z0c7hwz.exe



#1
twubear
    New Member
  • Member
  • 7 posts
I know I have some kind of spyware on my computer but I can't figure out what it is. I looked up that file name in the topic title and it yielded no results. And from time to time, there will be a process running in my task manager called 8km.exe. Still, no idea what it is. I've been trying to scan with AdAware, CWSShredder, Spy-Bot S&D, and nothing comes up. I've been getting pop-ups on sites I KNOW don't have any pop-ups (e.g. my own).

Anyway, here's my Hi-JackThis! log:

Logfile of HijackThis v1.99.1
Scan saved at 1:20:15 PM, on 10/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\World of Warcraft\BNUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\ypnq.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [z0c7hwz.exe] C:\WINDOWS\System32\z0c7hwz.exe /k
O4 - HKCU\..\RunOnce: [z0c7hwz.exe] C:\WINDOWS\System32\z0c7hwz.exe /k
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124813266875
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
  • 0


#2
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Hello :tazz:

Sorry for the delayed response, it has been very busy lately.

Please post a new HijackThis log in this thread and I will help you.

Thanks :)
  • 0

#3
twubear
    New Member
  • Topic Starter
  • Member
  • 7 posts
Logfile of HijackThis v1.99.1
Scan saved at 5:58:58 PM, on 10/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\ypnq.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [z0c7hwz.exe] C:\WINDOWS\System32\z0c7hwz.exe /k
O4 - HKCU\..\RunOnce: [z0c7hwz.exe] C:\WINDOWS\System32\z0c7hwz.exe /k
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124813266875
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
  • 0

#4
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Hello and welcome to Geeks to Go :tazz:

I see you have been infected by malware. Let's get you fixed up.
Please follow the directions as closely as you can. Let's begin.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\ypnq.dll
O4 - HKLM\..\RunOnce: [z0c7hwz.exe] C:\WINDOWS\System32\z0c7hwz.exe /k
O4 - HKCU\..\RunOnce: [z0c7hwz.exe] C:\WINDOWS\System32\z0c7hwz.exe /k

Now close all windows other than HiJackThis, then click Fix Checked.

Re-open HiJackThis. It should open to a "New users quickstart" menu.
Click "Open the Misc Tools section"
Click "Delete a file on reboot..."
In the "Enter file to delete on reboot..." window, navigate to:

C:\WINDOWS\System32

And select the file

z0c7hwz.exe

Then click Open. After you click Open, HiJackThis will ask you if you want to restart your computer now. You do, so click Yes.

After the reboot, please run this online virus scan:
Panda Active Scan (you need to use Internet Explorer for this scan).
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here. Also post a new Hijack log

Thanks :)
  • 0

#5
twubear
    New Member
  • Topic Starter
  • Member
  • 7 posts
I did everything up until the step that said to open the misc tools and delete on reboot step. The z0c7hwz.exe file did not exist in that folder. However, here is my new HiJack log.

Logfile of HijackThis v1.99.1
Scan saved at 10:54:11 AM, on 10/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124813266875
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
  • 0
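The two logs above are the point of the Fix Checked step: the 10/14 log shows the unnamed BHO and the two RunOnce values, and the 10/15 log no longer does. As an added example (not code from this thread, from HijackThis or from Geeks to Go), the following Python parses the entry section of a HijackThis log into structured records, flags the two patterns the helper acted on (an O2 BHO with "(no name)", and O4 RunOnce values, which Windows normally removes after they run, so one that is still present in a log taken days later is being re-created), and diffs two logs so you can confirm a fix actually took instead of eyeballing 40 lines. The sample logs are trimmed copies of the 10/14 and 10/15 entry sections; the image-path extraction is a best-effort heuristic of my own, not the tool's parsing.

```python
import re

# Constructed samples: entry lines copied from the two HijackThis logs in this
# thread, trimmed to the lines that matter. BEFORE is the 10/14 log (its entry
# section is identical to the 10/11 one); AFTER is the 10/15 log after Fix Checked.
BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\ypnq.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [z0c7hwz.exe] C:\WINDOWS\System32\z0c7hwz.exe /k
O4 - HKCU\..\RunOnce: [z0c7hwz.exe] C:\WINDOWS\System32\z0c7hwz.exe /k
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""
AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# A HijackThis entry line: "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Heuristic (mine, not the tool's): a quoted path, or the first token that ends
# in a 2-3 character extension followed by whitespace/end (drops "/k"-style args).
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.*?\.\w{2,3})(?=\s|$)', re.I)


def image_path(section, body):
    """Best-effort path of the file an entry loads; None where not applicable."""
    if section in ("O2", "O9", "O23"):
        return body.rsplit(" - ", 1)[-1]          # path is the last " - " segment
    if section == "O4":
        rest = body.split("] ", 1)[-1] if "] " in body else body.split(" = ", 1)[-1]
        m = IMAGE_RE.match(rest)
        return (m.group(1) or m.group(2)) if m else rest
    return None


def parse_entries(text):
    """One dict per entry line; process listings and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        entries.append({"section": section, "body": body, "raw": m.group(0),
                        "image": image_path(section, body)})
    return entries


def flag_entries(entries):
    """Entries worth a closer look, paired with the reason they were flagged."""
    flagged = []
    for e in entries:
        if e["section"] == "O2" and "(no name)" in e["body"]:
            # A BHO that registers no name gives you nothing to identify it by.
            flagged.append((e["raw"], "BHO with no name"))
        elif e["section"] == "O4" and "RunOnce" in e["body"]:
            # RunOnce values are meant to be transient; compare with an earlier log.
            flagged.append((e["raw"], "RunOnce value (should not persist between logs)"))
    return flagged


def diff_entries(before, after):
    """Entry lines removed and added between two logs: shows whether a fix took."""
    b = {e["raw"] for e in parse_entries(before)}
    a = {e["raw"] for e in parse_entries(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for raw, why in flag_entries(parse_entries(BEFORE)):
        print(f"FLAG [{why}] {raw}")
    removed, added = diff_entries(BEFORE, AFTER)
    print("removed by fix:", *removed, sep="\n  ")
    print("added since   :", *added, sep="\n  ")
```

Feed `diff_entries` the full logs rather than the trimmed samples and the "removed" list should contain exactly the entries you ticked; anything unexpected in "added" is the thing to ask about in the next reply.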

#6
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
That's good :tazz:

Check this with hijack

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Now close all windows and click "fix checked"

Please run the Panda scan and post the log so we can clean up the leftovers.

Thanks


:)
  • 0

#7
twubear
    New Member
  • Topic Starter
  • Member
  • 7 posts
Wow, that ActiveScan thing took a while. Anyway, here is my HiJack log again and my ActiveScan log. Somewhat discouraging, lol. Thanks again for your help :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 3:29:49 PM, on 10/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124813266875
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


Incident Status Location

Spyware:spyware/dyfuca No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\cfout.txt
Adware:adware/alwaysupdatednewsNo disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\toc_0036.exe
Adware:adware/sqwire No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\ts_8_new.exe
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM32\AUNPS2.dll
Adware:adware/elitebar No disinfected C:\WINDOWS\SYSTEM32\eliteicj32.exe
Adware:adware/searchforit No disinfected C:\WINDOWS\SYSTEM32\SYSsfitb.dll
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.dll
Adware:adware/apropos No disinfected Windows Registry
Adware:Adware/Adtomi No disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051015-105010-636.dll
Virus:Trj/Delf.JS Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\atiupdate.exe
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\cfin[cfin]
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\cfout.txt
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\GLF6GLF6.EXE
Adware:Adware/eZula No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\GLF7GLF7.EXE
Adware:Adware/eZula No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\GLF99GLF99.EXE
Adware:Adware/eZula No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\GLF9GLF9.EXE
Adware:Adware/eZula No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\GLFAGLFA.EXE
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\GLFEGLFE.EXE
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\temp.exe
Adware:Adware/AlwaysupdatednewsNo disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\toc_0036.exe
Adware:Adware/eZula No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\ts_8_new.exe
Adware:Adware/Adtomi No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\y2t4.sys
Virus:Trj/PWSteal.H No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\29SV2H25\mm[1].jpg[muma.exe]
Virus:Trj/PWSteal.H Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8HEN05AR\[bleep]snow[1].exe
Virus:Trj/Downloader.DGM Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HFZB9T4E\sia[1].txt
Virus:Exploit/Codebase.AL No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OHAN0HUB\help[1].txt[#.htm]
Virus:Trj/PWSteal.H No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OHAN0HUB\help[1].txt[[bleep]snow.exe]
Virus:Trj/PWSteal.H Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SPSFKR87\muma[1].exe
Virus:Trj/PWSteal.H No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WX6ZWXMN\mm[1].jpg[muma.exe]
Virus:Trj/PWSteal.H Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WXYZKTI3\muma[1].exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\Helper101.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\khhqhj.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\lomyjhme.exe
Adware:Adware/Favadd No disinfected C:\WINDOWS\sfita.exe
Virus:Trj/Clicker.DJ Disinfected C:\WINDOWS\system32\AUNPS2.dll
Adware:Adware/HuntBar No disinfected C:\WINDOWS\system32\Cache\EDow_AS2.exe
Virus:Trj/Delf.EB Disinfected C:\WINDOWS\system32\Cache\HelperInstall.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\Cache\InstallAPS.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\system32\Cache\optimize.exe
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\system32\Cache\SSK3_B5 Advagency.exe
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\system32\Cache\ven_d1.exe
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\system32\Cache\ven_d2.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\eliteicj32.exe
Adware:Adware/Searchforit No disinfected C:\WINDOWS\system32\SYSsfitb.dll
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll
Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\y2t4.sys
Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\ypnq.dll
Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\z0c7hwz.exe
Adware:Adware/Adtomi No disinfected C:\WINDOWS\y2t4.sys
  • 0
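The ActiveScan report above is a flat three-column listing (incident, status, location) with some rough edges: a missing space before "No disinfected" on two rows, a "Windows Registry" location that is not a file, the same file reported under two names with different casing (AUNPS2.dll, once cleaned and once not), and copies sitting in Temp folders. As an added example (my code, not part of this thread or of Panda's tooling), the following Python parses such a report, summarises what was and was not cleaned, and derives the list of files under the Windows directory that still need manual removal, using the filters a helper applies when building a delete list: keep only "No disinfected" rows that are real file paths under C:\WINDOWS, drop any path the scanner already disinfected under another detection name, and leave Temp copies to the temp-file cleanup step. It also checks each path's presence before it would be queued for delete-on-reboot, since a listed file that is already gone is the usual reason such a batch fails. The sample rows are copied from the report; the Windows directory prefix is a parameter.

```python
import os
import re
from collections import Counter

# Constructed sample: nine rows in the layout of the ActiveScan report pasted in
# this thread, copied from it with their quirks intact (missing space before
# "No disinfected", a registry hit, mixed SYSTEM32/system32 casing, a Temp copy).
SAMPLE_REPORT = "\n".join([
    "Incident Status Location",
    "",
    r"Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM32\AUNPS2.dll",
    r"Adware:adware/apropos No disinfected Windows Registry",
    r"Adware:Adware/AlwaysupdatednewsNo disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\toc_0036.exe",
    r"Virus:Trj/Clicker.DJ Disinfected C:\WINDOWS\system32\AUNPS2.dll",
    r"Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\system32\Cache\SSK3_B5 Advagency.exe",
    r"Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\y2t4.sys",
    r"Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\ypnq.dll",
    r"Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\z0c7hwz.exe",
    r"Adware:Adware/Adtomi No disinfected C:\WINDOWS\y2t4.sys",
])

# One report row: "<Category>:<Name> <Status> <Location>". The name is matched
# lazily so a row with no space before "No disinfected" still splits correctly.
ROW_RE = re.compile(
    r"^(?P<category>[A-Za-z]+):(?P<name>\S+?)\s*"
    r"(?P<status>No disinfected|Disinfected)\s+"
    r"(?P<location>.+?)\s*$"
)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")   # "C:\..." as opposed to "Windows Registry"


def parse_report(text):
    """Return one dict per detection row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def summarize(rows):
    """Count detections by (category, status): a quick view of what was NOT cleaned."""
    return Counter((r["category"], r["status"]) for r in rows)


def pending_files(rows, windows_dir=r"C:\WINDOWS"):
    """Files the scanner reported but did not clean and that still need removal.

    Only file paths (not registry hits), only under the Windows directory (Temp
    copies are left to the temp-file cleanup), and not a path the scanner already
    disinfected under another detection name. Comparison is case-insensitive
    because the report mixes SYSTEM32 and system32 for the same file.
    """
    disinfected = {r["location"].lower() for r in rows if r["status"] == "Disinfected"}
    prefix = windows_dir.lower() + "\\"
    pending = {}
    for r in rows:
        loc = r["location"]
        key = loc.lower()
        if r["status"] != "No disinfected" or not DRIVE_PATH_RE.match(loc):
            continue
        if key in disinfected or not key.startswith(prefix):
            continue
        pending.setdefault(key, loc)        # first spelling wins, duplicates collapse
    return sorted(pending.values(), key=str.lower)


def split_by_presence(paths, exists=os.path.exists):
    """Partition paths into (present, missing) before queuing delete-on-reboot.

    A listed file that is already gone is the usual reason a delete-on-reboot
    batch errors out, so missing ones are reported separately and skipped.
    `exists` is injectable so the logic can be exercised off the affected box.
    """
    present = [p for p in paths if exists(p)]
    missing = [p for p in paths if not exists(p)]
    return present, missing


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for (category, status), n in sorted(summarize(rows).items()):
        print(f"{category:8} {status:15} {n}")
    present, missing = split_by_presence(pending_files(rows))
    print("queue for delete on reboot:", *present, sep="\n  ")
    print("already gone, skip:", *missing, sep="\n  ")
```

Run against the full report, `pending_files` reproduces the Windows-directory portion of a Killbox list; `split_by_presence` is the check to run on the affected machine first, so that paths that no longer exist are never pasted into the tool.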

#8
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
We're getting there

Click here to download Pocket Killbox by Option^Explicit

Now open Pocket Killbox and select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'.
The entire list should now be in the "Full Path of File to Delete"
field. To check, click on the dropdown-arrow next to that field.
If you expand it, these lines should all be there.


C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\Helper101.dll
C:\WINDOWS\khhqhj.exe
C:\WINDOWS\lomyjhme.exe
C:\WINDOWS\sfita.exe
C:\WINDOWS\system32\Cache\EDow_AS2.exe
C:\WINDOWS\system32\Cache\InstallAPS.exe
C:\WINDOWS\system32\Cache\optimize.exe
C:\WINDOWS\system32\Cache\SSK3_B5 Advagency.exe
C:\WINDOWS\system32\Cache\ven_d1.exe
C:\WINDOWS\system32\Cache\ven_d2.exe
C:\WINDOWS\system32\eliteicj32.exe
C:\WINDOWS\system32\SYSsfitb.dll
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\xmltok.dll
C:\WINDOWS\system32\y2t4.sys
C:\WINDOWS\system32\ypnq.dll
C:\WINDOWS\system32\z0c7hwz.exe
C:\WINDOWS\y2t4.sys



Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES.

Let's clean your temp files
  • Start >>> Run >>>> type in cleanmgr >>> OK
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Click "OK" to remove them.
  • Click "Yes" to confirm the deletion.
Post a new hijack log and tell me how your system is running now.

Thanks :tazz:
  • 0

#9
twubear
    New Member
  • Topic Starter
  • Member
  • 7 posts
When I try using KillBox, after pasting the directories you listed above and clicking the red circle with a white x, it verifies some registry thing and then I receive the following error:

"PendingFileRenameOperationsRegistry Data has been Removed by External Process!"

And then the computer does not restart.
  • 0

#10
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
OK, that generally means one of the files is gone. Paste them in one at a time and skip any you get the error for.
  • 0

#11
twubear
    New Member
  • Topic Starter
  • Member
  • 7 posts
Put them all in one at a time and it appears that they're all non-existent, lol.
  • 0

#12
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
lol.....

Hmmm, they should be there. We need to check. I am sorry, it looks like you will have to go to safe mode and get these.

Please reboot into Safe Mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Show Hidden Files and Folders (if needed)
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please delete the files below:

C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\Helper101.dll
C:\WINDOWS\khhqhj.exe
C:\WINDOWS\lomyjhme.exe
C:\WINDOWS\sfita.exe
C:\WINDOWS\system32\Cache\EDow_AS2.exe
C:\WINDOWS\system32\Cache\InstallAPS.exe
C:\WINDOWS\system32\Cache\optimize.exe
C:\WINDOWS\system32\Cache\SSK3_B5 Advagency.exe
C:\WINDOWS\system32\Cache\ven_d1.exe
C:\WINDOWS\system32\Cache\ven_d2.exe
C:\WINDOWS\system32\eliteicj32.exe
C:\WINDOWS\system32\SYSsfitb.dll
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\xmltok.dll
C:\WINDOWS\system32\y2t4.sys
C:\WINDOWS\system32\ypnq.dll
C:\WINDOWS\system32\z0c7hwz.exe
C:\WINDOWS\y2t4.sys

Rehide files and folders

Reboot and tell me how it went.
  • 0





