Trojan horse startpage 19.AO [CLOSED]



#1
Julie_Anne

    New Member

  • Member
  • 5 posts
I have tried all of the suggested steps in your article. Some worked, some I could not even get on the screen. I have saved the hijack log and will include it below. Spyware, viruses and this trojan horse are preventing me from starting w/ my start page and are often directing me to sites that I have not asked to go to. Please help. I am using Windows ME. I certainly appreciate your time and assistance.

Logfile of HijackThis v1.99.1
Scan saved at 7:21:51 PM, on 9/19/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\APIIB32.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\2WIRE HOMEPORTAL MONITOR\2PORTALMON.EXE
C:\WINDOWS\JAVATX.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://top-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://windfind4u.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://top-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bellsouth,net:110
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {8EDF824F-428B-3210-54F5-E0B4F0653964} - C:\WINDOWS\SYSTEM\SDKJT.DLL
O2 - BHO: (no name) - {91624752-7C89-45AA-8662-65B4FC590C29} - C:\WINDOWS\SYSTEM\CGFF.DLL (file missing)
O2 - BHO: Class - {0B49DBF5-766B-A933-707E-C0D543F141BB} - C:\WINDOWS\CRSI.DLL
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE HOMEPORTAL MONITOR\2PORTALMON.EXE
O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\COMPAQ\Scroll Mouse\gnetmous.exe
O4 - HKLM\..\Run: [systemdll] install2.exe
O4 - HKLM\..\Run: [WhatsNewBot] TRPT.exe
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [JAVATX.EXE] C:\WINDOWS\JAVATX.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [APIIB32.EXE] C:\WINDOWS\SYSTEM\APIIB32.EXE /s
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PavProc] "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [UserSp1] avpmondll.exe
O4 - HKCU\..\Run: [_ctcp] prgsys0984.exe
O4 - HKCU\..\Run: [Dest068] sysmon12.exe
O4 - HKCU\..\Run: [ulwftjm] c:\windows\nbydhcy.exe
O4 - HKCU\..\Run: [qcytpjo] c:\windows\nbydhcy.exe
O4 - HKCU\..\Run: [sefduwl] c:\windows\nbydhcy.exe
O4 - HKCU\..\Run: [xjoepsd] c:\windows\xcntcva.exe
O4 - HKCU\..\Run: [sqoxgjb] c:\windows\xcntcva.exe
O4 - HKCU\..\Run: [ycholkv] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [swkojvs] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [qxatwdf] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [qntdlet] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [oreivin] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [yqevvln] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [jttxkqj] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [wwltpij] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [jxsiksr] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [kupxbja] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [mjjediq] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [fmxqixa] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [qaarybf] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [oyuhvtu] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [tcglgvh] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [krdbuql] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [ikyoykg] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [ipditkn] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [jfpvsni] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [vbtiljh] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [lfiysuf] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [lnyxgvp] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [jejaruo] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [ajbwhib] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [ohljbhs] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [xxvjcof] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [arewycj] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [tyrtohw] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [iikkoal] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [mphvyei] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [hcdmiet] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [cyygyus] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [sgtoepe] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [bdrfupo] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [rypiwmw] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [sextsxv] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [worlcud] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [qfrocui] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [jrdhhxt] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [nqcsmgw] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [nkkdnvv] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [dixqfbo] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [wyjpxva] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [jyepbho] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [topmund] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [xbsnmep] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [udydggu] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [xyfgjxe] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [stjqkrb] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [iiwscfy] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [wegidya] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [cwpxhtl] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [hsjciwo] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [qivakhi] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [borptmk] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [bxrlhwe] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [sccqset] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [oxexxhd] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [bwkkqqk] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [bwehkip] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [avjvcto] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [soauimc] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [uooklee] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [mamvgax] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [iftbyqv] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [vxmxfhk] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [amvrwlg] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [qnhraip] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [keerdif] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [rnfudxl] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [hsuavib] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [vlypetv] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [fixhhod] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [vlpjrex] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [wfitfpd] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [heyvsrd] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [wkqvexq] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [ucmacup] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [xmfpuwr] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [yeeivyn] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [wdjykqn] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [utiaotn] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [dijdicc] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [rtpwbsf] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [rsaamea] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [wkwmvhp] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [sjljgie] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [utniyyv] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [rnkbtho] c:\windows\fjlxfpk.exe
O4 - HKCU\..\Run: [lsouhkq] c:\windows\fjlxfpk.exe
O4 - HKCU\..\Run: [hlfjtci] c:\windows\fjlxfpk.exe
O4 - HKCU\..\Run: [vsoxlkr] c:\windows\fjlxfpk.exe
O4 - HKCU\..\Run: [dukopgh] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [qlojynd] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [eixinyw] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [wtpjdus] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [gujnnsl] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [acygjsb] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [ffvanxk] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [wxnevgq] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [ofthpji] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [xggxbdg] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [mcxumep] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [gqiuxod] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [jfdyeoj] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [esefrhn] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [ayxdncv] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [dfcjwwi] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [iqlekkf] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [xgaiylc] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [dqcyxqx] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [sgtvilt] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [nwjwkqj] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [gjajqse] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [kukhbyn] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [txtalcd] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [ioosbso] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [oopxiga] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [yqyhiqk] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [tgiisue] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [fvodaft] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [dahjhwo] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [qhnobls] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [xqentpf] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [sfljust] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [vdiilob] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [rlxhdyr] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [ctvkiwm] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [mbyasko] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [fkxrlgi] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [wfpijfw] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [pcefgnp] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [vmguqvr] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [hywvgml] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [kowmcjs] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [kqruifb] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [fxddcnu] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [nlvxlfw] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [shqrfna] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [wqcuhkp] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [svmbdtc] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [wjywxfg] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [qlmedhc] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [shsvswq] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [gkvmgdp] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [qfbsadl] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [dgmqslo] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [akwscjt] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [jetmkku] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [kthuevi] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [ingmhvr] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [bajnmkd] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [hugixya] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [yclwfjx] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [krryisq] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [jexwtvw] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [rtcujvr] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [gwngajf] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [reijsvd] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [ppogjss] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [wxphoac] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [incendb] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [jfqhnts] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [mleviud] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [ljsamjo] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [inntuvf] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [nqsqvvl] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [udlxpuy] c:\windows\qdpjche.exe
O4 - HKCU\..\Run: [eugjmsy] c:\windows\evpyafu.exe
O4 - HKCU\..\Run: [osekiwc] c:\windows\evpyafu.exe
O4 - HKCU\..\Run: [favfumv] c:\windows\evpyafu.exe
O4 - HKCU\..\Run: [gtlmlpl] c:\windows\evpyafu.exe
O4 - HKCU\..\Run: [xfnbvya] c:\windows\xtobqyj.exe
O4 - HKCU\..\Run: [pagqxaa] c:\windows\xtobqyj.exe
O4 - HKCU\..\Run: [pahrjgc] c:\windows\xtobqyj.exe
O4 - HKCU\..\Run: [yxlmjhq] c:\windows\xtobqyj.exe
O4 - HKCU\..\Run: [vrjvynw] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [iikebdd] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [gpqibcg] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [ajnyqiv] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [jagefsf] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [aaagjke] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [oeajsvt] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [tsvbeek] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [qilbype] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [teqxaxn] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [tbvrdtw] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [xxifjoi] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [gktsisu] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [vywyhai] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [tdffqwf] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [cemuaxg] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [jyggjjh] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [okgjccy] c:\windows\ghlxvoh.exe
O4 - HKCU\..\Run: [foyivhy] c:\windows\dxmsoqk.exe
O4 - HKCU\..\Run: [ssvqclb] c:\windows\vcwvanr.exe
O4 - HKCU\..\Run: [ooltdyf] c:\windows\rtupaso.exe
O4 - HKCU\..\Run: [nbbsbdu] c:\windows\rtupaso.exe
O4 - HKCU\..\Run: [mcoqidj] c:\windows\rtupaso.exe
O4 - HKCU\..\Run: [aoklgpt] c:\windows\rtupaso.exe
O4 - HKCU\..\Run: [sikypub] c:\windows\rtupaso.exe
O4 - HKCU\..\Run: [brqgful] c:\windows\rtupaso.exe
O4 - HKCU\..\Run: [bsrliuv] c:\windows\rtupaso.exe
O4 - HKCU\..\Run: [nbbavaa] c:\windows\rtupaso.exe
O4 - HKCU\..\Run: [dmopdxm] c:\windows\rtupaso.exe
O4 - HKCU\..\Run: [qjusnsi] c:\windows\rtupaso.exe
O4 - HKCU\..\Run: [fqvotdv] c:\windows\rtupaso.exe
O4 - HKCU\..\Run: [xvclnij] c:\windows\vkeiibm.exe
O4 - HKCU\..\Run: [xdpwnog] c:\windows\jaituju.exe
O4 - HKCU\..\Run: [qajkqdg] c:\windows\jaituju.exe
O4 - HKCU\..\Run: [utsdbct] c:\windows\jaituju.exe
O4 - HKCU\..\Run: [axhebyb] c:\windows\vkrcbmo.exe
O4 - HKCU\..\Run: [agedlif] c:\windows\vkrcbmo.exe
O4 - HKCU\..\Run: [djfaxix] c:\windows\vkrcbmo.exe
O4 - HKCU\..\Run: [ahbqnvt] c:\windows\owecmtg.exe
O4 - HKCU\..\Run: [jvksfvu] c:\windows\fcxyols.exe
O4 - HKCU\..\Run: [vxxdgxr] c:\windows\fcxyols.exe
O4 - HKCU\..\Run: [gukpflr] c:\windows\fcxyols.exe
O4 - HKCU\..\Run: [mrdctkg] c:\windows\fcxyols.exe
O4 - HKCU\..\Run: [mbsmxvg] c:\windows\ioffdpv.exe
O4 - HKCU\..\Run: [idgudus] c:\windows\oxifaqe.exe
O4 - HKCU\..\Run: [gnrwggt] c:\windows\oxifaqe.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...581/mcfscan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.161.130,85.255.112.13

Again, I thank you for your attention.

Very Truly Yours,

Julie Anne Foster

P.S. Please let me know if I need to provide additional information.
#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Julie Anne and welcome to GTG.

Bad news. This one may be a really big pain to get rid of. I'll try the usual method we use to get rid of it first (which is more complicated). But if that doesn't work, then we'll use another approach.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download AboutBuster http://www.greyknigh...AboutBuster.zip and unzip the files to a folder on your Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Restart your computer to go back to normal mode. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Download and Save spywad9xremove to your computer from this link: http://www.thespykil...wad9xremove.exe

Double click on the spywad9xremove.exe file and it will automatically extract to c:\spywad9x where it needs to be to run.

It will automatically open the 98 remove spywad.vbs script for you, ready to paste in the line mentioned below.

If it doesn't open, then go to c:\spywad9x and double click on the 98 remove spywad.vbs. Do not run any other file from there, please, unless asked to.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

It will open an Input box. Paste this line into the box

C:\WINDOWS\JAVATX.EXE

The script will kill that process, back up and then delete any matching files in Windows System and your Windows Directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad9x Folder. The backups will also be located in two subfolders there. One named Systems and the other named Window.

The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.


** Script does not remove the orphaned run entries.

HijackThis should open. If not, open it now. Check and fix these in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://top-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\eoibz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://windfind4u.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://top-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8EDF824F-428B-3210-54F5-E0B4F0653964} - C:\WINDOWS\SYSTEM\SDKJT.DLL
O2 - BHO: (no name) - {91624752-7C89-45AA-8662-65B4FC590C29} - C:\WINDOWS\SYSTEM\CGFF.DLL (file missing)
O2 - BHO: Class - {0B49DBF5-766B-A933-707E-C0D543F141BB} - C:\WINDOWS\CRSI.DLL
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [systemdll] install2.exe
O4 - HKLM\..\Run: [WhatsNewBot] TRPT.exe
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [JAVATX.EXE] C:\WINDOWS\JAVATX.EXE
O4 - HKLM\..\RunServices: [APIIB32.EXE] C:\WINDOWS\SYSTEM\APIIB32.EXE /s
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [UserSp1] avpmondll.exe
O4 - HKCU\..\Run: [_ctcp] prgsys0984.exe
O4 - HKCU\..\Run: [Dest068] sysmon12.exe
O4 - HKCU\..\Run: [ulwftjm] c:\windows\nbydhcy.exe
O4 - HKCU\..\Run: [qcytpjo] c:\windows\nbydhcy.exe
O4 - HKCU\..\Run: [sefduwl] c:\windows\nbydhcy.exe
O4 - HKCU\..\Run: [xjoepsd] c:\windows\xcntcva.exe
O4 - HKCU\..\Run: [sqoxgjb] c:\windows\xcntcva.exe
O4 - HKCU\..\Run: [ycholkv] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [swkojvs] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [qxatwdf] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [qntdlet] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [oreivin] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [yqevvln] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [jttxkqj] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [wwltpij] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [jxsiksr] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [kupxbja] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [mjjediq] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [fmxqixa] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [qaarybf] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [oyuhvtu] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [tcglgvh] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [krdbuql] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [ikyoykg] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [ipditkn] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [jfpvsni] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [vbtiljh] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [lfiysuf] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [lnyxgvp] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [jejaruo] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [ajbwhib] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [ohljbhs] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [xxvjcof] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [arewycj] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [tyrtohw] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [iikkoal] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [mphvyei] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [hcdmiet] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [cyygyus] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [sgtoepe] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [bdrfupo] c:\windows\gamsaer.exe
O4 - HKCU\..\Run: [rypiwmw] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [sextsxv] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [worlcud] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [qfrocui] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [jrdhhxt] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [nqcsmgw] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [nkkdnvv] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [dixqfbo] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [wyjpxva] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [jyepbho] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [topmund] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [xbsnmep] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [udydggu] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [xyfgjxe] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [stjqkrb] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [iiwscfy] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [wegidya] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [cwpxhtl] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [hsjciwo] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [qivakhi] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [borptmk] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [bxrlhwe] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [sccqset] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [oxexxhd] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [bwkkqqk] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [bwehkip] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [avjvcto] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [soauimc] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [uooklee] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [mamvgax] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [iftbyqv] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [vxmxfhk] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [amvrwlg] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [qnhraip] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [keerdif] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [rnfudxl] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [hsuavib] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [vlypetv] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [fixhhod] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [vlpjrex] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [wfitfpd] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [heyvsrd] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [wkqvexq] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [ucmacup] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [xmfpuwr] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [yeeivyn] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [wdjykqn] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [utiaotn] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [dijdicc] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [rtpwbsf] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [rsaamea] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [wkwmvhp] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [sjljgie] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [utniyyv] c:\windows\qcfirlk.exe
O4 - HKCU\..\Run: [rnkbtho] c:\windows\fjlxfpk.exe
O4 - HKCU\..\Run: [lsouhkq] c:\windows\fjlxfpk.exe
O4 - HKCU\..\Run: [hlfjtci] c:\windows\fjlxfpk.exe
O4 - HKCU\..\Run: [vsoxlkr] c:\windows\fjlxfpk.exe
O4 - HKCU\..\Run: [dukopgh] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [qlojynd] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [eixinyw] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [wtpjdus] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [gujnnsl] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [acygjsb] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [ffvanxk] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [wxnevgq] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [ofthpji] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [xggxbdg] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [mcxumep] c:\windows\qlrhdbd.exe
O4 - HKCU\..\Run: [gqiuxod] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [jfdyeoj] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [esefrhn] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [ayxdncv] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [dfcjwwi] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [iqlekkf] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [xgaiylc] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [dqcyxqx] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [sgtvilt] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [nwjwkqj] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [gjajqse] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [kukhbyn] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [txtalcd] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [ioosbso] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [oopxiga] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [yqyhiqk] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [tgiisue] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [fvodaft] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [dahjhwo] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [qhnobls] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [xqentpf] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [sfljust] c:\windows\bjkbnfx.exe
O4 - HKCU\..\Run: [vdiilob] c:\windows\bjkbnfx.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Delete these files if found:



--------------------------


When finished, post the contents of Spywad.txt and a new Hijackthis log.

If the files deleted are all found to be part of the infection and nothing important has been deleted, you will be instructed to delete the entire Spywad Folder after you have cleaned up all other User Profiles on that system.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

I have included another vbs to do this. It is named 98 registry only.vbs

Have each User sign in and run 98 registry only.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the C:\Spywad9x folder. Double click on 98 registry only.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

Then run hijackthis and remove the entries as directed by your Forum Advisor. See earlier fix for HijackThis and see if any are still left behind.

To restore the desktop to whatever picture you normally have, right click on a blank part of the desktop, select Properties/Desktop, select your preferred picture, press Apply and then OK to exit, and then click on the desktop. Press F5 once or twice to refresh.

You will need to do this step for every user account.

When this is all done, I want a new HijackThis log, the AboutBuster log and also the following log (run BOTH scans, but post only Panda log):

Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.
  • 0

#3
Julie_Anne

    New Member

  • Topic Starter
  • Member
  • 5 posts
Dear GreyKnight:

Thank you for your prompt and helpful response. Please forgive me, but before beginning the repair steps that you suggested, I have some questions.

First, is this the way to get THIS message to you? I note that I see that replies will not be answered. Consequently, I will ask the same questions in a new post in this forum, as well as in an e-mail to you. I do not mean to overwhelm you or this site with duplicate postings, but I am unfamiliar with forums and thus will utilize every option I can see.

When you say to unzip AboutBuster after I have downloaded it, let me ask you "unzip with what program?" Do I need to download Winzip to do this first step before I start it? If yes, where can I download Winzip for free and will the unzipping process then either be self-explanatory or included w/ the Winzip program?

Next, before I start ANY of the processes that you describe, please reassure me that I will not lose any data or any programs on my computer by doing the procedure you suggest. I do not have a copy of the Windows ME operating system disk and I therefore do not want to lose anything critical in the process of cleaning up this Trojan horse.

You give a long list of "script" about which you say, "check and fix in Hijack This." What do you mean? Does that information appear on the Hijack This screen when I open it after I have followed the procedures that you recommend? I can 'edit' this script directly on the screen of Hijack This, then? Do the strings of command need to be in the order that you have listed them?

When you say, run Trend Micro anti-virus after doing the rest, what if I already have AVG anti-virus installed? Is AVG okay to use instead? Does Trend Micro have a conflict w/ AVG such that I would have to uninstall AVG and install Trend Micro instead? (I know that Panda has a conflict w/ AVG).

I thank you for your time and effort.

If it is at all possible, my preference would be an answer via e-mail to edited out...
An answer in this forum is appreciated, too --- please tell me the easiest way to access this thread (Post preview #363865 from 9/19/05).
Thank you so very much and please indicate to me how I might make a donation.

Very Truly Yours,

Julie Anne Foster
  • 0

#4
Julie_Anne

    New Member

  • Topic Starter
  • Member
  • 5 posts
Sorry to keep bothering you, and I DO hope that this is the best way to get you continuing messages.

NOW, I have installed and unzipped the AboutBuster file. IF I first try to enter update, I get the error message "Run time error '5', invalid procedure call or argument" and THEN, I can't do anything but delete and download the file again.
I finally got AboutBuster to run in Safe Mode, STILL without an update, but there, after it says that the scan is complete, it tells me "Run time error 339 component 'cmct132.ocx' or one of its dependancies not currently registered [-] a file is missing or invalid."

Any suggestions to get farther than this are greatly appreciated.
  • 0

#5
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Julie Ann, no need to worry about my replies to you. I usually get back to all the users I help within 24 hours. If I'm very busy, I would say 2 days at most...but usually same day reply :) Kat closed your duplicate post. Whenever you post here, there is no need to create a new topic or PM/email me. Each staff here will be subscribing to all the topics they reply to so they get back to the same user until the topic is resolved. So I'll be helping you till this problem is resolved :)

No problem. Since you are using Windows ME, it doesn't have a built in zip/unzip program like XP does. Yes, use Winzip then. They have a free trial (30 days), but you can still use it after 30 days (so keep using it if you wish...or buy if you really like it). But you can use the trial even after it expires without any problems (unzipping and zipping files). Just install it and once that's done, all you have to do is double click on the AboutBuster.zip file you downloaded. Then choose to use the Evaluation Period button (just read before you click, because Winzip changes the order of those buttons to get you to click on the wrong one :tazz: but nothing bad will happen, just a heads up). Once in Winzip you should see the AboutBuster files. Don't click on any of them. Just click on Extract and choose where you want to extract it. Then hit the button to extract it. Now you should see the files wherever you extracted/unzipped them to.

Just like whoever fixes your computer, we can't promise you that your data won't be lost, especially when there are trojans/viruses involved. You should always back up your data frequently (backup now if you didn't do so already). The fix I gave you should not cause any data loss, but like I said, anything can happen...so keep that in mind. Sometimes it's the trojan that caused the problem, other times it may be Windows corruption related. So you see what I mean. Backup your data if you can. If your data is that important, you should be backing up weekly or even daily to CDs/DVDs or another hard drive.

For HijackThis fix, just run HijackThis and hit the Scan button. Now you see the huge list I gave you? Just check off each of the boxes that correspond to those entries I listed above. My suggestion to you when you get to the bunch of random O4 entries is to use the spacebar and down arrow to do this. Just hit spacebar and down arrow, keep repeating this to check them faster. But make sure you are not checking a valid entry (one that I didn't list). As I said earlier, this is a more complicated method on your part (and mine to list them) but this is the fix that we use. If this one doesn't work, then I'll ask you to try another method which should be easier for you.

There is no problem running the online scans. You are not going to be installing their programs, but just running their scans online which is no conflict with AVG. Panda and TrendMicro (at least the links I gave you above) are just the online virus scans. So they are ok to run. I suggest disabling AVG (close it) during the scans. When those two scans are done, enable AVG again. Post the Panda log here if something was detected.

Please try not to post your email here. We have a lot of spambots leeching emails in the forum and you don't want them to be sending you junk emails :) I edited out your email address. Post here instead. It's really easy to use actually. All you have to do is go to this post now. Then go to the very bottom and you should see a button called OPTIONS. Click on it and a new section will show up on the bottom (scroll down a little). Click on the Subscribe to this forum link. Then choose how you want to receive notifications whenever I reply to your topic (so you know when I replied and can come to check up on it). Choose email notification if you wish so you can get an email once I reply with a link straight back to this topic. Another way you can check your post is to click on your username (you see your name as a link on the left of each post). Click on that and then click on the Member Posts link. Look for your recent post and you'll find it.

Glad you got the zip part figured out :ph34r: For that error, download this file and run it. It should install that OCX file for you.

Post back here from now on until it's resolved. I'll be here :ph34r:
  • 0
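The reply above asks for a long run of O4 entries to be ticked by hand without touching valid ones. As an added example (not part of the thread and not HijackThis code), this sketch parses O4 lines and flags any executable that is launched from several differently named Run values, so the remaining entries can be reviewed one by one. The sample log, its value names and file names are constructed, and the threshold of three aliases is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format; names and paths are made up.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ExampleAV] C:\PROGRA~1\EXAMPLEAV\AVCC.EXE /STARTUP
O4 - HKCU\..\Run: [qwzxkjp] c:\windows\aaaexmpl.exe
O4 - HKCU\..\Run: [plmvbtr] c:\windows\aaaexmpl.exe
O4 - HKCU\..\Run: [zxcrtyw] c:\windows\aaaexmpl.exe
O4 - HKCU\..\Run: [hgfdnbq] c:\windows\bbbexmpl.exe
O9 - Extra button: Example - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\web\example.htm
"""

# "O4 - HKxx\..\<key>: [<value name>] <command line>"
# (O4 "Startup:" folder entries use a different shape and are skipped here.)
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\([^:]+): \[([^\]]*)\] (.+)$")
# Executable part of the command line, without arguments or a leading quote.
EXE_RE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)


def parse_o4(log_text):
    """Return one dict per registry autorun (O4) line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        exe = EXE_RE.match(cmd)
        target = (exe.group(1) if exe else cmd).lower()
        entries.append({"hive": hive, "key": key, "name": name, "target": target})
    return entries


def flag_repeated_targets(entries, min_aliases=3):
    """Map each executable started by >= min_aliases distinct value names."""
    names = defaultdict(set)
    for e in entries:
        names[e["target"]].add(e["name"])
    return {t: sorted(n) for t, n in names.items() if len(n) >= min_aliases}


if __name__ == "__main__":
    for target, aliases in flag_repeated_targets(parse_o4(SAMPLE_LOG)).items():
        print(f"{target}: {len(aliases)} Run values -> {', '.join(aliases)}")
```

An executable with fewer aliases than the threshold is not flagged, so it still needs the manual comparison against the advisor's list.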

#6
Julie_Anne

    New Member

  • Topic Starter
  • Member
  • 5 posts
Dear GreyKnight,

I downloaded and unzipped the missing files. I continue to get the same error messages under the same circumstances. Sorry, I am an idiot.
Further, I see no options in AboutBuster to "run" "close" "okay" or "save" to a log file in this program, as you describe.
Please be patient and terribly explicit in your instructions to me.

Thank you,

Julie Anne
  • 0

#7
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, download this package and then run it. Restart and see if that will run AboutBuster in Safe Mode properly.

If not, download this package instead and install it. Try running AboutBuster in Safe Mode now.

Are you sure it's spelled as cmct132.ocx? Make sure it's spelled correctly. If that's the correct spelling, then try this. Go to Start->Run and type in:

regsvr32 cmct132.ocx

and hit OK. Did that register the file successfully?

Are you able to run AboutBuster successfully though? If not, it's probably because you are missing a file. Hopefully one of the packages I asked you to download above will work...or try registering that file. The log will be in the same folder as the AboutBuster program you unzipped to.
  • 0

#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





