Aurora and trojans



#1
recyc
New Member, 4 posts
I have a persistent Aurora or trojan infection that among other things has disrupted my Symantec Antivirus and my ability to access Microsoft Updates. Any help would be much appreciated.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 11:41:21 AM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\vudpuyo\jlvlae.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\bwjieei.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\blmogbr.EXE
C:\WINDOWS\System32\gkvj\gqoqnmj.exe
C:\WINDOWS\System32\jbls\racrf.exe
C:\WINDOWS\System32\emrxjg\ehibrw.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system32\egspmi.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\FCEngine\FCEngine.exe
C:\WINDOWS\System32\m?dtc.exe
C:\Program Files\ttrd\arse.exe
C:\DOCUME~1\yreyes\LOCALS~1\Temp\InSearch.exe
C:\WINDOWS\System32\llwt\exllehp.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
F2 - REG:system.ini: Shell=Explorer.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshuziv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [blmogbr] C:\WINDOWS\blmogbr.EXE
O4 - HKLM\..\Run: [jlvlae] C:\WINDOWS\System32\vudpuyo\jlvlae.exe
O4 - HKLM\..\Run: [gqoqnmj] C:\WINDOWS\System32\gkvj\gqoqnmj.exe
O4 - HKLM\..\Run: [exllehp] C:\WINDOWS\System32\llwt\exllehp.exe
O4 - HKLM\..\Run: [racrf] C:\WINDOWS\System32\jbls\racrf.exe
O4 - HKLM\..\Run: [ehibrw] C:\WINDOWS\System32\emrxjg\ehibrw.exe
O4 - HKLM\..\Run: [fdkkyd] C:\WINDOWS\System32\ghxhcu\fdkkyd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [jusvgz] C:\WINDOWS\system32\egspmi.exe r
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [FCEngine] "C:\Program Files\FCEngine\FCEngine.exe"
O4 - HKCU\..\Run: [Degeuavj] C:\WINDOWS\System32\m?dtc.exe
O4 - HKCU\..\Run: [Ehwe] C:\Program Files\ttrd\arse.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Cleanscapedom.local
O17 - HKLM\Software\..\Telephony: DomainName = Cleanscapedom.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CEEC009-DF8E-404F-9DC5-DCB38801EC2B}: NameServer = 192.168.0.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Cleanscapedom.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CEEC009-DF8E-404F-9DC5-DCB38801EC2B}: NameServer = 192.168.0.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Cleanscapedom.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{3CEEC009-DF8E-404F-9DC5-DCB38801EC2B}: NameServer = 192.168.0.3
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: jlvlaevudpuyo - Unknown owner - C:\WINDOWS\System32\vudpuyo\jlvlae.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\bwjieei.exe

#2
Danny
Visiting Staff, 684 posts
Hi,

BEFORE BEGINNING, please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

First, download Ewido Security Suite.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the left-hand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.

dk

#3
recyc
Topic Starter, New Member, 4 posts
I ran the Ad-aware with the plug-in, and the Ewido scan (the initial HijackThis log was actually post-Ad-aware, VX2 plug-in, Ewido, Trojan Hunter, Clean Up, CW Shredder, and Spybot). Here are both logs. Thanks for your help:

Logfile of HijackThis v1.99.1
Scan saved at 3:31:34 PM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\vudpuyo\jlvlae.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\bwjieei.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\blmogbr.EXE
C:\WINDOWS\System32\gkvj\gqoqnmj.exe
C:\WINDOWS\System32\llwt\exllehp.exe
C:\WINDOWS\System32\jbls\racrf.exe
C:\WINDOWS\System32\emrxjg\ehibrw.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\FCEngine\FCEngine.exe
C:\WINDOWS\System32\m?dtc.exe
C:\Program Files\ttrd\arse.exe
C:\DOCUME~1\yreyes\LOCALS~1\Temp\InSearch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshuziv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [blmogbr] C:\WINDOWS\blmogbr.EXE
O4 - HKLM\..\Run: [jlvlae] C:\WINDOWS\System32\vudpuyo\jlvlae.exe
O4 - HKLM\..\Run: [gqoqnmj] C:\WINDOWS\System32\gkvj\gqoqnmj.exe
O4 - HKLM\..\Run: [exllehp] C:\WINDOWS\System32\llwt\exllehp.exe
O4 - HKLM\..\Run: [racrf] C:\WINDOWS\System32\jbls\racrf.exe
O4 - HKLM\..\Run: [ehibrw] C:\WINDOWS\System32\emrxjg\ehibrw.exe
O4 - HKLM\..\Run: [fdkkyd] C:\WINDOWS\System32\ghxhcu\fdkkyd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [dwrg] C:\WINDOWS\system32\eywd\dwrg.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [FCEngine] "C:\Program Files\FCEngine\FCEngine.exe"
O4 - HKCU\..\Run: [Degeuavj] C:\WINDOWS\System32\m?dtc.exe
O4 - HKCU\..\Run: [Ehwe] C:\Program Files\ttrd\arse.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Cleanscapedom.local
O17 - HKLM\Software\..\Telephony: DomainName = Cleanscapedom.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CEEC009-DF8E-404F-9DC5-DCB38801EC2B}: NameServer = 192.168.0.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Cleanscapedom.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CEEC009-DF8E-404F-9DC5-DCB38801EC2B}: NameServer = 192.168.0.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Cleanscapedom.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{3CEEC009-DF8E-404F-9DC5-DCB38801EC2B}: NameServer = 192.168.0.3
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dwrgeywd - Unknown owner - C:\WINDOWS\system32\eywd\dwrg.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: jlvlaevudpuyo - Unknown owner - C:\WINDOWS\System32\vudpuyo\jlvlae.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\bwjieei.exe




---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:24:40 PM, 9/22/2005
+ Report-Checksum: 1D8CCC50

+ Scan result:

C:\WINDOWS\system32\__delete_on_reboot__aunps2.dll.tcf -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__pkshuziv.dll.tcf -> Spyware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\yreyes\Cookies\yreyes@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\yreyes\Cookies\yreyes@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\yreyes\Cookies\yreyes@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100801.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100803.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100805.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100806.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100807.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100810.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100811.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100812.exe -> TrojanDownloader.VB.jl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100813.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100814.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100815.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100816.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100819.EXE -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100820.dll -> TrojanDownloader.Small : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100821.cpl -> TrojanDownloader.Qoologic.ad : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100822.exe -> Backdoor.Lamebot.c : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100823.dll -> Trojan.Agent.ff : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100825.exe -> TrojanDownloader.VB.hw : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100826.exe -> Trojan.EliteBar.c : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100827.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100828.dll -> Spyware.CASClient : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100830.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100831.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100832.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100802.exe.tcf -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100804.exe.tcf -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100808.exe.tcf -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100809.exe.tcf -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100817.exe.tcf -> Spyware.ISearch : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100818.exe.tcf -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100824.exe.tcf -> Spyware.ISearch : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100829.dll.tcf -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100854.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100855.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100869.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100870.dll -> TrojanDownloader.Qoologic.af : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100872.exe -> Spyware.MediaMotor : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100880.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100881.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP593\A0100885.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP592\A0093593.exe -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP592\A0094582.exe -> TrojanDownloader.Agent.tv : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP592\A0094697.exe -> Trojan.Stervis.h : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP592\A0094699.dll -> Trojan.Agent.iw : Cleaned with backup
C:\System Volume Information\_restore{D7CA25F7-6E23-478F-9726-A082913AE9E0}\RP591\A0092980.exe -> Spyware.CASClient : Cleaned with backup


::Report End

#4
Danny
Visiting Staff, 684 posts
Hi,

We've gotten rid of nail, now to the other ones.

STEP 1
Open HijackThis, click the "Scan" button, and check the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshuziv.dll (file missing)
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [blmogbr] C:\WINDOWS\blmogbr.EXE
O4 - HKLM\..\Run: [jlvlae] C:\WINDOWS\System32\vudpuyo\jlvlae.exe
O4 - HKLM\..\Run: [gqoqnmj] C:\WINDOWS\System32\gkvj\gqoqnmj.exe
O4 - HKLM\..\Run: [exllehp] C:\WINDOWS\System32\llwt\exllehp.exe
O4 - HKLM\..\Run: [racrf] C:\WINDOWS\System32\jbls\racrf.exe
O4 - HKLM\..\Run: [ehibrw] C:\WINDOWS\System32\emrxjg\ehibrw.exe
O4 - HKLM\..\Run: [fdkkyd] C:\WINDOWS\System32\ghxhcu\fdkkyd.exe
O4 - HKLM\..\Run: [dwrg] C:\WINDOWS\system32\eywd\dwrg.exe
O4 - HKCU\..\Run: [Degeuavj] C:\WINDOWS\System32\m?dtc.exe
O4 - HKCU\..\Run: [Ehwe] C:\Program Files\ttrd\arse.exe
O23 - Service: dwrgeywd - Unknown owner - C:\WINDOWS\system32\eywd\dwrg.exe
O23 - Service: jlvlaevudpuyo - Unknown owner - C:\WINDOWS\System32\vudpuyo\jlvlae.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\bwjieei.exe

Close all windows except HijackThis and click the "Fix Checked" button.

STEP 2
Locate the following files/folders, and delete them:

C:\WINDOWS\System32\opr.exe
C:\WINDOWS\blmogbr.EXE
C:\WINDOWS\System32\vudpuyo
C:\WINDOWS\System32\gkvj
C:\WINDOWS\System32\llwt
C:\WINDOWS\System32\jbls
C:\WINDOWS\System32\emrxjg
C:\WINDOWS\System32\ghxhcu
C:\WINDOWS\system32\eywd
C:\Program Files\ttrd
C:\WINDOWS\bwjieei.exe

STEP 3
Now, copy everything inside the quote box below (starting with dir) and paste it into Notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\system32\m?dtc.exe /a > files.txt
notepad files.txt

Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.

STEP 4
Next, go to Start->Run and type:

services.msc

Hit Ok

Scroll down and find the below service:

dwrgeywd

When you find it, double-click on it. In the next window that opens, under the general tab, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then Ok.

Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service". A window will pop up. Enter the below item into that field (copy and paste):

dwrgeywd

Click ok.

It should pull up information about the service, when it asks if you want to reboot now click NO.

Repeat Step 4 for the following items:

jlvlaevudpuyo
Windows Overlay Components


When you complete the last one, select YES when asked to reboot.

STEP 5

Do you know this website: http://companyweb/
Did you set that as your homepage???

Post a new HijackThis log, as well as the results from findfile.bat.

dk
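The fix list above is triage an analyst does by eye. As an added example (not code from this thread or from HijackThis), the following Python parses O4 and O23 lines and flags the patterns these logs show: an autorun in a random-named System32 subfolder, an executable dropped straight into C:\WINDOWS, a service whose name is the executable stem glued to its folder name (jlvlae + vudpuyo), a service with no listed owner, and a filename HijackThis could not render in ASCII. The sample lines are copied from the logs in this thread; the C:\WINDOWS allowlist is an assumption.

```python
r"""Triage of HijackThis O4 (autorun) and O23 (service) lines.

Added example; the heuristics are taken from what the logs in this thread show:
  * an autorun executable in a subfolder of System32 (vudpuyo\jlvlae.exe),
  * an executable dropped straight into C:\WINDOWS (bwjieei.exe),
  * a service named by gluing the exe stem to its folder name
    (jlvlae + vudpuyo = jlvlaevudpuyo),
  * a service with no listed owner,
  * a filename HijackThis could not render in ASCII (m?dtc.exe).
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample: a subset of the O4/O23 lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [jlvlae] C:\WINDOWS\System32\vudpuyo\jlvlae.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [dwrg] C:\WINDOWS\system32\eywd\dwrg.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKCU\..\Run: [Degeuavj] C:\WINDOWS\System32\m?dtc.exe
O4 - HKCU\..\Run: [Ehwe] C:\Program Files\ttrd\arse.exe
O23 - Service: dwrgeywd - Unknown owner - C:\WINDOWS\system32\eywd\dwrg.exe
O23 - Service: jlvlaevudpuyo - Unknown owner - C:\WINDOWS\System32\vudpuyo\jlvlae.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\bwjieei.exe
"""

O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First drive-letter path in a Run command, quoted or not, up to its extension.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|cpl))(?:"|\s|$)', re.IGNORECASE)

# Assumption: executables that legitimately sit directly in C:\WINDOWS.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe"}


@dataclass
class Finding:
    line: str
    path: str
    reasons: list = field(default_factory=list)


def _in_system32_subfolder(p: PureWindowsPath) -> bool:
    parts = [s.lower() for s in p.parts]
    return len(parts) == 5 and parts[1:3] == ["windows", "system32"]


def _flags_for_path(path: str) -> list:
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    reasons = []
    if "?" in p.name:
        reasons.append("filename contains a character HijackThis could not render")
    if _in_system32_subfolder(p):
        reasons.append(f"executable in System32 subfolder '{p.parent.name}'")
    if len(parts) == 3 and parts[1] == "windows" and p.name.lower() not in WINDOWS_ROOT_ALLOW:
        reasons.append("executable dropped directly into C:\\WINDOWS")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every O4/O23 line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            pm = PATH_RE.match(m["cmd"])
            if pm is None:  # e.g. RUNDLL32 with no drive-letter path
                continue
            reasons = _flags_for_path(pm["path"])
            if reasons:
                findings.append(Finding(line, pm["path"], reasons))
        elif m := O23_RE.match(line):
            p = PureWindowsPath(m["path"])
            reasons = _flags_for_path(m["path"])
            if m["owner"].lower() == "unknown owner":
                reasons.append("service has no listed owner")
            if m["name"].lower() == (p.stem + p.parent.name).lower():
                reasons.append("service name is the exe stem glued to its folder name")
            if reasons:
                findings.append(Finding(line, m["path"], reasons))
    return findings


def cleanup_targets(findings: list) -> list:
    """Files or folders to remove: the whole System32 subfolder when the exe
    lives in one (as in STEP 2 above), otherwise the file itself."""
    targets = set()
    for f in findings:
        p = PureWindowsPath(f.path)
        targets.add(str(p.parent) if _in_system32_subfolder(p) else str(p))
    return sorted(targets)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
    print("\nDelete:", *cleanup_targets(hits), sep="\n  ")
```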

#5
recyc
Topic Starter, New Member, 4 posts
Thanks very much for your help. Here is the findfile.bat result:

Volume in drive C has no label.
Volume Serial Number is 88EA-3BCF

Directory of C:\WINDOWS\system32

08/04/2004 12:56 AM 6,144 msdtc.exe
09/08/2005 09:43 AM 401,408 m?dtc.exe
2 File(s) 407,552 bytes

Directory of C:\Documents and Settings\yreyes\Desktop


and here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:07:49 AM, on 9/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\FCEngine\FCEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [jlvlae] C:\WINDOWS\System32\vudpuyo\jlvlae.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [FCEngine] "C:\Program Files\FCEngine\FCEngine.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Cleanscapedom.local
O17 - HKLM\Software\..\Telephony: DomainName = Cleanscapedom.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CEEC009-DF8E-404F-9DC5-DCB38801EC2B}: NameServer = 192.168.0.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Cleanscapedom.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CEEC009-DF8E-404F-9DC5-DCB38801EC2B}: NameServer = 192.168.0.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Cleanscapedom.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{3CEEC009-DF8E-404F-9DC5-DCB38801EC2B}: NameServer = 192.168.0.3
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#6
recyc
Topic Starter, New Member, 4 posts
Oh, and I forgot to answer, companyweb is the home page that was set by the network tech.

#7
Danny
Visiting Staff, 684 posts
Hi,

Press Start --> Search. Search for msdtc.exe.

Right click each file and select Properties.

Look for a file that has:

Size: 401 KB

Date Created: 09/08/2005

(This file may not have an icon.)

Once you find it with those properties (<<-- THIS IS VERY IMPORTANT!!!), delete it.

Now, locate the following folder, and delete it:

C:\WINDOWS\System32\vudpuyo

Finally, open HijackThis, and click the "Open the Misc. Tools Section". When there, click "Generate Startup Log".

Now, run HijackThis, and post a new log as well as the Startup Log.

dk
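The size-and-date check above is how the lookalike is told apart from the real msdtc.exe. As an added example (not code from this thread), the following Python parses a dir listing in the format findfile.bat produced and reports every name matching the m?dtc.exe wildcard that is not the legitimate file, with the size and date needed to pick it out. The listing is constructed from the output in post #5; the thread never shows the lookalike's real name, so the non-ASCII check is written generically.

```python
r"""Spot a lookalike of a Windows system binary in a `dir` listing.

Added example. findfile.bat in this thread ran
    dir C:\WINDOWS\system32\m?dtc.exe /a > files.txt
and the listing showed the real msdtc.exe (6,144 bytes) beside a second
file the console could only render as m?dtc.exe. This code parses such a
listing and reports every name that matches the wildcard but is not the
legitimate one, with the size and date used to pick it out in Explorer.
"""
import re
import unicodedata
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample in the format findfile.bat produced (see post #5).
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 88EA-3BCF

 Directory of C:\\WINDOWS\\system32

08/04/2004  12:56 AM             6,144 msdtc.exe
09/08/2005  09:43 AM           401,408 m?dtc.exe
               2 File(s)        407,552 bytes
"""

# One file line of `dir` output: date, time, size with thousands separators, name.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d[\d,]*)\s+(?P<name>.+?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    date: str
    time: str
    size: int
    name: str


def parse_dir_listing(text: str) -> list:
    """Keep only file lines; <DIR> rows and the summary line do not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            size = int(m["size"].replace(",", ""))
            entries.append(Entry(m["date"], m["time"], size, m["name"]))
    return entries


def suspicious_name_reasons(name: str, legit: str) -> list:
    """Why `name` looks like an impostor of `legit`; empty if it is the real name."""
    reasons = []
    if name.lower() == legit.lower():
        return reasons
    non_ascii = [unicodedata.name(c, "U+%04X" % ord(c)) for c in name if ord(c) > 127]
    if non_ascii:
        reasons.append("non-ASCII character(s) in name: " + ", ".join(non_ascii))
    if "?" in name:
        reasons.append("console could not render a character in the name")
    if len(name) == len(legit):
        diffs = sum(a.lower() != b.lower() for a, b in zip(name, legit))
        if diffs == 1:
            reasons.append(f"differs from {legit} in exactly one character")
    return reasons


def find_lookalikes(entries: list, legit: str = "msdtc.exe", pattern: str = "m?dtc.exe") -> list:
    """(Entry, reasons) for each wildcard match that is not the legitimate file."""
    hits = []
    for e in entries:
        if not fnmatchcase(e.name.lower(), pattern.lower()):
            continue
        reasons = suspicious_name_reasons(e.name, legit)
        if reasons:
            hits.append((e, reasons))
    return hits


def describe(entry: Entry, reasons: list) -> str:
    return f"{entry.name}: {entry.size:,} bytes, dated {entry.date} ({'; '.join(reasons)})"


if __name__ == "__main__":
    for entry, why in find_lookalikes(parse_dir_listing(SAMPLE_LISTING)):
        print(describe(entry, why))
```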





