Evil evil problems on my computer


This topic is locked.

#1 Wazootyman (New Member, 6 posts)
Heyo, I'm having a world of problems with my Windows XP computer. A couple of months ago, IE became unusable, because I'd get a crazy amount of pop-ups. Finally I stopped using IE in favor of Firefox. That helped some of my problems, but new problems are cropping up.

Occasionally IE will launch itself in order to hit me with a pop-up. When that pop-up occurs, it causes about 10 other pop-ups to come as well, and I have to ctrl-alt-del out of it.

Another problem that's been annoying me recently is that occasionally a dialogue message saying "Server Busy........" will pop up with two options, "Switch to" and "Retry". If I press "Switch to", it opens up the start menu, but the error message stays on the screen. If I press "Retry", the error message stays on the screen. If I try moving the message out of sight, it will pop up again in the middle of the screen.

AND THEN on top of that, shut down is incredibly slow. When I try restarting via the start button, it will say it needs to close out of programs that aren't open. One of the ones that sticks out to me is "Webrebates0.exe" which needs to be closed... I'm guessing that's spyware. Another one I'm curious about is ecru.exe, which seems to be spyware as well.

I've tried running Adaware, other spyware removers, anti-virus programs and nothing has really worked.

Finally, here's my Hijackthis Log.

Logfile of HijackThis v1.99.0
Scan saved at 7:25:35 PM, on 2/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\documents and settings\kevman\local settings\temp\iz.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\documents and settings\kevman\local settings\temp\DK2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\windows\system32\saie.exe
C:\documents and settings\kevman\local settings\temp\y.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\tiguoqc.exe
C:\WINDOWS\Xhrmy.exe
C:\windows\system32\Ecru.exe
C:\windows\system32\21DKnOqS.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\documents and settings\kevman\local settings\temp\j.exe
C:\documents and settings\kevman\local settings\temp\OzGUL.exe
C:\documents and settings\kevman\local settings\temp\ri.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\sisalsec.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\serpx32r.exe
C:\WINDOWS\System32\w?crtupd.exe
C:\Documents and Settings\Kevman\Application Data\eetu.exe
C:\WINDOWS\SYSTEM32\Ecru.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\DOCUMENTS AND SETTINGS\KEVMAN\MY DOCUMENTS\My Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {B73C3455-A3BF-F01F-E06D-8C7AE5C20DB0} - C:\WINDOWS\System32\yos.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Middadle\Clicks10017.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: SDWin32 Class - {FE0E60B4-4D13-46CD-B7A3-13C9DF9262CC} - C:\WINDOWS\System32\omccv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iz.exe] C:\documents and settings\kevman\local settings\temp\iz.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [DK2.exe] C:\documents and settings\kevman\local settings\temp\DK2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HwKk.exe] C:\documents and settings\kevman\local settings\temp\HwKk.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [omccvc] C:\WINDOWS\System32\omccvc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [y.exe] C:\documents and settings\kevman\local settings\temp\y.exe
O4 - HKLM\..\Run: [zMeDu741.exe] C:\documents and settings\kevman\local settings\temp\zMeDu741.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [5N.exe] C:\documents and settings\kevman\local settings\temp\5N.exe
O4 - HKLM\..\Run: [dlM28FL] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [Ecru.exe] c:\windows\system32\Ecru.exe
O4 - HKLM\..\Run: [21DKnOqS.exe] C:\windows\system32\21DKnOqS.exe
O4 - HKLM\..\Run: [j.exe] C:\documents and settings\kevman\local settings\temp\j.exe
O4 - HKLM\..\Run: [OzGUL.exe] C:\documents and settings\kevman\local settings\temp\OzGUL.exe
O4 - HKLM\..\Run: [ri.exe] C:\documents and settings\kevman\local settings\temp\ri.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dlM28@]"C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [dlM28]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [u04C
}z[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [u0@]"iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [oFEU38X] sisalsec.exe
O4 - HKLM\..\Run: [pon] C:\WINDOWS\pon.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [atl] C:\WINDOWS\System32\atl.exe
O4 - HKCU\..\Run: [Zox8RUb9Q] serpx32r.exe
O4 - HKCU\..\Run: [Xjxsupn] C:\WINDOWS\System32\w?crtupd.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Kevman\Application Data\eetu.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093741012771
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldw...jo/wordmojo.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MD Simple Burner Service - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe


#2 Guest_thatman_* (Guest)
Hi Wazootyman

You do have a lot of malware.

I am looking at your HJT log now; will post in the next 20 mins.

Kc :tazz:

#3 Guest_thatman_* (Guest)
Hi Wazootyman

Please set your system to show all files; see here for how to do this if you're unsure.

The following are mandatory fixes:
Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\documents and settings\kevman\local settings\temp\iz.exe
C:\documents and settings\kevman\local settings\temp\DK2.exe
C:\windows\system32\saie.exe
C:\documents and settings\kevman\local settings\temp\y.exe
C:\WINDOWS\tiguoqc.exe
C:\WINDOWS\Xhrmy.exe
C:\windows\system32\Ecru.exe
C:\windows\system32\21DKnOqS.exe
C:\documents and settings\kevman\local settings\temp\j.exe
C:\documents and settings\kevman\local settings\temp\OzGUL.exe
C:\documents and settings\kevman\local settings\temp\ri.exe
C:\Documents and Settings\Kevman\Application Data\eetu.exe
C:\Program Files\eb_Rebates\WebRebates1.exe
C:\WINDOWS\System32\winupdt.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\CxtPls\cxtpls.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
C:\WINDOWS\System32\yos.dll
C:\Program Files\SEP\sep.dll
C:\Program Files\Middadle\Clicks10017.dll
C:\WINDOWS\System32\msbe.dll
C:\WINDOWS\System32\omccv.dll
C:\PROGRA~1\YOURSI~1\ysb.dll
C:\WINDOWS\System32\IEHost.exe
C:\documents and settings\kevman\local settings\temp\HwKk.exe
C:\WINDOWS\System32\winupdtl.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\documents and settings\kevman\local settings\temp\5N.exe
sisalsec.exe
C:\WINDOWS\pon.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\atl.exe
serpx32r.exe
C:\WINDOWS\zeta.exe


Exit the Task Manager when finished.

Please use Add/Remove Programs and uninstall the following:

C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\CxtPls\cxtpls.dll
C:\Program Files\SEP\sep.dll
C:\Program Files\Middadle\Clicks10017.dll
C:\PROGRA~1\YOURSI~1\ysb.dll
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q


Close all programs down, leaving only HijackThis running.
Place a check against the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: (no name) - {B73C3455-A3BF-F01F-E06D-8C7AE5C20DB0} - C:\WINDOWS\System32\yos.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Middadle\Clicks10017.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: SDWin32 Class - {FE0E60B4-4D13-46CD-B7A3-13C9DF9262CC} - C:\WINDOWS\System32\omccv.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [HwKk.exe] C:\documents and settings\kevman\local settings\temp\HwKk.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [y.exe] C:\documents and settings\kevman\local settings\temp\y.exe
O4 - HKLM\..\Run: [5N.exe] C:\documents and settings\kevman\local settings\temp\5N.exe
O4 - HKLM\..\Run: [dlM28FL] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [Ecru.exe] c:\windows\system32\Ecru.exe
O4 - HKLM\..\Run: [21DKnOqS.exe] C:\windows\system32\21DKnOqS.exe
O4 - HKLM\..\Run: [j.exe] C:\documents and settings\kevman\local settings\temp\j.exe
O4 - HKLM\..\Run: [OzGUL.exe] C:\documents and settings\kevman\local settings\temp\OzGUL.exe
O4 - HKLM\..\Run: [ri.exe] C:\documents and settings\kevman\local settings\temp\ri.exe
O4 - HKLM\..\Run: [dlM28@]"C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [dlM28]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [u04C
O4 - HKLM\..\Run: [oFEU38X] sisalsec.exe
O4 - HKLM\..\Run: [pon] C:\WINDOWS\pon.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [atl] C:\WINDOWS\System32\atl.exe
O4 - HKCU\..\Run: [Zox8RUb9Q] serpx32r.exe
O4 - HKCU\..\Run: [Xjxsupn] C:\WINDOWS\System32\w?crtupd.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Kevman\Application Data\eetu.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe<--Delete the full folder
C:\documents and settings\kevman\local settings\temp\iz.exe<--Delete this file
C:\documents and settings\kevman\local settings\temp\DK2.exe<--Delete this file
C:\windows\system32\saie.exe<--Delete this file
C:\documents and settings\kevman\local settings\temp\y.exe<--Delete this file
C:\WINDOWS\tiguoqc.exe<--Delete this file
C:\WINDOWS\Xhrmy.exe<--Delete this file
C:\windows\system32\Ecru.exe<--Delete this file
C:\windows\system32\21DKnOqS.exe<--Delete this file
C:\documents and settings\kevman\local settings\temp\j.exe<--Delete this file
C:\documents and settings\kevman\local settings\temp\OzGUL.exe<--Delete this file
C:\documents and settings\kevman\local settings\temp\ri.exe<--Delete this file
C:\Documents and Settings\Kevman\Application Data\eetu.exe<--Delete this file
C:\Program Files\eb_Rebates\WebRebates1.exe<--Delete the full folder
C:\WINDOWS\System32\winupdt.exe<--Delete this file
C:\Program Files\BullsEye Network\bin\bargains.exe<--Delete the full folder
C:\Program Files\Web_Rebates\WebRebates0.exe<--Delete the full folder
C:\Program Files\CxtPls\cxtpls.dll<--Delete the full folder
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
C:\WINDOWS\System32\yos.dll<--Delete this file
C:\Program Files\SEP\sep.dll<--Delete this file
C:\Program Files\Middadle\Clicks10017.dll<--Delete the full folder
C:\WINDOWS\System32\msbe.dll<--Delete this file
C:\WINDOWS\System32\omccv.dll<--Delete this file
C:\PROGRA~1\YOURSI~1\ysb.dll<--Delete the full folder
C:\WINDOWS\System32\IEHost.exe<--Delete this file
C:\documents and settings\kevman\local settings\temp\HwKk.exe
C:\WINDOWS\System32\winupdtl.exe<--Delete this file
C:\PROGRA~1\VBouncer\VirtualBouncer.exe<--Delete the full folder
C:\documents and settings\kevman\local settings\temp\5N.exe<--Delete this file
C:\Program Files\ClockSync\Sync.exe /q<--Delete the full folder
sisalsec.exe<--Delete this file
C:\WINDOWS\pon.exe<--Delete this file
C:\Program Files\ISTsvc\istsvc.exe<--Delete the full folder
C:\WINDOWS\System32\atl.exe<--Delete this file
serpx32r.exe<--Delete this file
C:\WINDOWS\zeta.exe<--Delete this file
C:\Program Files\BullsEye Network\bin\bargains.exe<--Delete the full folder

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we'll take another look.

Kc :tazz:
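
As an added example (not part of this thread and not HijackThis's own code), here is a small Python triage script for the v1.99 log format used above. It reads the "Running processes:" block and the O4 Run entries and flags the same traits thatman acted on in post #3: executables launched from the user's temp folder, autostarts given as a bare filename, paths containing characters Windows does not allow (the w?crtupd.exe entry), and Run value names that contain control, quote or bracket characters (the mangled [dlM28@]"C:\... and [u04C lines). The sample lines are copied from the first log in this thread; the control-character line is constructed to mimic the [u04C entry.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not HijackThis code)."""
import re

# Constructed sample: lines copied from the first log in this thread, plus one
# Run value whose name carries a control character (\x04), mimicking the
# "[u04C" entry that HijackThis printed across two lines in the log above.
SAMPLE_LINES = [
    r"Logfile of HijackThis v1.99.0",
    r"Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\documents and settings\kevman\local settings\temp\iz.exe",
    r"c:\PROGRA~1\mcafee.com\vso\mcshield.exe",
    r"",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [iz.exe] C:\documents and settings\kevman\local settings\temp\iz.exe",
    r'O4 - HKLM\..\Run: [dlM28@]"C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe',
    "O4 - HKLM\\..\\Run: [u0\x04C}z[8C:\\Program Files\\ISTsvc\\istsvc.exe] C:\\WINDOWS\\tiguoqc.exe",
    r"O4 - HKLM\..\Run: [oFEU38X] sisalsec.exe",
    r"O4 - HKCU\..\Run: [Xjxsupn] C:\WINDOWS\System32\w?crtupd.exe",
]

# O4 line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
# Executable part of a command; the lookahead keeps "mcafee.com\vso" from
# being cut off at ".com".
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|com|bat|cmd))(?=$|["\s])', re.IGNORECASE)
TEMP_DIRS = ("\\temp\\", "\\tmp\\")


def exe_path(command):
    """Executable part of a Run value: leading quote and trailing arguments dropped."""
    m = EXE_RE.match(command)
    return m.group(1) if m else command.strip('"')


def path_findings(path):
    """Traits of a launched executable that warrant a closer look."""
    low = path.lower()
    found = []
    if "\\" not in path:
        found.append("bare filename, resolved through the search path at logon")
    if any(t in low for t in TEMP_DIRS):
        found.append("launched from a temp folder")
    if re.search(r'[?*<>|"]', path):
        found.append("character not valid in a Windows path")
    return found


def run_findings(name, command):
    """Findings for one O4 Run entry: path traits plus signs of a mangled value."""
    found = path_findings(exe_path(command))
    if re.search(r'[\x00-\x1f"\[\]]', name):
        found.append("Run value name contains control, quote or bracket characters")
    if command.count('"') % 2:
        found.append("unbalanced quotes in command")
    return found


def triage(lines):
    """Return [(line, reasons)] for every process or O4 entry that raised a finding."""
    results = []
    in_procs = False
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("Running processes:"):
            in_procs = True          # one full path per line follows
            continue
        if not line.strip():
            in_procs = False         # a blank line ends the process block
            continue
        m = O4_RE.match(line)
        if m:
            _hive, name, command = m.groups()
            reasons = run_findings(name, command)
        elif in_procs:
            reasons = path_findings(line)
        else:
            continue                 # R0/R1/O2/O16/... lines are out of scope here
        if reasons:
            results.append((line, reasons))
    return results


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES):
        print(repr(line))
        for r in reasons:
            print("   ->", r)
```

On the sample above the script flags six entries and leaves smss.exe, mcshield.exe and the QuickTime autostart alone; the same checks apply unchanged to a full log fed in line by line.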

#4 Wazootyman (Topic Starter, New Member, 6 posts)
Well, that was a fun excursion... I couldn't delete ecru from the add/remove list... so I might still be stuck.

Here's the new log

Logfile of HijackThis v1.99.0
Scan saved at 11:07:24 AM, on 2/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\bcmwltry.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\i42v80a.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Kevman\My Documents\My Downloads\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iz.exe] C:\documents and settings\kevman\local settings\temp\iz.exe
O4 - HKLM\..\Run: [DK2.exe] C:\documents and settings\kevman\local settings\temp\DK2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [omccvc] C:\WINDOWS\System32\omccvc.exe
O4 - HKLM\..\Run: [zMeDu741.exe] C:\documents and settings\kevman\local settings\temp\zMeDu741.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dlM28@]"C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [dlM28]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [u0@]"iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [pon] C:\WINDOWS\pon.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [oFEU38X] i42v80a.exe
O4 - HKLM\..\Run: [Ecru.exe] C:\WINDOWS\SYSTEM32\Ecru.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093741012771
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldw...jo/wordmojo.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MD Simple Burner Service - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (file missing)

#5 Guest_thatman_* (Guest)
Hi Wazootyman

Please set your system to show all files; see here for how to do this if you're unsure.

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:

C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\i42v80a.exe
C:\WINDOWS\tiguoqc.exe


Exit the Task Manager when finished.

Use Add/Remove Programs to uninstall the following:

C:\Program Files\TV Media\Tvm.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

O4 - HKLM\..\Run: [iz.exe] C:\documents and settings\kevman\local settings\temp\iz.exe
O4 - HKLM\..\Run: [DK2.exe] C:\documents and settings\kevman\local settings\temp\DK2.exe
O4 - HKLM\..\Run: [omccvc] C:\WINDOWS\System32\omccvc.exe
O4 - HKLM\..\Run: [zMeDu741.exe] C:\documents and settings\kevman\local settings\temp\zMeDu741.exe
O4 - HKLM\..\Run: [dlM28@]"C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [dlM28]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [u0@]"iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [pon] C:\WINDOWS\pon.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [oFEU38X] i42v80a.exe
O4 - HKLM\..\Run: [Ecru.exe] C:\WINDOWS\SYSTEM32\Ecru.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab

Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\i42v80a.exe
C:\documents and settings\kevman\local settings\temp\iz.exe
C:\documents and settings\kevman\local settings\temp\DK2.exe
C:\WINDOWS\System32\omccvc.exe
C:\documents and settings\kevman\local settings\temp\zMeDu741.exe
C:\WINDOWS\tiguoqc.exe
C:\Program Files\TV Media\Tvm.exe
C:\WINDOWS\pon.exe
i42v80a.exe
C:\WINDOWS\SYSTEM32\Ecru.exe
C:\WINDOWS\tiguoqc.exe

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we'll take another look.

kc :tazz:
  • 0

#6
Wazootyman

Wazootyman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks so much, everything already seems to be running a whole lot better.

Here's the new log

Logfile of HijackThis v1.99.0
Scan saved at 12:57:23 PM, on 2/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Kevman\My Documents\My Downloads\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dlM28@]"C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [dlM28]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [u0@]"iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093741012771
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldw...jo/wordmojo.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MD Simple Burner Service - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (file missing)
  • 0

#7
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Wazootyman

We have a problem with this malware:

O4 - HKLM\..\Run: [dlM28@]"C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [dlM28]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [u0@]"iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe

It is blocking HijackThis from removing it from your registry.

Have alerted the Experts; hope we will have a fix shortly.

Please post a HJT.log DAILY; I will just keep removing the malware.

Kc :tazz:

[edit] As there has been no response from the original poster, this topic is now closed. If you have any other problems, please post a new topic.

Edited by bananafanafo, 15 April 2005 - 11:35 AM.

  • 0
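As an added example (not part of this thread and not a tool the helpers used), here is a small Python script that re-parses the O4 lines from the two logs above, reports which entries queued for "Fix Checked" in post #5 were still present in the log posted in post #6, and flags value names containing the brackets and quotes that HijackThis's own line format uses as delimiters. The sample input is copied from the logs in this thread; the delimiter heuristic is an assumption about why such a fix may not stick, not a diagnosis taken from the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input (copied from the two logs in this thread): the O4
# entries marked for "Fix Checked" in post #5, and the O4 entries still present
# in the log posted afterwards in post #6.
CHECKED_IN_POST_5 = r"""
O4 - HKLM\..\Run: [omccvc] C:\WINDOWS\System32\omccvc.exe
O4 - HKLM\..\Run: [dlM28@]"C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [dlM28]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [u0@]"iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [Ecru.exe] C:\WINDOWS\SYSTEM32\Ecru.exe
"""
LOG_IN_POST_6 = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dlM28@]"C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [dlM28]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKLM\..\Run: [u0@]"iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tiguoqc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""

# An O4 line is "O4 - <key>: [<value name>] <command>". The value name is taken
# as everything up to the LAST "] " so that names containing "]" or '"' survive.
O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>.*)\] (?P<cmd>.*)$')

Entry = Tuple[str, str]  # (registry key as printed by HijackThis, value name)

def parse_o4(log: str) -> Dict[Entry, str]:
    """Map (key, value name) -> command for every O4 line in a HijackThis log."""
    entries: Dict[Entry, str] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m["key"], m["name"])] = m["cmd"]
    return entries

def odd_value_name(name: str) -> bool:
    """Heuristic (assumption): value names containing HijackThis's own
    delimiter characters are a likely reason a 'Fix Checked' does not stick."""
    return any(c in name for c in '[]"')

def persisted_entries(before: str, after: str) -> List[Entry]:
    """O4 entries that were queued for removal but are still in the later log."""
    old, new = parse_o4(before), parse_o4(after)
    return [e for e in old if e in new]

if __name__ == "__main__":
    for key, name in persisted_entries(CHECKED_IN_POST_5, LOG_IN_POST_6):
        flag = "odd value name" if odd_value_name(name) else "plain name"
        print(f"still present: {key} [{name}]  ({flag})")
```

Running it lists the three ISTsvc entries from post #7 as persisted, each flagged for an odd value name, while omccvc, TV Media and Ecru.exe are correctly absent from the second log.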