[Perfect Alibi]

Volume in drive C has no label.
Volume Serial Number is F8B9-131D

Directory of C:\WINDOWS\System32


Directory of C:\Documents and Settings\Hum\Desktop

[Advertisements]

but with norton, i have it but i don't use it because we had a trial version when we first got our desktop. but from time to time it always ask me to renew the subscription

[Perfect Alibi]

but with norton, i have it but i don't use it because we had a trial version when we first got our desktop. but from time to time it always ask me to renew the subscription

[Excal]

More than likely some of these files/folders and add/remove programs won't be in there, just move onto the next one.


THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [ybdzik] C:\WINDOWS\System32\jbzvvhk.exe
O4 - HKLM\..\Run: [wrzylhpxigf] C:\WINDOWS\System32\jbzvvhk.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Windows Update Files] C:\Program Files\microsoft hardware\dnetc.exe
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [TempLoader] C:\DOCUME~1\Hum\LOCALS~1\Temp\Loader.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [msbb] c:\program files\internet optimizer\sim\msbb.exe
O4 - HKLM\..\Run: [Moauxkn] C:\Program Files\Xoec\Pnex.exe
O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\KaZaA\My Shared Folder\AolPassHack.exe
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [inetgt] C:\WINDOWS\inetgt.exe
O4 - HKLM\..\Run: [fnyxzoe] C:\WINDOWS\System32\uhqgbl.exe r
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt mt
O4 - HKCU\..\Run: [Bdurqsp] C:\WINDOWS\SYSTEM32\?ecurity\w?nspool.exe
O4 - HKCU\..\Run: [zurw] C:\PROGRA~1\COMMON~1\zurw\zurwm.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Des] C:\WINDOWS\System32\r?gedit.exe
O4 - HKCU\..\Run: [ContextUninstall] C:\WINDOWS\STUninstall.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

7. click the Fix Checked box

8. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Please note any other programs that you dont recognize in that list in your next response

WhenUSearch
KaZaA
WhenUSave
WebRebates
TV Media
TBPS
WinTools
internet optimizer
MediaLoads

9. Please remove the following folders using Windows Explorer (if present):

C:\WINDOWS\System32\P2P Networking
C:\Program Files\microsoft hardware
C:\Program Files\rdso
C:\Program Files\WhenUSearch
C:\PROGRAM FILES\Save
C:\Program Files\Web_Rebates
C:\Program Files\TV Media
C:\PROGRAM FILES\Toolbar
C:\Program Files\se
c:\program files\internet optimizer
C:\Program Files\Xoec
C:\Program Files\DownloadWare
C:\Program Files\Kazaa
C:\PROGRAM FILES\COMMON FILES\WinTools
C:\PROGRAM FILES\COMMON FILES\zurw
C:\Program Files\Common Files\CMEII
C:\Program Files\Common files\updmgr

10. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\System32\jbzvvhk.exe
C:\WINDOWS\System32\uhqgbl.exe
C:\WINDOWS\alchem.exe
C:\WINDOWS\inetgt.exe
C:\WINDOWS\STUninstall.exe

11. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


12. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

13. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.

[Perfect Alibi]

i did everything up until No.9 the only two that wern't checked was both No.023 , cause they wern't on the hijack llist.

with the add/remover programs didn't see any of the thing you asked for. but i did see some things that i didn't recognize like:

ATI display driver
BMSE dbl
i have 2, "Software Update Manager"
System Alert Popup
TSA
RON Display
SE Assistant
SE Help
Search Aid
Search Function
Context Display
IE Help
IEC system
LiveReg (Symantec Cororation
Lice Update1.80 (Symantec Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0
URL Display
Windows Installer 3.1 (KB893803)
WSME Update

9. Please remove the following folders using Windows Explorer (if present):
i don't know how to use the windows explorer and when you say "remove " do you want me to navigate there and delete it? same question goes for No.10

[Excal]

all these can be added to the add/remove list: (make a note on which ones you can remove in the uninstall list, and we will get those later)

BMSE dbl
Software Update Manager
System Alert Popup
TSA
RON Display
SE Assistant
SE Help
Search Aid
Search Function
Context Display
IE Help
IEC system
LiveReg (Symantec Cororation
Lice Update1.80 (Symantec Corporation)


Go to start, then my computer, then C: drive. then navigate to those folders and delete the whole folders, same with the files......does that help?



Excal

[Perfect Alibi]

i did all that i can do by the dirsection. but where do i get the atf cleanr? and eveything after that?

[Excal]

sigh....lol, its been one of those days, sorry about that.

go ahead and reboot into normal mode, run atf cleaner, then run the active scan.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.





Excal

[Perfect Alibi]

when i run the panda scan, it tell me i need to download the ActiveX and install. should i do so??

[Perfect Alibi]

nevermind that post because i downloaded it. it did the scan and when it got to the part where it ask meto choose something to scan , i choose "my computer" but then says there's an error on the page

[Excal]

Try this one


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Follow the Instruction Here for installation.
• Accept the License Agreement.
• Once the ActiveX installs,Click Full System Scan
• Once the download completes,the scan will begin automatically.
• The scan will take some time to finish,so please be patient.
• When the scan completes, click the Automatic cleaning (recommended) button.
• Click the Show Report button and Copy&Paste the entire report in your next reply.

[Perfect Alibi]

first i want to say i really appreciate the help. i ran the F secure scan, but when i got to the second part about the cleaning it gets hung up. please help!

[Perfect Alibi]

would it be any help if i told you i have the "reinstallation CD" along wiith a "drivers and utilities" for my desktop .i also have "PC -cillin Antivirus11" & "Webroot Spy Sweeper" that i bought when i purchased my laptop. Will any of these help. i didn't want to put anything in, before i took everything out.

[Perfect Alibi]

Logfile of HijackThis v1.99.1
Scan saved at 2:28:49 PM, on 1/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HUM\Local Settings\Temporary Internet Files\Content.IE5\U2M4NY2X\HijackThis[1].exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

[Excal]

I am not really worried about the scan, but I think I am going to have you do a scan disc, some of your files may have been damged by the malware.

Can you repost the HJT, looks like you missed part of it.






Excal

[Perfect Alibi]

Logfile of HijackThis v1.99.1
Scan saved at 3:50:53 PM, on 1/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HUM\Desktop\HijackThis.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe





This is my whole hijack log.