Backdoor.Nibu Problems (Win Xp Home) [CLOSED]


  • This topic is locked

#1 AlphaBITS (New Member, 4 posts)

This one's really crippling my customer's PC. Symantec AntiVirus pops up a message about it at almost every mouse click. I've spent all day and used Ad-Aware, Spybot, PestPatrol & Symantec AV and have removed nearly 1,000 (NO KIDDING!) infected or malicious files.

I tried removing Backdoor.Nibu using the instructions from Symantec AV's site, but to no avail. Any help with this HijackThis log would be much appreciated.

Thx,
Paul


#2 infaddict (Visiting Staff, 734 posts)

Hi AlphaBITS and welcome to Geeks to Go :) .

My name is infaddict and I will be helping you with your problem. Please can you post back with a fresh HijackThis log, as it has been a while since your last log - the infections may have changed.

Note: please simply paste your log into your reply; do not attach files.

Thanks :tazz:

Edited by infaddict, 18 November 2005 - 09:17 AM.


#3 AlphaBITS (Topic Starter, 4 posts)

infaddict, thank you. Here is the same log pasted directly instead of attached. It will not have changed, as the machine was disconnected and shut down just after generating the log.

Thanks again, look forward to hearing from you.
Paul


Logfile of HijackThis v1.99.1
Scan saved at 6:04:56 PM, on 11/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\winldra.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\start.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2&b=enc
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adshttp.com/s...L?zone=enternet
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\Bryan\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Jch] C:\WINDOWS\Erk.exe
O4 - HKLM\..\Run: [Mgm] C:\WINDOWS\Hdp.exe
O4 - HKLM\..\Run: [Hhs] C:\WINDOWS\Ftj.exe
O4 - HKLM\..\Run: [Vng] C:\WINDOWS\Sac.exe
O4 - HKLM\..\Run: [Seb] C:\WINDOWS\System32\Alp.exe
O4 - HKLM\..\Run: [Ois] C:\WINDOWS\System32\Asj.exe
O4 - HKLM\..\Run: [Caj] C:\WINDOWS\System32\Dke.exe
O4 - HKLM\..\Run: [Pnb] C:\WINDOWS\Kfk.exe
O4 - HKLM\..\Run: [Ngu] C:\WINDOWS\System32\Ftd.exe
O4 - HKLM\..\Run: [Tck] C:\WINDOWS\System32\Ivo.exe
O4 - HKLM\..\Run: [Ung] C:\WINDOWS\Ern.exe
O4 - HKLM\..\Run: [Sgc] C:\WINDOWS\Vgq.exe
O4 - HKLM\..\Run: [Ses] C:\WINDOWS\System32\Cll.exe
O4 - HKLM\..\Run: [Hlp] C:\WINDOWS\System32\Bto.exe
O4 - HKLM\..\Run: [Qks] C:\WINDOWS\Ptr.exe
O4 - HKLM\..\Run: [Mkd] C:\WINDOWS\System32\Jjq.exe
O4 - HKLM\..\Run: [Nfq] C:\WINDOWS\Bnt.exe
O4 - HKLM\..\Run: [Cvn] C:\WINDOWS\System32\Btp.exe
O4 - HKLM\..\Run: [Fmk] C:\WINDOWS\Vkq.exe
O4 - HKLM\..\Run: [Nks] C:\WINDOWS\Lbu.exe
O4 - HKLM\..\Run: [Edl] C:\WINDOWS\System32\Ftv.exe
O4 - HKLM\..\Run: [Rsa] C:\WINDOWS\System32\Abk.exe
O4 - HKLM\..\Run: [Diq] C:\WINDOWS\Thi.exe
O4 - HKLM\..\Run: [Tmf] C:\WINDOWS\System32\Vge.exe
O4 - HKLM\..\Run: [Bvs] C:\WINDOWS\Lpe.exe
O4 - HKLM\..\Run: [Lem] C:\WINDOWS\Gnk.exe
O4 - HKLM\..\Run: [Jdt] C:\WINDOWS\Ctf.exe
O4 - HKLM\..\Run: [Dkf] C:\WINDOWS\System32\Qqb.exe
O4 - HKLM\..\Run: [Bfd] C:\WINDOWS\System32\Nmf.exe
O4 - HKLM\..\Run: [Otj] C:\WINDOWS\System32\Aog.exe
O4 - HKLM\..\Run: [Eph] C:\WINDOWS\Qio.exe
O4 - HKLM\..\Run: [Rco] C:\WINDOWS\System32\Fbn.exe
O4 - HKLM\..\Run: [Egp] C:\WINDOWS\Mml.exe
O4 - HKLM\..\Run: [Kvl] C:\WINDOWS\System32\Fgo.exe
O4 - HKLM\..\Run: [Ajh] C:\WINDOWS\Bcc.exe
O4 - HKLM\..\Run: [Bra] C:\WINDOWS\System32\Ldi.exe
O4 - HKLM\..\Run: [Tkc] C:\WINDOWS\Lle.exe
O4 - HKLM\..\Run: [Tei] C:\WINDOWS\System32\Bef.exe
O4 - HKLM\..\Run: [Gml] C:\WINDOWS\Egh.exe
O4 - HKLM\..\Run: [Elf] C:\WINDOWS\Rpc.exe
O4 - HKLM\..\Run: [Rla] C:\WINDOWS\Uid.exe
O4 - HKLM\..\Run: [Lqb] C:\WINDOWS\Ejr.exe
O4 - HKLM\..\Run: [Vef] C:\WINDOWS\Qql.exe
O4 - HKLM\..\Run: [Cer] C:\WINDOWS\System32\Cjo.exe
O4 - HKLM\..\Run: [Fdj] C:\WINDOWS\Hlg.exe
O4 - HKLM\..\Run: [Gef] C:\WINDOWS\System32\Laa.exe
O4 - HKLM\..\Run: [Ujg] C:\WINDOWS\Rjt.exe
O4 - HKLM\..\Run: [Til] C:\WINDOWS\Tjm.exe
O4 - HKLM\..\Run: [Drp] C:\WINDOWS\Bbd.exe
O4 - HKLM\..\Run: [Efa] C:\WINDOWS\Pmo.exe
O4 - HKLM\..\Run: [Gjb] C:\WINDOWS\Hrl.exe
O4 - HKLM\..\Run: [Osu] C:\WINDOWS\Euj.exe
O4 - HKLM\..\Run: [Fhs] C:\WINDOWS\System32\Dgi.exe
O4 - HKLM\..\Run: [Ltb] C:\WINDOWS\Omd.exe
O4 - HKLM\..\Run: [Ifn] C:\WINDOWS\Rld.exe
O4 - HKLM\..\Run: [Amd] C:\WINDOWS\System32\Jrq.exe
O4 - HKLM\..\Run: [Jtp] C:\WINDOWS\System32\Mnq.exe
O4 - HKLM\..\Run: [Spa] C:\WINDOWS\System32\Jls.exe
O4 - HKLM\..\Run: [Oos] C:\WINDOWS\System32\Brs.exe
O4 - HKLM\..\Run: [Qtp] C:\WINDOWS\Sca.exe
O4 - HKLM\..\Run: [Ora] C:\WINDOWS\Peq.exe
O4 - HKLM\..\Run: [Hdo] C:\WINDOWS\Ivl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bfb] C:\WINDOWS\System32\Kba.exe
O4 - HKLM\..\Run: [Eve] C:\WINDOWS\Foe.exe
O4 - HKLM\..\Run: [Fih] C:\WINDOWS\System32\Lgf.exe
O4 - HKLM\..\Run: [Dmi] C:\WINDOWS\System32\Glu.exe
O4 - HKLM\..\Run: [Oht] C:\WINDOWS\System32\Ksj.exe
O4 - HKLM\..\Run: [Qsb] C:\WINDOWS\System32\Tja.exe
O4 - HKLM\..\Run: [Vjk] C:\WINDOWS\Lsi.exe
O4 - HKLM\..\Run: [Pkn] C:\WINDOWS\System32\Mdj.exe
O4 - HKLM\..\Run: [Dnu] C:\WINDOWS\Hvg.exe
O4 - HKLM\..\Run: [Jbf] C:\WINDOWS\System32\Rjh.exe
O4 - HKLM\..\Run: [Gpn] C:\WINDOWS\Mcu.exe
O4 - HKLM\..\Run: [Opu] C:\WINDOWS\Dvs.exe
O4 - HKLM\..\Run: [Nqa] C:\WINDOWS\System32\Gkc.exe
O4 - HKLM\..\Run: [Pov] C:\WINDOWS\Cuu.exe
O4 - HKLM\..\Run: [Kan] C:\WINDOWS\System32\Fsh.exe
O4 - HKLM\..\Run: [Btc] C:\WINDOWS\Vde.exe
O4 - HKLM\..\Run: [Dpv] C:\WINDOWS\System32\Qnl.exe
O4 - HKLM\..\Run: [Bsc] C:\WINDOWS\System32\Hol.exe
O4 - HKLM\..\Run: [Kih] C:\WINDOWS\Kai.exe
O4 - HKLM\..\Run: [Lrv] C:\WINDOWS\Sue.exe
O4 - HKLM\..\Run: [Jdo] C:\WINDOWS\Lth.exe
O4 - HKLM\..\Run: [Ook] C:\WINDOWS\Iav.exe
O4 - HKLM\..\Run: [Fsa] C:\WINDOWS\System32\Fci.exe
O4 - HKLM\..\Run: [Ceo] C:\WINDOWS\Pds.exe
O4 - HKLM\..\Run: [Vvo] C:\WINDOWS\System32\Smh.exe
O4 - HKLM\..\Run: [Mkh] C:\WINDOWS\System32\Vqg.exe
O4 - HKLM\..\Run: [Djd] C:\WINDOWS\Qkl.exe
O4 - HKLM\..\Run: [Pja] C:\WINDOWS\System32\Mlq.exe
O4 - HKLM\..\Run: [Sut] C:\WINDOWS\System32\Eob.exe
O4 - HKLM\..\Run: [Lfr] C:\WINDOWS\System32\Pbd.exe
O4 - HKLM\..\Run: [Fjc] C:\WINDOWS\Kkv.exe
O4 - HKLM\..\Run: [Bsd] C:\WINDOWS\System32\Cds.exe
O4 - HKLM\..\Run: [Tjn] C:\WINDOWS\Nif.exe
O4 - HKLM\..\Run: [Qst] C:\WINDOWS\Bie.exe
O4 - HKLM\..\Run: [Dcg] C:\WINDOWS\System32\Unf.exe
O4 - HKLM\..\Run: [Lpd] C:\WINDOWS\System32\Qro.exe
O4 - HKLM\..\Run: [Quo] C:\WINDOWS\System32\Uqk.exe
O4 - HKLM\..\Run: [Itc] C:\WINDOWS\Ito.exe
O4 - HKLM\..\Run: [Ivp] C:\WINDOWS\Ilf.exe
O4 - HKLM\..\Run: [Iru] C:\WINDOWS\System32\Gte.exe
O4 - HKLM\..\Run: [Jpf] C:\WINDOWS\System32\Mnk.exe
O4 - HKLM\..\Run: [Moe] C:\WINDOWS\Bls.exe
O4 - HKLM\..\Run: [Ecm] C:\WINDOWS\System32\Mot.exe
O4 - HKLM\..\Run: [Nfj] C:\WINDOWS\System32\Jbg.exe
O4 - HKLM\..\Run: [Ssk] C:\WINDOWS\Bpu.exe
O4 - HKLM\..\Run: [Csn] C:\WINDOWS\System32\Pva.exe
O4 - HKLM\..\Run: [Jlf] C:\WINDOWS\System32\Tve.exe
O4 - HKLM\..\Run: [Ojj] C:\WINDOWS\Nrq.exe
O4 - HKLM\..\Run: [Vka] C:\WINDOWS\Lgn.exe
O4 - HKLM\..\Run: [Hhc] C:\WINDOWS\Rsv.exe
O4 - HKLM\..\Run: [Nbh] C:\WINDOWS\Aqu.exe
O4 - HKLM\..\Run: [Hde] C:\WINDOWS\Dur.exe
O4 - HKLM\..\Run: [Pft] C:\WINDOWS\Bfc.exe
O4 - HKLM\..\Run: [Hfp] C:\WINDOWS\Cbr.exe
O4 - HKLM\..\Run: [Vrt] C:\WINDOWS\System32\Lec.exe
O4 - HKLM\..\Run: [Hps] C:\WINDOWS\Tgv.exe
O4 - HKLM\..\Run: [Ofi] C:\WINDOWS\Fdg.exe
O4 - HKLM\..\Run: [Bop] C:\WINDOWS\System32\Hpg.exe
O4 - HKLM\..\Run: [Mqk] C:\WINDOWS\System32\Jus.exe
O4 - HKLM\..\Run: [Cpm] C:\WINDOWS\Ene.exe
O4 - HKLM\..\Run: [Krr] C:\WINDOWS\System32\Lbs.exe
O4 - HKLM\..\Run: [Fau] C:\WINDOWS\System32\Mem.exe
O4 - HKLM\..\Run: [Epp] C:\WINDOWS\She.exe
O4 - HKLM\..\Run: [Fgf] C:\WINDOWS\Sus.exe
O4 - HKLM\..\Run: [Npm] C:\WINDOWS\System32\Rtm.exe
O4 - HKLM\..\Run: [Pev] C:\WINDOWS\Tqh.exe
O4 - HKLM\..\Run: [Rme] C:\WINDOWS\System32\Obj.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Glq.exe
O4 - HKLM\..\Run: [Epg] C:\WINDOWS\System32\Cab.exe
O4 - HKLM\..\Run: [Aai] C:\WINDOWS\Jre.exe
O4 - HKLM\..\Run: [Msg] C:\WINDOWS\Ahq.exe
O4 - HKLM\..\Run: [Nfn] C:\WINDOWS\System32\Ivj.exe
O4 - HKLM\..\Run: [Tro] C:\WINDOWS\System32\Psb.exe
O4 - HKLM\..\Run: [Mjr] C:\WINDOWS\Fvb.exe
O4 - HKLM\..\Run: [Ark] C:\WINDOWS\Cjn.exe
O4 - HKLM\..\Run: [Rqj] C:\WINDOWS\Pih.exe
O4 - HKLM\..\Run: [Qtd] C:\WINDOWS\System32\Nkj.exe
O4 - HKLM\..\Run: [Pqj] C:\WINDOWS\Khn.exe
O4 - HKLM\..\Run: [Lll] C:\WINDOWS\Ugn.exe
O4 - HKLM\..\Run: [Ato] C:\WINDOWS\Cbv.exe
O4 - HKLM\..\Run: [Toa] C:\WINDOWS\Chi.exe
O4 - HKLM\..\Run: [Kdg] C:\WINDOWS\Cte.exe
O4 - HKLM\..\Run: [Fdi] C:\WINDOWS\Vbl.exe
O4 - HKLM\..\Run: [Vug] C:\WINDOWS\System32\Jhi.exe
O4 - HKLM\..\Run: [Hpa] C:\WINDOWS\Tcj.exe
O4 - HKLM\..\Run: [Dvr] C:\WINDOWS\Hef.exe
O4 - HKLM\..\Run: [Ntr] C:\WINDOWS\Opf.exe
O4 - HKLM\..\Run: [Tom] C:\WINDOWS\System32\Vai.exe
O4 - HKLM\..\Run: [Dka] C:\WINDOWS\Ttk.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Odb] C:\WINDOWS\System32\Ivr.exe
O4 - HKLM\..\Run: [Sgp] C:\WINDOWS\System32\Hpu.exe
O4 - HKLM\..\Run: [Ibl] C:\WINDOWS\System32\Mrt.exe
O4 - HKLM\..\Run: [Fqg] C:\WINDOWS\Bal.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Jlv] C:\WINDOWS\Mfd.exe
O4 - HKLM\..\Run: [Phf] C:\WINDOWS\Bkj.exe
O4 - HKLM\..\Run: [Nuv] C:\WINDOWS\Der.exe
O4 - HKLM\..\Run: [Mpj] C:\WINDOWS\Vla.exe
O4 - HKLM\..\Run: [Cfh] C:\WINDOWS\Ijj.exe
O4 - HKLM\..\Run: [Uth] C:\WINDOWS\System32\Aiq.exe
O4 - HKLM\..\Run: [Ome] C:\WINDOWS\System32\Dbn.exe
O4 - HKLM\..\Run: [Rts] C:\WINDOWS\System32\Tlv.exe
O4 - HKLM\..\Run: [Cgv] C:\WINDOWS\Nuf.exe
O4 - HKLM\..\Run: [Gvb] C:\WINDOWS\System32\Hsn.exe
O4 - HKLM\..\Run: [Cso] C:\WINDOWS\System32\Usp.exe
O4 - HKLM\..\Run: [Qba] C:\WINDOWS\Fal.exe
O4 - HKLM\..\Run: [Qmr] C:\WINDOWS\System32\Qdn.exe
O4 - HKLM\..\Run: [Kpr] C:\WINDOWS\System32\Sbs.exe
O4 - HKLM\..\Run: [Rjn] C:\WINDOWS\Uam.exe
O4 - HKLM\..\Run: [Kdn] C:\WINDOWS\Nlc.exe
O4 - HKLM\..\Run: [Qou] C:\WINDOWS\Lmq.exe
O4 - HKLM\..\Run: [Cun] C:\WINDOWS\Ckl.exe
O4 - HKLM\..\Run: [Knn] C:\WINDOWS\Kvs.exe
O4 - HKLM\..\Run: [Gfp] C:\WINDOWS\Vsn.exe
O4 - HKLM\..\Run: [Rfm] C:\WINDOWS\Ttl.exe
O4 - HKLM\..\Run: [Ina] C:\WINDOWS\Psm.exe
O4 - HKLM\..\Run: [Aep] C:\WINDOWS\Hda.exe
O4 - HKLM\..\Run: [Kma] C:\WINDOWS\System32\Lve.exe
O4 - HKLM\..\Run: [Kqo] C:\WINDOWS\Ggq.exe
O4 - HKLM\..\Run: [Dev] C:\WINDOWS\System32\Dsu.exe
O4 - HKLM\..\Run: [Dlr] C:\WINDOWS\Irn.exe
O4 - HKLM\..\Run: [Tee] C:\WINDOWS\System32\Bku.exe
O4 - HKLM\..\Run: [Aql] C:\WINDOWS\Rrt.exe
O4 - HKLM\..\Run: [Ulb] C:\WINDOWS\System32\Tjh.exe
O4 - HKLM\..\Run: [Hmb] C:\WINDOWS\System32\Bdm.exe
O4 - HKLM\..\Run: [Snd] C:\WINDOWS\Fsb.exe
O4 - HKLM\..\Run: [Mnp] C:\WINDOWS\Tss.exe
O4 - HKLM\..\Run: [Qjf] C:\WINDOWS\System32\Efe.exe
O4 - HKLM\..\Run: [Cct] C:\WINDOWS\System32\Hmq.exe
O4 - HKLM\..\Run: [Clq] C:\WINDOWS\Tpa.exe
O4 - HKLM\..\Run: [Lnj] C:\WINDOWS\Mnd.exe
O4 - HKLM\..\Run: [Nae] C:\WINDOWS\System32\Obn.exe
O4 - HKLM\..\Run: [Iij] C:\WINDOWS\Gjp.exe
O4 - HKLM\..\Run: [Rlr] C:\WINDOWS\System32\Fna.exe
O4 - HKLM\..\Run: [Aqk] C:\WINDOWS\Naf.exe
O4 - HKLM\..\Run: [Jko] C:\WINDOWS\Kpq.exe
O4 - HKLM\..\Run: [Lir] C:\WINDOWS\System32\Elc.exe
O4 - HKLM\..\Run: [Ftg] C:\WINDOWS\Bsl.exe
O4 - HKLM\..\Run: [Hlo] C:\WINDOWS\Tll.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Fgl.exe
O4 - HKLM\..\Run: [Kbp] C:\WINDOWS\Gfj.exe
O4 - HKLM\..\Run: [Avj] C:\WINDOWS\Smh.exe
O4 - HKLM\..\Run: [Icn] C:\WINDOWS\Jbb.exe
O4 - HKLM\..\Run: [Skh] C:\WINDOWS\System32\Tjr.exe
O4 - HKLM\..\Run: [Gel] C:\WINDOWS\Pqj.exe
O4 - HKLM\..\Run: [Mfn] C:\WINDOWS\Lsr.exe
O4 - HKLM\..\Run: [Lqu] C:\WINDOWS\System32\Vuu.exe
O4 - HKLM\..\Run: [Qru] C:\WINDOWS\Sqr.exe
O4 - HKLM\..\Run: [Jqj] C:\WINDOWS\System32\Jts.exe
O4 - HKLM\..\Run: [Bus] C:\WINDOWS\System32\Dbf.exe
O4 - HKLM\..\Run: [Sbg] C:\WINDOWS\Riu.exe
O4 - HKLM\..\Run: [Vcd] C:\WINDOWS\Fid.exe
O4 - HKLM\..\Run: [Thm] C:\WINDOWS\Fim.exe
O4 - HKLM\..\Run: [Shr] C:\WINDOWS\System32\Dgq.exe
O4 - HKLM\..\Run: [Sre] C:\WINDOWS\Deh.exe
O4 - HKLM\..\Run: [Fkj] C:\WINDOWS\Rdp.exe
O4 - HKLM\..\Run: [Ihk] C:\WINDOWS\System32\Qem.exe
O4 - HKLM\..\Run: [Bpg] C:\WINDOWS\Ucn.exe
O4 - HKLM\..\Run: [Gja] C:\WINDOWS\System32\Nmm.exe
O4 - HKLM\..\Run: [Hqq] C:\WINDOWS\Gqv.exe
O4 - HKLM\..\Run: [Ufq] C:\WINDOWS\System32\Esb.exe
O4 - HKLM\..\Run: [Hkm] C:\WINDOWS\System32\Sva.exe
O4 - HKLM\..\Run: [Cbs] C:\WINDOWS\Ucl.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Eho] C:\WINDOWS\System32\Jfr.exe
O4 - HKLM\..\Run: [Bji] C:\WINDOWS\System32\Nko.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Jvq] C:\WINDOWS\Uor.exe
O4 - HKLM\..\Run: [Nkf] C:\WINDOWS\System32\Hdr.exe
O4 - HKLM\..\Run: [Ufb] C:\WINDOWS\System32\Nop.exe
O4 - HKLM\..\Run: [Lpm] C:\WINDOWS\Mqq.exe
O4 - HKLM\..\Run: [Frc] C:\WINDOWS\Bas.exe
O4 - HKLM\..\Run: [Iva] C:\WINDOWS\Mik.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\PROGRA~1\PESTPA~1\ppclean.exe" "clean" "ts:20051115170247" "cws" "2"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Frc] C:\WINDOWS\Bas.exe
O4 - HKCU\..\Run: [Iva] C:\WINDOWS\Mik.exe
O4 - Global Startup: start.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\windows\system32\cm.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...erInstall_2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0FCE2FB-4CB0-4B65-BCDF-40D4EC314841}: NameServer = 85.255.115.69,85.255.112.12
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\q167078.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
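As an added example (not code from this thread, from HijackThis, or from the helper), a small Python triage script that flags the indicators infaddict points at in the next reply: the flood of random three-letter Run entries, the O17 NameServer redirection, the CoolWebSearch trusted zone, the BHO that is also registered as a Winlogon Notify DLL, and the service whose file is missing. The sample lines are a subset copied from the log above; the expected-resolver allowlist and the hijack-domain list are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll
O4 - HKLM\..\Run: [Jch] C:\WINDOWS\Erk.exe
O4 - HKLM\..\Run: [Seb] C:\WINDOWS\System32\Alp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O15 - Trusted Zone: *.coolwebsearch.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\windows\system32\cm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0FCE2FB-4CB0-4B65-BCDF-40D4EC314841}: NameServer = 85.255.115.69,85.255.112.12
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
""".strip().splitlines()

# Placeholder (constructed): the resolvers the customer's ISP really hands out.
# Any other address in an O17 line means DNS lookups are being redirected.
EXPECTED_DNS = {"192.0.2.1", "192.0.2.2"}
# Domains taken from the R0/R1 entries infaddict asks to have removed.
HIJACK_DOMAINS = {"s-redirect.com", "websearch.drsnsrch.com", "coolwebsearch.com"}
SYSTEM32 = "c:\\windows\\system32\\"

# The pattern that fills this log: a capitalised three-letter Run name that
# launches a three-letter .exe dropped straight into C:\WINDOWS or System32.
RANDOM_RUN = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[A-Z][a-z]{2}\] "
    r"C:\\WINDOWS\\(?:System32\\)?[A-Z][a-z]{2}\.exe$"
)
O2_RE = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (.+)$")
R_RE = re.compile(r"^R[01] - .* = (?:https?://)?([^/\s]+)")


def triage(lines):
    """Return (category, detail) findings for the suspicious entries in a log."""
    findings = []
    load_points = Counter()  # lower-cased file path -> how many places load it

    for line in lines:
        line = line.strip()
        if RANDOM_RUN.match(line):
            findings.append(("random-named Run entry", line))
        elif line.startswith("O15 - Trusted Zone:"):
            # Users almost never add wildcard trusted sites themselves.
            findings.append(("Trusted Zone entry", line))
        elif line.startswith("O16 - DPF:") and "file://" in line.lower():
            findings.append(("DPF object loading a local file", line))
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            findings.append(("service pointing at a missing file", line))

        m = O2_RE.match(line)
        if m:
            name, path = m.groups()
            load_points[path.lower()] += 1
            if name.lower() == path.lower():  # no display name, only the DLL path
                findings.append(("BHO without a display name", line))
        m = O17_RE.match(line)
        if m:
            servers = {s.strip() for s in m.group(1).split(",")}
            if not servers <= EXPECTED_DNS:
                findings.append(("DNS resolver is not the ISP's", line))
        m = O20_RE.match(line)
        if m:
            path = m.group(1)
            load_points[path.lower()] += 1
            if not path.lower().startswith(SYSTEM32):
                findings.append(("Winlogon Notify DLL outside System32", line))
        m = R_RE.match(line)
        if m and m.group(1).lower() in HIJACK_DOMAINS:
            findings.append(("search/start page hijack", line))

    # One file registered through several load points is a strong signal:
    # here adsldpbd.dll is both a BHO (O2) and a Winlogon Notify DLL (O20).
    for path, n in load_points.items():
        if n > 1:
            findings.append(("same file at %d load points" % n, path))
    return findings


def summarize(findings):
    """Count findings per category (what a helper would scan first)."""
    return Counter(category for category, _ in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for category, detail in results:
        print("[%s] %s" % (category, detail))
    print(dict(summarize(results)))
```

Run against the full log, the Run-entry rule alone fires on roughly two hundred lines, which is why the helper has the user tick them in HijackThis rather than delete the files one by one.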

#4 infaddict (Visiting Staff, 734 posts)

Hi AlphaBITS :)

You are infected with several nasty Trojans (including a keylogger) and also infections such as CoolWebSearch and Elite Tool Bar. You may also have a Haxdoor rootkit infection. In addition to this, your internet access is being routed through Kiev, Ukraine.

Don't worry though, together we can fix this - it will take several iterations and I urge you to follow my instructions carefully :)

Firstly though, I see you are running an Anti-Virus product (Norton), which is good. However, it is not clear from your log if this includes a firewall. A firewall is an essential piece of software to prevent unauthorised internet access both to and from your computer. If you have the Norton firewall, please ensure it is turned on. If you do not, then you must install a good free firewall such as ZoneAlarm, which I can highly recommend as I use it personally. Download and install it and then follow the tutorial. If any alerts pop up for programs you do not recognise, deny them access to the internet.

Once you have the firewall installed, please restart your computer before proceeding.

Note that you have a keylogger infection which can record and send keystrokes including passwords and confidential bank information. Once you are clean (or from a clean computer), I strongly recommend you change all your online passwords, especially related to online banking.

Please print these instructions as you will not have access to the internet during parts of the fix. Please also save these instructions to Notepad (and save the file somewhere safe), as I will ask you to copy & paste from it during the fix.

Preparation

1) Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

2) Download LQfix.exe from one of the following locations and save it to your desktop:

http://www.downloads.subratam.org/LQfix.exe
http://miekiemoes.geekstogo.com/tools/LQfix.exe

3) Download HSFix from here

After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

4) Download CleanUp! Install it, but do not run it yet.

5) Right click Here and select Save As to download DelDomains.inf. Please save the file somewhere you can find it like on the desktop.

6) Download the Killbox. Unzip it to the desktop but do NOT run it yet.

The Fix

1) Run LQfix:
  • Double-click LQfix.exe and click Next > Next > Install.
  • Leave the default settings; if you change them, the fix will fail!
  • You need an active Internet connection, so make sure you're not blocking any connection now.
  • Now make sure the "Launch LQfix" box is checked.
  • Click the Finish button; the fix will start after you click it.
  • Follow the on-screen prompts.
  • Your system will reboot afterwards.
  • Please be patient after the reboot, as there is a script running in the background that needs to complete.
2) Run HijackThis and place a check next to the following items:

(Note: if your internet access should not be routed through Kiev (e.g. you do not live in the Ukraine and your ISP is not in the Ukraine), please include the items in red; otherwise leave them out.)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2&b=enc
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adshttp.com/s...L?zone=enternet
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\Bryan\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Jch] C:\WINDOWS\Erk.exe
O4 - HKLM\..\Run: [Mgm] C:\WINDOWS\Hdp.exe
O4 - HKLM\..\Run: [Hhs] C:\WINDOWS\Ftj.exe
O4 - HKLM\..\Run: [Vng] C:\WINDOWS\Sac.exe
O4 - HKLM\..\Run: [Seb] C:\WINDOWS\System32\Alp.exe
O4 - HKLM\..\Run: [Ois] C:\WINDOWS\System32\Asj.exe
O4 - HKLM\..\Run: [Caj] C:\WINDOWS\System32\Dke.exe
O4 - HKLM\..\Run: [Pnb] C:\WINDOWS\Kfk.exe
O4 - HKLM\..\Run: [Ngu] C:\WINDOWS\System32\Ftd.exe
O4 - HKLM\..\Run: [Tck] C:\WINDOWS\System32\Ivo.exe
O4 - HKLM\..\Run: [Ung] C:\WINDOWS\Ern.exe
O4 - HKLM\..\Run: [Sgc] C:\WINDOWS\Vgq.exe
O4 - HKLM\..\Run: [Ses] C:\WINDOWS\System32\Cll.exe
O4 - HKLM\..\Run: [Hlp] C:\WINDOWS\System32\Bto.exe
O4 - HKLM\..\Run: [Qks] C:\WINDOWS\Ptr.exe
O4 - HKLM\..\Run: [Mkd] C:\WINDOWS\System32\Jjq.exe
O4 - HKLM\..\Run: [Nfq] C:\WINDOWS\Bnt.exe
O4 - HKLM\..\Run: [Cvn] C:\WINDOWS\System32\Btp.exe
O4 - HKLM\..\Run: [Fmk] C:\WINDOWS\Vkq.exe
O4 - HKLM\..\Run: [Nks] C:\WINDOWS\Lbu.exe
O4 - HKLM\..\Run: [Edl] C:\WINDOWS\System32\Ftv.exe
O4 - HKLM\..\Run: [Rsa] C:\WINDOWS\System32\Abk.exe
O4 - HKLM\..\Run: [Diq] C:\WINDOWS\Thi.exe
O4 - HKLM\..\Run: [Tmf] C:\WINDOWS\System32\Vge.exe
O4 - HKLM\..\Run: [Bvs] C:\WINDOWS\Lpe.exe
O4 - HKLM\..\Run: [Lem] C:\WINDOWS\Gnk.exe
O4 - HKLM\..\Run: [Jdt] C:\WINDOWS\Ctf.exe
O4 - HKLM\..\Run: [Dkf] C:\WINDOWS\System32\Qqb.exe
O4 - HKLM\..\Run: [Bfd] C:\WINDOWS\System32\Nmf.exe
O4 - HKLM\..\Run: [Otj] C:\WINDOWS\System32\Aog.exe
O4 - HKLM\..\Run: [Eph] C:\WINDOWS\Qio.exe
O4 - HKLM\..\Run: [Rco] C:\WINDOWS\System32\Fbn.exe
O4 - HKLM\..\Run: [Egp] C:\WINDOWS\Mml.exe
O4 - HKLM\..\Run: [Kvl] C:\WINDOWS\System32\Fgo.exe
O4 - HKLM\..\Run: [Ajh] C:\WINDOWS\Bcc.exe
O4 - HKLM\..\Run: [Bra] C:\WINDOWS\System32\Ldi.exe
O4 - HKLM\..\Run: [Tkc] C:\WINDOWS\Lle.exe
O4 - HKLM\..\Run: [Tei] C:\WINDOWS\System32\Bef.exe
O4 - HKLM\..\Run: [Gml] C:\WINDOWS\Egh.exe
O4 - HKLM\..\Run: [Elf] C:\WINDOWS\Rpc.exe
O4 - HKLM\..\Run: [Rla] C:\WINDOWS\Uid.exe
O4 - HKLM\..\Run: [Lqb] C:\WINDOWS\Ejr.exe
O4 - HKLM\..\Run: [Vef] C:\WINDOWS\Qql.exe
O4 - HKLM\..\Run: [Cer] C:\WINDOWS\System32\Cjo.exe
O4 - HKLM\..\Run: [Fdj] C:\WINDOWS\Hlg.exe
O4 - HKLM\..\Run: [Gef] C:\WINDOWS\System32\Laa.exe
O4 - HKLM\..\Run: [Ujg] C:\WINDOWS\Rjt.exe
O4 - HKLM\..\Run: [Til] C:\WINDOWS\Tjm.exe
O4 - HKLM\..\Run: [Drp] C:\WINDOWS\Bbd.exe
O4 - HKLM\..\Run: [Efa] C:\WINDOWS\Pmo.exe
O4 - HKLM\..\Run: [Gjb] C:\WINDOWS\Hrl.exe
O4 - HKLM\..\Run: [Osu] C:\WINDOWS\Euj.exe
O4 - HKLM\..\Run: [Fhs] C:\WINDOWS\System32\Dgi.exe
O4 - HKLM\..\Run: [Ltb] C:\WINDOWS\Omd.exe
O4 - HKLM\..\Run: [Ifn] C:\WINDOWS\Rld.exe
O4 - HKLM\..\Run: [Amd] C:\WINDOWS\System32\Jrq.exe
O4 - HKLM\..\Run: [Jtp] C:\WINDOWS\System32\Mnq.exe
O4 - HKLM\..\Run: [Spa] C:\WINDOWS\System32\Jls.exe
O4 - HKLM\..\Run: [Oos] C:\WINDOWS\System32\Brs.exe
O4 - HKLM\..\Run: [Qtp] C:\WINDOWS\Sca.exe
O4 - HKLM\..\Run: [Ora] C:\WINDOWS\Peq.exe
O4 - HKLM\..\Run: [Hdo] C:\WINDOWS\Ivl.exe
O4 - HKLM\..\Run: [Bfb] C:\WINDOWS\System32\Kba.exe
O4 - HKLM\..\Run: [Eve] C:\WINDOWS\Foe.exe
O4 - HKLM\..\Run: [Fih] C:\WINDOWS\System32\Lgf.exe
O4 - HKLM\..\Run: [Dmi] C:\WINDOWS\System32\Glu.exe
O4 - HKLM\..\Run: [Oht] C:\WINDOWS\System32\Ksj.exe
O4 - HKLM\..\Run: [Qsb] C:\WINDOWS\System32\Tja.exe
O4 - HKLM\..\Run: [Vjk] C:\WINDOWS\Lsi.exe
O4 - HKLM\..\Run: [Pkn] C:\WINDOWS\System32\Mdj.exe
O4 - HKLM\..\Run: [Dnu] C:\WINDOWS\Hvg.exe
O4 - HKLM\..\Run: [Jbf] C:\WINDOWS\System32\Rjh.exe
O4 - HKLM\..\Run: [Gpn] C:\WINDOWS\Mcu.exe
O4 - HKLM\..\Run: [Opu] C:\WINDOWS\Dvs.exe
O4 - HKLM\..\Run: [Nqa] C:\WINDOWS\System32\Gkc.exe
O4 - HKLM\..\Run: [Pov] C:\WINDOWS\Cuu.exe
O4 - HKLM\..\Run: [Kan] C:\WINDOWS\System32\Fsh.exe
O4 - HKLM\..\Run: [Btc] C:\WINDOWS\Vde.exe
O4 - HKLM\..\Run: [Dpv] C:\WINDOWS\System32\Qnl.exe
O4 - HKLM\..\Run: [Bsc] C:\WINDOWS\System32\Hol.exe
O4 - HKLM\..\Run: [Kih] C:\WINDOWS\Kai.exe
O4 - HKLM\..\Run: [Lrv] C:\WINDOWS\Sue.exe
O4 - HKLM\..\Run: [Jdo] C:\WINDOWS\Lth.exe
O4 - HKLM\..\Run: [Ook] C:\WINDOWS\Iav.exe
O4 - HKLM\..\Run: [Fsa] C:\WINDOWS\System32\Fci.exe
O4 - HKLM\..\Run: [Ceo] C:\WINDOWS\Pds.exe
O4 - HKLM\..\Run: [Vvo] C:\WINDOWS\System32\Smh.exe
O4 - HKLM\..\Run: [Mkh] C:\WINDOWS\System32\Vqg.exe
O4 - HKLM\..\Run: [Djd] C:\WINDOWS\Qkl.exe
O4 - HKLM\..\Run: [Pja] C:\WINDOWS\System32\Mlq.exe
O4 - HKLM\..\Run: [Sut] C:\WINDOWS\System32\Eob.exe
O4 - HKLM\..\Run: [Lfr] C:\WINDOWS\System32\Pbd.exe
O4 - HKLM\..\Run: [Fjc] C:\WINDOWS\Kkv.exe
O4 - HKLM\..\Run: [Bsd] C:\WINDOWS\System32\Cds.exe
O4 - HKLM\..\Run: [Tjn] C:\WINDOWS\Nif.exe
O4 - HKLM\..\Run: [Qst] C:\WINDOWS\Bie.exe
O4 - HKLM\..\Run: [Dcg] C:\WINDOWS\System32\Unf.exe
O4 - HKLM\..\Run: [Lpd] C:\WINDOWS\System32\Qro.exe
O4 - HKLM\..\Run: [Quo] C:\WINDOWS\System32\Uqk.exe
O4 - HKLM\..\Run: [Itc] C:\WINDOWS\Ito.exe
O4 - HKLM\..\Run: [Ivp] C:\WINDOWS\Ilf.exe
O4 - HKLM\..\Run: [Iru] C:\WINDOWS\System32\Gte.exe
O4 - HKLM\..\Run: [Jpf] C:\WINDOWS\System32\Mnk.exe
O4 - HKLM\..\Run: [Moe] C:\WINDOWS\Bls.exe
O4 - HKLM\..\Run: [Ecm] C:\WINDOWS\System32\Mot.exe
O4 - HKLM\..\Run: [Nfj] C:\WINDOWS\System32\Jbg.exe
O4 - HKLM\..\Run: [Ssk] C:\WINDOWS\Bpu.exe
O4 - HKLM\..\Run: [Csn] C:\WINDOWS\System32\Pva.exe
O4 - HKLM\..\Run: [Jlf] C:\WINDOWS\System32\Tve.exe
O4 - HKLM\..\Run: [Ojj] C:\WINDOWS\Nrq.exe
O4 - HKLM\..\Run: [Vka] C:\WINDOWS\Lgn.exe
O4 - HKLM\..\Run: [Hhc] C:\WINDOWS\Rsv.exe
O4 - HKLM\..\Run: [Nbh] C:\WINDOWS\Aqu.exe
O4 - HKLM\..\Run: [Hde] C:\WINDOWS\Dur.exe
O4 - HKLM\..\Run: [Pft] C:\WINDOWS\Bfc.exe
O4 - HKLM\..\Run: [Hfp] C:\WINDOWS\Cbr.exe
O4 - HKLM\..\Run: [Vrt] C:\WINDOWS\System32\Lec.exe
O4 - HKLM\..\Run: [Hps] C:\WINDOWS\Tgv.exe
O4 - HKLM\..\Run: [Ofi] C:\WINDOWS\Fdg.exe
O4 - HKLM\..\Run: [Bop] C:\WINDOWS\System32\Hpg.exe
O4 - HKLM\..\Run: [Mqk] C:\WINDOWS\System32\Jus.exe
O4 - HKLM\..\Run: [Cpm] C:\WINDOWS\Ene.exe
O4 - HKLM\..\Run: [Krr] C:\WINDOWS\System32\Lbs.exe
O4 - HKLM\..\Run: [Fau] C:\WINDOWS\System32\Mem.exe
O4 - HKLM\..\Run: [Epp] C:\WINDOWS\She.exe
O4 - HKLM\..\Run: [Fgf] C:\WINDOWS\Sus.exe
O4 - HKLM\..\Run: [Npm] C:\WINDOWS\System32\Rtm.exe
O4 - HKLM\..\Run: [Pev] C:\WINDOWS\Tqh.exe
O4 - HKLM\..\Run: [Rme] C:\WINDOWS\System32\Obj.exe
O4 - HKLM\..\Run: [Iue] C:\WINDOWS\System32\Glq.exe
O4 - HKLM\..\Run: [Epg] C:\WINDOWS\System32\Cab.exe
O4 - HKLM\..\Run: [Aai] C:\WINDOWS\Jre.exe
O4 - HKLM\..\Run: [Msg] C:\WINDOWS\Ahq.exe
O4 - HKLM\..\Run: [Nfn] C:\WINDOWS\System32\Ivj.exe
O4 - HKLM\..\Run: [Tro] C:\WINDOWS\System32\Psb.exe
O4 - HKLM\..\Run: [Mjr] C:\WINDOWS\Fvb.exe
O4 - HKLM\..\Run: [Ark] C:\WINDOWS\Cjn.exe
O4 - HKLM\..\Run: [Rqj] C:\WINDOWS\Pih.exe
O4 - HKLM\..\Run: [Qtd] C:\WINDOWS\System32\Nkj.exe
O4 - HKLM\..\Run: [Pqj] C:\WINDOWS\Khn.exe
O4 - HKLM\..\Run: [Lll] C:\WINDOWS\Ugn.exe
O4 - HKLM\..\Run: [Ato] C:\WINDOWS\Cbv.exe
O4 - HKLM\..\Run: [Toa] C:\WINDOWS\Chi.exe
O4 - HKLM\..\Run: [Kdg] C:\WINDOWS\Cte.exe
O4 - HKLM\..\Run: [Fdi] C:\WINDOWS\Vbl.exe
O4 - HKLM\..\Run: [Vug] C:\WINDOWS\System32\Jhi.exe
O4 - HKLM\..\Run: [Hpa] C:\WINDOWS\Tcj.exe
O4 - HKLM\..\Run: [Dvr] C:\WINDOWS\Hef.exe
O4 - HKLM\..\Run: [Ntr] C:\WINDOWS\Opf.exe
O4 - HKLM\..\Run: [Tom] C:\WINDOWS\System32\Vai.exe
O4 - HKLM\..\Run: [Dka] C:\WINDOWS\Ttk.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Odb] C:\WINDOWS\System32\Ivr.exe
O4 - HKLM\..\Run: [Sgp] C:\WINDOWS\System32\Hpu.exe
O4 - HKLM\..\Run: [Ibl] C:\WINDOWS\System32\Mrt.exe
O4 - HKLM\..\Run: [Fqg] C:\WINDOWS\Bal.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Jlv] C:\WINDOWS\Mfd.exe
O4 - HKLM\..\Run: [Phf] C:\WINDOWS\Bkj.exe
O4 - HKLM\..\Run: [Nuv] C:\WINDOWS\Der.exe
O4 - HKLM\..\Run: [Mpj] C:\WINDOWS\Vla.exe
O4 - HKLM\..\Run: [Cfh] C:\WINDOWS\Ijj.exe
O4 - HKLM\..\Run: [Uth] C:\WINDOWS\System32\Aiq.exe
O4 - HKLM\..\Run: [Ome] C:\WINDOWS\System32\Dbn.exe
O4 - HKLM\..\Run: [Rts] C:\WINDOWS\System32\Tlv.exe
O4 - HKLM\..\Run: [Cgv] C:\WINDOWS\Nuf.exe
O4 - HKLM\..\Run: [Gvb] C:\WINDOWS\System32\Hsn.exe
O4 - HKLM\..\Run: [Cso] C:\WINDOWS\System32\Usp.exe
O4 - HKLM\..\Run: [Qba] C:\WINDOWS\Fal.exe
O4 - HKLM\..\Run: [Qmr] C:\WINDOWS\System32\Qdn.exe
O4 - HKLM\..\Run: [Kpr] C:\WINDOWS\System32\Sbs.exe
O4 - HKLM\..\Run: [Rjn] C:\WINDOWS\Uam.exe
O4 - HKLM\..\Run: [Kdn] C:\WINDOWS\Nlc.exe
O4 - HKLM\..\Run: [Qou] C:\WINDOWS\Lmq.exe
O4 - HKLM\..\Run: [Cun] C:\WINDOWS\Ckl.exe
O4 - HKLM\..\Run: [Knn] C:\WINDOWS\Kvs.exe
O4 - HKLM\..\Run: [Gfp] C:\WINDOWS\Vsn.exe
O4 - HKLM\..\Run: [Rfm] C:\WINDOWS\Ttl.exe
O4 - HKLM\..\Run: [Ina] C:\WINDOWS\Psm.exe
O4 - HKLM\..\Run: [Aep] C:\WINDOWS\Hda.exe
O4 - HKLM\..\Run: [Kma] C:\WINDOWS\System32\Lve.exe
O4 - HKLM\..\Run: [Kqo] C:\WINDOWS\Ggq.exe
O4 - HKLM\..\Run: [Dev] C:\WINDOWS\System32\Dsu.exe
O4 - HKLM\..\Run: [Dlr] C:\WINDOWS\Irn.exe
O4 - HKLM\..\Run: [Tee] C:\WINDOWS\System32\Bku.exe
O4 - HKLM\..\Run: [Aql] C:\WINDOWS\Rrt.exe
O4 - HKLM\..\Run: [Ulb] C:\WINDOWS\System32\Tjh.exe
O4 - HKLM\..\Run: [Hmb] C:\WINDOWS\System32\Bdm.exe
O4 - HKLM\..\Run: [Snd] C:\WINDOWS\Fsb.exe
O4 - HKLM\..\Run: [Mnp] C:\WINDOWS\Tss.exe
O4 - HKLM\..\Run: [Qjf] C:\WINDOWS\System32\Efe.exe
O4 - HKLM\..\Run: [Cct] C:\WINDOWS\System32\Hmq.exe
O4 - HKLM\..\Run: [Clq] C:\WINDOWS\Tpa.exe
O4 - HKLM\..\Run: [Lnj] C:\WINDOWS\Mnd.exe
O4 - HKLM\..\Run: [Nae] C:\WINDOWS\System32\Obn.exe
O4 - HKLM\..\Run: [Iij] C:\WINDOWS\Gjp.exe
O4 - HKLM\..\Run: [Rlr] C:\WINDOWS\System32\Fna.exe
O4 - HKLM\..\Run: [Aqk] C:\WINDOWS\Naf.exe
O4 - HKLM\..\Run: [Jko] C:\WINDOWS\Kpq.exe
O4 - HKLM\..\Run: [Lir] C:\WINDOWS\System32\Elc.exe
O4 - HKLM\..\Run: [Ftg] C:\WINDOWS\Bsl.exe
O4 - HKLM\..\Run: [Hlo] C:\WINDOWS\Tll.exe
O4 - HKLM\..\Run: [Ijf] C:\WINDOWS\System32\Fgl.exe
O4 - HKLM\..\Run: [Kbp] C:\WINDOWS\Gfj.exe
O4 - HKLM\..\Run: [Avj] C:\WINDOWS\Smh.exe
O4 - HKLM\..\Run: [Icn] C:\WINDOWS\Jbb.exe
O4 - HKLM\..\Run: [Skh] C:\WINDOWS\System32\Tjr.exe
O4 - HKLM\..\Run: [Gel] C:\WINDOWS\Pqj.exe
O4 - HKLM\..\Run: [Mfn] C:\WINDOWS\Lsr.exe
O4 - HKLM\..\Run: [Lqu] C:\WINDOWS\System32\Vuu.exe
O4 - HKLM\..\Run: [Qru] C:\WINDOWS\Sqr.exe
O4 - HKLM\..\Run: [Jqj] C:\WINDOWS\System32\Jts.exe
O4 - HKLM\..\Run: [Bus] C:\WINDOWS\System32\Dbf.exe
O4 - HKLM\..\Run: [Sbg] C:\WINDOWS\Riu.exe
O4 - HKLM\..\Run: [Vcd] C:\WINDOWS\Fid.exe
O4 - HKLM\..\Run: [Thm] C:\WINDOWS\Fim.exe
O4 - HKLM\..\Run: [Shr] C:\WINDOWS\System32\Dgq.exe
O4 - HKLM\..\Run: [Sre] C:\WINDOWS\Deh.exe
O4 - HKLM\..\Run: [Fkj] C:\WINDOWS\Rdp.exe
O4 - HKLM\..\Run: [Ihk] C:\WINDOWS\System32\Qem.exe
O4 - HKLM\..\Run: [Bpg] C:\WINDOWS\Ucn.exe
O4 - HKLM\..\Run: [Gja] C:\WINDOWS\System32\Nmm.exe
O4 - HKLM\..\Run: [Hqq] C:\WINDOWS\Gqv.exe
O4 - HKLM\..\Run: [Ufq] C:\WINDOWS\System32\Esb.exe
O4 - HKLM\..\Run: [Hkm] C:\WINDOWS\System32\Sva.exe
O4 - HKLM\..\Run: [Cbs] C:\WINDOWS\Ucl.exe
O4 - HKLM\..\Run: [Eho] C:\WINDOWS\System32\Jfr.exe
O4 - HKLM\..\Run: [Bji] C:\WINDOWS\System32\Nko.exe
O4 - HKLM\..\Run: [Jvq] C:\WINDOWS\Uor.exe
O4 - HKLM\..\Run: [Nkf] C:\WINDOWS\System32\Hdr.exe
O4 - HKLM\..\Run: [Ufb] C:\WINDOWS\System32\Nop.exe
O4 - HKLM\..\Run: [Lpm] C:\WINDOWS\Mqq.exe
O4 - HKLM\..\Run: [Frc] C:\WINDOWS\Bas.exe
O4 - HKLM\..\Run: [Iva] C:\WINDOWS\Mik.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKCU\..\Run: [Frc] C:\WINDOWS\Bas.exe
O4 - HKCU\..\Run: [Iva] C:\WINDOWS\Mik.exe
O4 - Global Startup: start.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\windows\system32\cm.exe
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...erInstall_2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0FCE2FB-4CB0-4B65-BCDF-40D4EC314841}: NameServer = 85.255.115.69,85.255.112.12
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\q167078.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


3) Go to your desktop and right-click on the deldomains.inf file and select Install

4) Reboot into Safe Mode :

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

5) Run CWShredder. Click I Agree, then Fix, then Next, and let it fix everything it asks about.

6) Run HSFix :
  • Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
  • A log will be produced which you can close out of.
7) Run the Killbox :
  • Select "Delete on Reboot".
  • Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\adsldpbd.dll
    C:\DOCUME~1\Bryan\LOCALS~1\Temp\keep.exe
    C:\WINDOWS\q167078.dll
    C:\WINDOWS\svcproc.exe
    C:\windows\system32\cm.exe
    C:\WINDOWS\SYSTEM32\drct16.dll
    C:\WINDOWS\System32\msblank.html
    C:\WINDOWS\System32\popcorn72.exe
    C:\WINDOWS\System32\winldra.exe
  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard". It is vital that you see the first file (C:\WINDOWS\adsldpbd.dll) appear in the white text box. If this doesn't happen, you will have to copy and paste each file, one by one, into the text box and proceed with clicking the delete button as described below, repeating for each and every file on the list (ignoring ones where KillBox says the file does not exist).
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Delete on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

8) Using Windows Explorer or My Computer please delete the following folders :

C:\WINDOWS\etb\


9) Search for the following files using Start -> Search, all files and folders. Ensure you are searching for hidden and system files and also searching subfolders (all within Advanced Options). When found, delete the file:

start.exe

10) Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.

11) Restart your computer in Normal Mode

12) Run at least one of the following free, online virus scans. Note the scans may prompt to download and install an ActiveX control - this is ok, please allow it :

TrendMicro HouseCall
Panda ActiveScan
CA Scan

13) Restart your computer one last time

14) Please post back with the following information :
  • Fresh HijackThis log taken after following all of the above instructions
  • The hsfix log located at C:\hslog.txt
  • The results/log of the online virus scan(s)
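As an added example for this thread (it is not HijackThis, Killbox, or any tool the instructions above name), the following Python script encodes the judgements the removal steps apply by hand to the O-lines posted above: three-letter random-named autoruns under %WINDIR%, Run values whose name and executable disagree, a Global Startup item given only by filename, a Trusted Zone entry for coolwebsearch.com, an O16 Downloaded Program File that points at a local executable, O17 NameServer values pointing at resolvers the customer never configured, Winlogon Notify DLLs outside System32, and a service whose binary is gone. It then turns the flagged paths into the list that step 7 pastes into Killbox, and shows the PendingFileRenameOperations pairs that Windows records when a program asks for a file to be deleted at the next boot. The sample lines are copied from the log above; EXPECTED_DNS (a documentation address) and TRUSTED_ALLOW are placeholder assumptions standing in for the DSL provider's resolvers and any Trusted Zone entries you intend to keep.

```python
"""Triage of HijackThis O-lines (added example; not HijackThis, Killbox or any
tool from this thread). SAMPLE_LOG is copied from the log above; EXPECTED_DNS
and TRUSTED_ALLOW are placeholder assumptions."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "reason path line")

# Subset of the posted log, paths exactly as HijackThis printed them.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Fau] C:\WINDOWS\System32\Mem.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKCU\..\Run: [Frc] C:\WINDOWS\Bas.exe
O4 - Global Startup: start.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\windows\system32\cm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0FCE2FB-4CB0-4B65-BCDF-40D4EC314841}: NameServer = 85.255.115.69,85.255.112.12
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\q167078.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""
EXPECTED_DNS = {"192.0.2.53"}        # assumption: the DSL provider's resolver
TRUSTED_ALLOW = {"musicmatch.com"}   # assumption: Trusted Zone entries to keep

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (.*)$")
O15 = re.compile(r"^O15 - Trusted Zone: (\S+)")
O16 = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) - (\S+)")
O17 = re.compile(r"NameServer = ([\d.,]+)")
O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O23 = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
RANDOM3 = re.compile(r"^[A-Z][a-z]{2}$")   # the 'Fau', 'Mem' names that fill the log


def first_exe(cmd):
    """Executable part of a Run value; HijackThis prints the path unquoted."""
    m = re.match(r"(.+?\.exe)", cmd, re.I)
    return m[1] if m else cmd


def parse(log):
    """Reduce each recognised O-line to (kind, fields, original line)."""
    entries = []
    for line in (raw.strip() for raw in log.splitlines()):
        if m := O4_RUN.match(line):
            entries.append(("run", {"name": m[2], "exe": first_exe(m[3])}, line))
        elif m := O4_STARTUP.match(line):
            entries.append(("startup", {"exe": m[1]}, line))
        elif m := O15.match(line):
            entries.append(("trusted", {"domain": m[1].lstrip("*.")}, line))
        elif m := O16.match(line):
            entries.append(("dpf", {"url": m[2]}, line))
        elif m := O17.search(line):
            entries.append(("dns", {"servers": m[1].split(",")}, line))
        elif m := O20.match(line):
            entries.append(("notify", {"dll": m[2]}, line))
        elif m := O23.match(line):
            entries.append(("service", {"path": m[3]}, line))
    return entries


def triage(entries, expected_dns=EXPECTED_DNS, trusted_allow=TRUSTED_ALLOW):
    """One heuristic per entry kind; each Finding carries the file to delete, or ''."""
    out = []
    for kind, f, line in entries:
        if kind == "run":
            exe, name = f["exe"], f["name"]
            stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if exe.lower().startswith("c:\\windows\\") and RANDOM3.match(name) and RANDOM3.match(stem):
                out.append(Finding("random three-letter autorun under %WINDIR%", exe, line))
            elif name.lower() not in stem.lower() and stem.lower() not in name.lower():
                out.append(Finding("Run value name does not match its executable", exe, line))
        elif kind == "startup" and "\\" not in f["exe"]:
            out.append(Finding("Global Startup item listed by bare filename; locate it first", f["exe"], line))
        elif kind == "trusted" and f["domain"] not in trusted_allow:
            out.append(Finding("Trusted Zone entry not on the allow-list", "", line))
        elif kind == "dpf" and f["url"].lower().startswith("file:"):
            out.append(Finding("Downloaded Program File points at a local executable", f["url"][len("file://"):], line))
        elif kind == "dns":
            bad = [s for s in f["servers"] if s not in expected_dns]
            if bad:
                out.append(Finding("NameServer set to unexpected resolver(s): " + ", ".join(bad), "", line))
        elif kind == "notify" and not f["dll"].lower().startswith("c:\\windows\\system32\\"):
            out.append(Finding("Winlogon Notify DLL outside System32", f["dll"], line))
        elif kind == "service" and "(file missing)" in f["path"]:
            out.append(Finding("Service registered for a binary that is gone", f["path"].replace(" (file missing)", ""), line))
    return out


def killbox_paths(findings):
    """Unique full paths from the findings, in log order, as step 7 pastes them."""
    paths = []
    for f in findings:
        if "\\" in f.path and f.path not in paths:
            paths.append(f.path)
    return paths


def pending_rename_value(paths):
    r"""What Windows records for a delete-at-next-boot request: the REG_MULTI_SZ
    PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager,
    as source/destination pairs where an empty destination means delete."""
    value = []
    for p in paths:
        value += ["\\??\\" + p, ""]
    return value


if __name__ == "__main__":
    found = triage(parse(SAMPLE_LOG))
    for f in found:
        print(f"{f.reason:60} {f.line}")
    print("\nPaste into Killbox:\n" + "\n".join(killbox_paths(found)))
```

Run it as a script to print the findings and the paste list. The name/executable mismatch rule is deliberately loose and will also catch legitimate updaters whose Run name differs from the binary, so treat its output as a review queue rather than a delete list; the random-name rule and the O15/O17/O20/O23 rules are the ones that line up with what the instructions above remove. The `start.exe` Global Startup entry is reported but kept out of the Killbox list because, as step 9 says, it has to be located by searching first.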

#5
AlphaBITS (Topic Starter, New Member, 4 posts)

Amazing! Thanks for your efforts. I have printed out this thread and will follow the instructions.

Re: firewalls, the customer had Norton Internet Security loaded on this machine, but I have removed it in an attempt to eliminate some of the problems. They are running DSL directly connected to their machine, no router.

In my own office, I use a router with a built-in firewall. I have no problems here other than some annoying spam email.

I will reply again when I've spent some time on this...

THANK YOU.

Paul

#6
infaddict (Visiting Staff, 734 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.