware.TotalVelocity : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\toolbar.dll -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\~ZYB3.tmp -> Spyware.F1Organizer : Cleaned with backup
C:\Documents and Settings\David Trinh\Local Settings\Temp\~ZYDC.tmp -> Spyware.F1Organizer : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6J8LGNIP\c_2_0[1].txt -> TrojanProxy.Agent.l : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6J8LGNIP\g_1_0[1].txt -> Trojan.Favadd.n : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MTOV23YZ\d_19_0[1].txt -> Trojan.Golid.F : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\Common Files\SearchUpgrader\SearchUpgrader.exe -> TrojanDownloader.Keenval.g : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\etb\nt_hide63.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\etb\xud_63.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\HLInstaller3.exe -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\MrDrej.exe -> TrojanDropper.Agent.kd : Cleaned with backup
C:\WINDOWS\system32\d15.exe -> TrojanDownloader.Small.akj : Cleaned with backup
C:\WINDOWS\system32\drivers\gpddybxy.sys -> Trojan.Agent.aw : Cleaned with backup
C:\WINDOWS\system32\elitebwr32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\GoGo9CP.dll -> TrojanDropper.Small.so : Cleaned with backup
C:\WINDOWS\system32\HyperLinker3.exe -> Spyware.iSearch : Cleaned with backup
C:\WINDOWS\system32\ifbxywbv.exe -> TrojanProxy.Agent.l : Cleaned with backup
C:\WINDOWS\system32\LC.exe -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\system32\lhxvrzaz.exe -> Trojan.Favadd.n : Cleaned with backup
C:\WINDOWS\system32\PreInstaller_p1.exe -> TrojanDownloader.Keenval.o : Cleaned with backup
C:\WINDOWS\system32\vjsmvoct.dll -> Trojan.Golid.F : Cleaned with backup
C:\WINDOWS\system32\vkiodbbb.dll -> TrojanDropper.Agent.fu : Cleaned with backup
C:\WINDOWS\system32\wcjdrdlb.exe -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End

So far so good, so what would be next?

-Strey

Edited by Strey, 29 August 2005 - 01:50 PM.

  • 0

#4
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Looking much better! :) Lets get to work, shall we? :tazz:

1. Download LQfix.exe and place it on your desktop.
Doubleclick LQfix.exe and click install.
This will create a new folder called LQfix on your desktop.

2. Please download CleanUp! and install it. DOn't use it yet, we will use it later! :)

3. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - {485B619B-22DA-C1C4-864D-56E13F0369A7} - C:\WINDOWS\system32\khbptyea.dll (file missing)
O2 - BHO: (no name) - {555C812D-BCF4-859D-4BA5-6801475ED4A6} - C:\WINDOWS\system32\vkiodbbb.dll (file missing)
O2 - BHO: (no name) - {95EB667E-E405-D2BA-AC35-B3A334A6D3B8} - C:\WINDOWS\system32\vjsmvoct.dll (file missing)

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ecyafnft] C:\WINDOWS\system32\ecyafnft.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Viewpoint
Please note any other programs that you dont recognize in that list in your next response

Please delete these folders using Windows Explorer(if present):

C:\Program Files\Viewpoint
Please delete these files using Windows Explorer(if present):
C:\WINDOWS\system32\ecyafnft.exe


4. Open the LQFix folder on your desktop and doubleclick ClickThis.bat
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.

5. Once the reboot is complete, open the CleanUp program, and then click the CleanUp button. Let it scan your system and remove all leftover nasties.

6. Make a reply here with a fresh HijackThis log, and let me know how things are running now! :)
  • 0

#5
Strey

Strey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:17:43 PM, on 8/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {485B619B-22DA-C1C4-864D-56E13F0369A7} - (no file)
O2 - BHO: (no name) - {555C812D-BCF4-859D-4BA5-6801475ED4A6} - (no file)
O2 - BHO: (no name) - {95EB667E-E405-D2BA-AC35-B3A334A6D3B8} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Everything is looking good so far, hopefully that was all of it. Thanks a bunch for the help.

-Strey
  • 0

#6
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
welcome back!! The instructions worked! :tazz: There are a couple of leftovers we need to get. We'll try to remove them using HJT. If that doesn't work, we'll run a small regfile to kill them. Both of these methods are very quick and easy for you to do :)

First..

Reboot into SAFE MODE again. Then AFTER you're in Safe Mode, run a HJT scan and place a check next to the following entries only:

O2 - BHO: (no name) - {485B619B-22DA-C1C4-864D-56E13F0369A7} - (no file)
02 BHO: (no name) - {555C812D-BCF4-859D-4BA5-6801475ED4A6} - (no file)
O2 - BHO: (no name) - {95EB667E-E405-D2BA-AC35-B3A334A6D3B8} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab


Be sure nothing else is open and click the "Fix Selected" button. Reboot normally, then post me a new HijackThis log here in a reply! :)
  • 0

#7
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP