Can't rid my computer of Trojan Horse Pakes [CLOSED]

This topic is locked.

#1 baronnep (New Member, 4 posts)
Ran your Start Here steps; this helped a bit, but the trojan is still popping up. Also had a rundll come up at startup: C:\windows\cfgmgr52.dll. This was also listed in startup; I unchecked it, but after a reboot it was checked again. Here's my log file:

Logfile of HijackThis v1.99.1
Scan saved at 3:39:24 AM, on 10/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\HPHMON05.EXE
C:\WINDOWS\SYSTEM\HPZTSB09.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\RLVKNLG.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\AT&T GLOBAL NETWORK CLIENT\NETCLIENT.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/w...yeBayAllSelling
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {4D89FD2D-0ABB-BF3C-30E7-1ED12E920BF3} - C:\WINDOWS\Nymspnea.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\SYSTEM\HSIJYGK.DLL (file missing)
O2 - BHO: SDWin32 Class - {B2BB2960-CD23-11D9-A6E3-0080AD74888E} - C:\WINDOWS\SYSTEM\YZVTY.DLL (file missing)
O2 - BHO: (no name) - {5AFE26E4-85E8-155F-2095-56BBE8B72F2C} - C:\WINDOWS\Nymspnea.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Search - {5A64AD8A-2A68-957A-1325-C3C464194F98} - C:\WINDOWS\Nymspnea.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\SYSTEM\HPHMON05.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [ka7t5vbb] C:\WINDOWS\SYSTEM\ka7t5vbb.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\RLVKNLG.EXE -boot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Scanner Detector.lnk = C:\Program Files\ScanSuite\SDetect.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart...oad/XUpload.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB
O16 - DPF: {8AB662FD-CFE0-4D68-96B8-128AFA3C68A6} (CPrtTmpControl Object) - http://eshare.hpphot...nload/setup.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://www.samsphoto...ploadClient.cab

#2 lovethepirk (Visiting Staff, 528 posts)
Welcome to G2G forums. Sorry it has taken a while to get back to you but we are very busy currently.

Thanks for being so patient.

You need to save this response as a Notepad or Word document on your desktop for use later when we go into Safe Mode (no internet access).
I also suggest you print out this response for easy use as well.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
You can re-enable TeaTimer once your system is clean.

Please download QooFix9x and save it to your desktop. Do NOT run it yet.

Scan with HijackThis again and place a check next to these items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {4D89FD2D-0ABB-BF3C-30E7-1ED12E920BF3} - C:\WINDOWS\Nymspnea.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\SYSTEM\HSIJYGK.DLL (file missing)
O2 - BHO: SDWin32 Class - {B2BB2960-CD23-11D9-A6E3-0080AD74888E} - C:\WINDOWS\SYSTEM\YZVTY.DLL (file missing)
O2 - BHO: (no name) - {5AFE26E4-85E8-155F-2095-56BBE8B72F2C} - C:\WINDOWS\Nymspnea.dll

O3 - Toolbar: Search - {5A64AD8A-2A68-957A-1325-C3C464194F98} - C:\WINDOWS\Nymspnea.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)

O4 - HKLM\..\Run: [ka7t5vbb] C:\WINDOWS\SYSTEM\ka7t5vbb.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\RLVKNLG.EXE -boot
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB

Close all other windows except HijackThis, and hit Fix Checked.

To make sure you can see all hidden files, please follow the directions here

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Navigate to the following files/folders and delete these:
C:\WINDOWS\SYSTEM\ka7t5vbb.exe
C:\WINDOWS\CFGMGR52.DLL
C:\WINDOWS\RLVKNLG.EXE
C:\Program Files\Common Files\mc-58-12-0000079-d.exe

Now please double-click QooFix9x.exe (you downloaded it earlier) and unzip it to the desktop. Open the QooFix9x folder on your desktop and run RunThis.bat. If you get a warning about running MS-DOS programs in Safe Mode, please just click OK to continue. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the QooFix9x folder.

Thanks,

Lovethepirk
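The entries the helper picked out above all fall into a few recognisable patterns: entries that point at a file that no longer exists, DLLs and EXEs parked directly in C:\WINDOWS or C:\WINDOWS\SYSTEM under names that do not belong to Windows or a known product, random-looking file names such as ka7t5vbb.exe, an empty R0 value, a Trusted Zone addition, and an ActiveX download from a site nobody recognises. As an added example (not part of this thread and not HijackThis code), the Python script below applies those same patterns to HijackThis v1.99-style log lines so a reviewer can see the candidate list before deciding what to fix by hand. The KNOWN_GOOD allowlist, the SAMPLE_LOG (a subset of the lines posted above) and the triage rules are constructed for this example; the allowlist is illustrative, not a vendor-maintained list.

```python
"""Triage helper for HijackThis-style log lines (added example, not the
thread's or HijackThis's own code).  It reproduces the reasoning a forum
helper applies by hand and marks each hit either "fix:" (the helper would
tick it) or "review:" (worth a look, not an automatic fix)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed allowlist: binaries that legitimately live directly in
# C:\WINDOWS or C:\WINDOWS\SYSTEM on the Windows 98 SE box in this thread.
# Anything else found in those two folders is flagged for review.
KNOWN_GOOD = {
    "scanregw.exe", "taskmon.exe", "wucrtupd.exe", "qttask.exe",
    "wuauclt.dll", "hphmon05.exe", "hpztsb09.exe", "mstask.exe", "msdxm.ocx",
}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system"}

SECTION_RE = re.compile(r"^[RFNO]\d+ - ")             # R0/R3/O2/O4/... lines only
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|ocx)", re.IGNORECASE)
# A digit followed by another letter inside the stem ("ka7t5vbb",
# "mc-58-12-0000079-d") is typical of generated dropper names; plain
# trailing version digits ("hphupd05") deliberately do not match.
RANDOM_NAME = re.compile(r"\d[-_]?[a-z]", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)  # "fix: ..." / "review: ..."

    @property
    def needs_fix(self) -> bool:
        return any(r.startswith("fix:") for r in self.reasons)


def triage_line(line: str) -> Finding:
    """Apply the triage rules to one section line and collect the reasons."""
    f = Finding(line)
    code = line.split(" - ", 1)[0].strip()
    if "(file missing)" in line or "(no file)" in line:
        f.reasons.append("fix: points at a file that no longer exists (orphaned entry)")
    if code in ("R0", "R1") and line.rstrip().endswith("="):
        f.reasons.append("fix: empty value, nothing legitimate sets this")
    m = PATH_RE.search(line)
    if m:
        folder, name = m.group(0).rsplit("\\", 1)
        if folder.lower() in WINDOWS_DIRS and name.lower() not in KNOWN_GOOD:
            f.reasons.append(f"fix: unfamiliar file parked in {folder}")
        if RANDOM_NAME.search(name.rsplit(".", 1)[0]):
            f.reasons.append("fix: random-looking file name")
    if code == "O15":
        f.reasons.append("fix: Trusted Zone entry lowers IE security for that site")
    if code == "O16":
        f.reasons.append("review: ActiveX control installed from the web (DPF)")
    return f


def triage_log(text: str) -> List[Finding]:
    """Return findings (with at least one reason) for every section line."""
    found = [triage_line(ln) for ln in text.splitlines() if SECTION_RE.match(ln)]
    return [f for f in found if f.reasons]


# Constructed sample: a subset of the log posted above, including known-good
# lines that the rules must leave alone.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\RLVKNLG.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/w...yeBayAllSelling
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {4D89FD2D-0ABB-BF3C-30E7-1ED12E920BF3} - C:\WINDOWS\Nymspnea.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\SYSTEM\HSIJYGK.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [ka7t5vbb] C:\WINDOWS\SYSTEM\ka7t5vbb.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\RLVKNLG.EXE -boot
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(("FIX    " if finding.needs_fix else "REVIEW ") + finding.line)
        for reason in finding.reasons:
            print("         - " + reason)
```

Run on the sample, the script marks nine lines "fix" (the empty R0, the three Nymspnea/missing-file BHO and toolbar entries, the four suspicious Run entries and the Trusted Zone) and leaves the O16 line at "review", while scanregw.exe, WUAUCLT.DLL, hphupd05.exe and TeaTimer.exe pass untouched. The "Running processes" block is skipped on purpose: a process list legitimately contains system DLLs in C:\WINDOWS\SYSTEM, so the folder rule only makes sense for autostart and browser-hook entries.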
#3 baronnep (Topic Starter, New Member, 4 posts)

#4 baronnep (Topic Starter, New Member, 4 posts)
Attached file: log.txt (430 bytes, 114 downloads)

#5 lovethepirk (Visiting Staff, 528 posts)
Baronnep,

Could you please post a new HJT log for us to look at.

Please copy and paste it into this thread instead of attaching it.

Thanks,

Lovethepirk
#6 lovethepirk (Visiting Staff, 528 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.