
Discussion Starter · Registered · 31 Posts · #1
A trojan has invaded my computer. I scan for viruses with Stop Sign and think I have gotten rid of things, but still do not have control of my desktop. I am a relative beginner and need to know what to do. Help!!!! :eek:
 

Administrator · 123,536 Posts
Hi and welcome to TSG,

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

Discussion Starter · Registered · 31 Posts · #3
Hi. Thanks for the welcome. As you requested, here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 12:01:06 PM, on 12/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SM1BG.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\eAcceleration\Station\station.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {89AEAB46-8E8A-4045-9003-5614BFBFE90B} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F68D4ACF-5F32-4D00-A9D9-62D849AE0451} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [obamik] C:\WINNT\system32\uanb.exe
O4 - HKLM\..\Run: [llpnni] C:\WINNT\system32\uxcjqqn.exe
O4 - HKLM\..\Run: [hqhsxgb] C:\WINNT\system32\jclljl.exe
O4 - HKLM\..\Run: [evaepkkr] C:\WINNT\system32\twre.exe
O4 - HKLM\..\Run: [vzystqzu] C:\WINNT\system32\ksdo.exe
O4 - HKLM\..\Run: [onovvr] C:\WINNT\system32\gmywtkp.exe
O4 - HKLM\..\Run: [zucvgax] C:\WINNT\system32\qgept.exe
O4 - HKLM\..\Run: [pmiehpcl] C:\WINNT\system32\lpnavy.exe
O4 - HKLM\..\Run: [hjaqxmz] C:\WINNT\system32\wjasw.exe
O4 - HKLM\..\Run: [evrvlzih] C:\WINNT\system32\wlikoeg.exe
O4 - HKLM\..\Run: [ysdjzv] C:\WINNT\system32\hfncow.exe
O4 - HKLM\..\Run: [jwnn] C:\WINNT\system32\ghmwhm.exe
O4 - HKLM\..\Run: [frdkvfk] C:\WINNT\system32\jbsg.exe
O4 - HKLM\..\Run: [wyrmlrom] C:\WINNT\system32\jmvttctf.exe
O4 - HKLM\..\Run: [neqewrf] C:\WINNT\system32\toiluud.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StopSignSsTsMon] "Rundll32.exe" "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [wqunmbb] C:\WINNT\system32\wtagztkm.exe k:wqunmbb:
O4 - HKCU\..\Run: [bdmx] C:\WINNT\system32\vrxis.exe k:bdmx:
O4 - HKCU\..\Run: [nenfb] C:\WINNT\system32\dndomf.exe k:nenfb:
O4 - HKCU\..\Run: [wvtg] C:\WINNT\system32\awey.exe k:wvtg:
O4 - HKCU\..\Run: [lfblnsz] C:\WINNT\system32\qtnf.exe k:lfblnsz:
O4 - HKCU\..\Run: [msoxkct] C:\WINNT\system32\mcppyck.exe k:msoxkct:
O4 - HKCU\..\Run: [eifgms] C:\WINNT\system32\uhdx.exe k:eifgms:
O4 - HKCU\..\Run: [ebpccf] C:\WINNT\system32\hewaz.exe k:ebpccf:
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [CrazyCoinsSetup.exe] C:\DOWNLO~1\CRAZYC~1.EXE /r
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://eztracks.aavalue.com/EZT/Toolbar/eztdl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20353b12d9bcf3bf0218/netzip/RdxIE6.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/opnste/UCSearch.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 

Administrator · 123,536 Posts
Download AVG Anti-Spyware from HERE and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.

  1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
  2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
  4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will run it in Safe Mode.
  1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, as it may interfere with the scanning process.
  2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  4. AVG will now begin the scanning process. Please be patient as this may take a little time.
    Once the scan is complete, do the following:
  5. If you have any infections you will be prompted. Then select "Apply all actions."
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file; this is important).
  8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go HERE to run Panda's ActiveScan
  • You need to use IE to run this scan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.

When you post your next log please be sure "word wrap" is turned off under "Format" in Notepad.
 

Discussion Starter · Registered · 31 Posts · #5
Downloaded and ran AVG Anti-Spyware. Here is the report:

C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP744\A0057565.exe -> Adware.180Solutions : Cleaned.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP744\A0057747.dll -> Adware.EliteBar : Cleaned.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP746\A0058055.dll -> Adware.EZula : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F68D4ACF-5F32-4D00-A9D9-62D849AE0451} -> Adware.Generic : Cleaned.
HKU\S-1-5-21-339624541-3249391055-4049010538-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F68D4ACF-5F32-4D00-A9D9-62D849AE0451} -> Adware.Generic : Cleaned.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP746\A0058054.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP744\A0057460.dll -> Adware.SearchAssistant : Cleaned.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP744\A0057461.dll -> Adware.SearchAssistant : Cleaned.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP744\A0057748.exe -> Adware.SpyOnThis : Cleaned.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP744\A0057749.exe -> Adware.SpyOnThis : Cleaned.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP744\A0057850.exe -> Adware.Trymedia : Cleaned.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP746\A0058058.dll -> Adware.WinLocator : Cleaned.
C:\WINNT\system32\winlocatorhelper.dll -> Adware.WinLocator : Cleaned.
C:\WINNT\PornStars.exe -> Dialer.AsianRaw.bm : Cleaned.
C:\WINNT\Downloaded Program Files\tetra.dll -> Downloader.Wren.e : Cleaned.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-51cccb7c-5cd357f6.class -> Hijacker.Spywad.b : Cleaned.
C:\WINNT\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.a : Cleaned.
C:\WINNT\Downloaded Program Files\CONFLICT.1\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP744\A0057471.exe -> Trojan.Agent.rx : Cleaned.

::Report end

Here is the new Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 3:23:33 PM, on 12/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SM1BG.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {89AEAB46-8E8A-4045-9003-5614BFBFE90B} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [obamik] C:\WINNT\system32\uanb.exe
O4 - HKLM\..\Run: [llpnni] C:\WINNT\system32\uxcjqqn.exe
O4 - HKLM\..\Run: [hqhsxgb] C:\WINNT\system32\jclljl.exe
O4 - HKLM\..\Run: [evaepkkr] C:\WINNT\system32\twre.exe
O4 - HKLM\..\Run: [vzystqzu] C:\WINNT\system32\ksdo.exe
O4 - HKLM\..\Run: [onovvr] C:\WINNT\system32\gmywtkp.exe
O4 - HKLM\..\Run: [zucvgax] C:\WINNT\system32\qgept.exe
O4 - HKLM\..\Run: [pmiehpcl] C:\WINNT\system32\lpnavy.exe
O4 - HKLM\..\Run: [hjaqxmz] C:\WINNT\system32\wjasw.exe
O4 - HKLM\..\Run: [evrvlzih] C:\WINNT\system32\wlikoeg.exe
O4 - HKLM\..\Run: [ysdjzv] C:\WINNT\system32\hfncow.exe
O4 - HKLM\..\Run: [jwnn] C:\WINNT\system32\ghmwhm.exe
O4 - HKLM\..\Run: [frdkvfk] C:\WINNT\system32\jbsg.exe
O4 - HKLM\..\Run: [wyrmlrom] C:\WINNT\system32\jmvttctf.exe
O4 - HKLM\..\Run: [neqewrf] C:\WINNT\system32\toiluud.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StopSignSsTsMon] "Rundll32.exe" "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [wqunmbb] C:\WINNT\system32\wtagztkm.exe k:wqunmbb:
O4 - HKCU\..\Run: [bdmx] C:\WINNT\system32\vrxis.exe k:bdmx:
O4 - HKCU\..\Run: [nenfb] C:\WINNT\system32\dndomf.exe k:nenfb:
O4 - HKCU\..\Run: [wvtg] C:\WINNT\system32\awey.exe k:wvtg:
O4 - HKCU\..\Run: [lfblnsz] C:\WINNT\system32\qtnf.exe k:lfblnsz:
O4 - HKCU\..\Run: [msoxkct] C:\WINNT\system32\mcppyck.exe k:msoxkct:
O4 - HKCU\..\Run: [eifgms] C:\WINNT\system32\uhdx.exe k:eifgms:
O4 - HKCU\..\Run: [ebpccf] C:\WINNT\system32\hewaz.exe k:ebpccf:
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [CrazyCoinsSetup.exe] C:\DOWNLO~1\CRAZYC~1.EXE /r
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://eztracks.aavalue.com/EZT/Toolbar/eztdl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20353b12d9bcf3bf0218/netzip/RdxIE6.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/opnste/UCSearch.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

I downloaded and tried to run Panda's ActiveScan. I thought it was doing it, but when the download was complete, it kept giving me an "error on page" message when I clicked on My Computer.
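An added triage script, not from this thread or from HijackThis, that applies two of the patterns the helper's later fix list relies on: O2 BHO entries whose DLL is "(no file)", and O4 Run entries whose bracketed name and executable stem are both short random lowercase strings that differ from each other and live in system32 (the cluster from [obamik] to [ebpccf] in the logs above). The sample lines are copied from the posted logs plus a few benign ones; the heuristics and function names are my own.

```python
"""Flag suspicious O2/O4 lines in a HijackThis v1.99 log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Line shapes as they appear in HijackThis v1.99.1 logs.
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<desc>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
# Heuristic (mine): the dropped autoruns use 4-8 lowercase letters for both
# the value name and the file stem, and the two never match each other.
LOWER_WORD = re.compile(r'^[a-z]{4,8}$')


@dataclass
class Finding:
    line: str
    reason: str


def exe_and_stem(cmd: str) -> Tuple[str, str]:
    """Return (directory, file stem) of the first token of an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]      # quoted path, may contain spaces
    else:
        exe = cmd.split(' ', 1)[0]          # bare path up to first argument
    directory, _, filename = exe.rpartition('\\')
    stem = filename.rsplit('.', 1)[0]
    return directory, stem


def is_random_autorun(name: str, cmd: str) -> bool:
    """True for [random] C:\\...\\system32\\random.exe where the two names differ.

    [ctfmon.exe] C:\\WINNT\\system32\\ctfmon.exe is not flagged: the value name
    contains a dot and matches the file stem.
    """
    directory, stem = exe_and_stem(cmd)
    if not directory.lower().endswith('\\system32'):
        return False
    if not (LOWER_WORD.match(name) and LOWER_WORD.match(stem)):
        return False
    return name != stem


def triage(lines: List[str]) -> List[Finding]:
    """Run both heuristics over raw log lines and return what they flag."""
    findings = []
    for raw in lines:
        line = raw.rstrip('\r\n')
        m = O4_RE.match(line)
        if m and is_random_autorun(m['name'], m['cmd']):
            findings.append(Finding(line, 'O4 %s autorun with random name in system32' % m['hive']))
            continue
        m = O2_RE.match(line)
        if m and m['path'].strip() == '(no file)':
            findings.append(Finding(line, 'O2 BHO with orphaned CLSID (no file)'))
    return findings


# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LOG = [
    r'O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll',
    r'O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)',
    r'O2 - BHO: (no name) - {89AEAB46-8E8A-4045-9003-5614BFBFE90B} - (no file)',
    r'O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE',
    r'O4 - HKLM\..\Run: [obamik] C:\WINNT\system32\uanb.exe',
    r'O4 - HKLM\..\Run: [jwnn] C:\WINNT\system32\ghmwhm.exe',
    r'O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [wqunmbb] C:\WINNT\system32\wtagztkm.exe k:wqunmbb:',
    r'O4 - HKCU\..\Run: [bdmx] C:\WINNT\system32\vrxis.exe k:bdmx:',
    r'O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe',
]

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.reason, '::', f.line)
```

On the sample this flags the two orphaned BHOs and the four random-named autoruns, and leaves CTHelper, mmtask, ctfmon.exe and the Bonjour service alone; on the full second log it would flag all 23 of the random-named O4 entries the helper later lists.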
 

Discussion Starter · Registered · 31 Posts · #9
I can't access the site you recommended yet. I'll try a little later. Here is what it tells me:

Internet Explorer cannot display the webpage

Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

What you can try:
Check your Internet connection. Try visiting another website to make sure you are connected.

Retype the address.

Go back to the previous page.

More information
 

Administrator · 123,536 Posts
I just found out that site is down so let's try this one:

Download RootkitRevealer from here (link is at the very bottom of the page).
  • Unzip it to your desktop.
  • Open the RootkitRevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File - Save. Choose to save it to your desktop.
  • Open RootkitRevealer.txt on your desktop and copy the entire contents and paste them here.
 

Discussion Starter · Registered · 31 Posts · #11
Here is the report from RootkitRevealer.


HKLM\SECURITY\Policy\Secrets\SAC* 10/6/2003 12:46 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 10/6/2003 12:46 PM 0 bytes Key name contains embedded nulls (*)
C:\WINNT\system32\spool\PRINTERS\FP00000.SHD 12/24/2006 12:29 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINNT\system32\spool\PRINTERS\FP00000.SPL 12/24/2006 12:29 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
 

Administrator · 123,536 Posts
Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable SpySweeper:

Open it, click Options over to the left, then Program Options, and uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

Go to Control Panel - Add/Remove programs and remove:

Acceleration Software
eAcceleration


Click Here and download Killbox and save it to your desktop, but don't run it yet.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {89AEAB46-8E8A-4045-9003-5614BFBFE90B} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [obamik] C:\WINNT\system32\uanb.exe
O4 - HKLM\..\Run: [llpnni] C:\WINNT\system32\uxcjqqn.exe
O4 - HKLM\..\Run: [hqhsxgb] C:\WINNT\system32\jclljl.exe
O4 - HKLM\..\Run: [evaepkkr] C:\WINNT\system32\twre.exe
O4 - HKLM\..\Run: [vzystqzu] C:\WINNT\system32\ksdo.exe
O4 - HKLM\..\Run: [onovvr] C:\WINNT\system32\gmywtkp.exe
O4 - HKLM\..\Run: [zucvgax] C:\WINNT\system32\qgept.exe
O4 - HKLM\..\Run: [pmiehpcl] C:\WINNT\system32\lpnavy.exe
O4 - HKLM\..\Run: [hjaqxmz] C:\WINNT\system32\wjasw.exe
O4 - HKLM\..\Run: [evrvlzih] C:\WINNT\system32\wlikoeg.exe
O4 - HKLM\..\Run: [ysdjzv] C:\WINNT\system32\hfncow.exe
O4 - HKLM\..\Run: [jwnn] C:\WINNT\system32\ghmwhm.exe
O4 - HKLM\..\Run: [frdkvfk] C:\WINNT\system32\jbsg.exe
O4 - HKLM\..\Run: [wyrmlrom] C:\WINNT\system32\jmvttctf.exe
O4 - HKLM\..\Run: [neqewrf] C:\WINNT\system32\toiluud.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] "Rundll32.exe" "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKCU\..\Run: [wqunmbb] C:\WINNT\system32\wtagztkm.exe k:wqunmbb:
O4 - HKCU\..\Run: [bdmx] C:\WINNT\system32\vrxis.exe k:bdmx:
O4 - HKCU\..\Run: [nenfb] C:\WINNT\system32\dndomf.exe k:nenfb:
O4 - HKCU\..\Run: [wvtg] C:\WINNT\system32\awey.exe k:wvtg:
O4 - HKCU\..\Run: [lfblnsz] C:\WINNT\system32\qtnf.exe k:lfblnsz:
O4 - HKCU\..\Run: [msoxkct] C:\WINNT\system32\mcppyck.exe k:msoxkct:
O4 - HKCU\..\Run: [eifgms] C:\WINNT\system32\uhdx.exe k:eifgms:
O4 - HKCU\..\Run: [ebpccf] C:\WINNT\system32\hewaz.exe k:ebpccf:
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://eztracks.aavalue.com/EZT/Toolbar/eztdl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/20353b12...zip/RdxIE6.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/opnste/UCSearch.CAB

Then boot to safe mode:

How to restart to safe mode

Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    c:\winnt\Hot_xxx.exe
    c:\temp\FLEOK
    c:\program files\Aveo
    C:\WINNT\system32\uanb.exe
    C:\WINNT\system32\uxcjqqn.exe
    C:\WINNT\system32\jclljl.exe
    C:\WINNT\system32\twre.exe
    C:\WINNT\system32\ksdo.exe
    C:\WINNT\system32\gmywtkp.exe
    C:\WINNT\system32\qgept.exe
    C:\WINNT\system32\lpnavy.exe
    C:\WINNT\system32\wjasw.exe
    C:\WINNT\system32\wlikoeg.exe
    C:\WINNT\system32\hfncow.exe
    C:\WINNT\system32\ghmwhm.exe
    C:\WINNT\system32\jbsg.exe
    C:\WINNT\system32\jmvttctf.exe
    C:\WINNT\system32\toiluud.exe
    C:\WINNT\system32\wtagztkm.exe
    C:\WINNT\system32\vrxis.exe
    C:\WINNT\system32\dndomf.exe
    C:\WINNT\system32\awey.exe
    C:\WINNT\system32\qtnf.exe
    C:\WINNT\system32\mcppyck.exe
    C:\WINNT\system32\uhdx.exe
    C:\WINNT\system32\hewaz.exe

  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Next, in Killbox go to Tools > Delete Temp Files.
  • In the window that pops up, put a check by ALL the options there except these three:
    • XP Prefetch
    • Recent
    • History
  • Now click the Delete Selected Temp Files button.
  • Exit the Killbox.

Boot back to Windows normally.

Please download AboutBuster.
  • Double-click the AboutBuster folder, then double-click the AboutBuster.exe inside.
  • Click "Extract all" in the box that pops up, then "Next".
  • Choose the location you would like to install AboutBuster to, such as My Documents.
  • Make sure "Show extracted files" is checked, then click "Finish".
  • Reboot to safe mode by continually tapping the F8 key as the computer begins to boot.
  • Open AboutBuster and click the "Begin Removal" button. It will shut down all Explorer windows (if open) while it works.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it, as I may need a copy of it later.
  • Reboot your computer into safe mode again.
  • Run AboutBuster again following the same instructions as above, this time without the restart at the end.

Post another HijackThis log please along with the log from AboutBuster and a new Panda scan log as there will be more files to delete but the list should be shorter.
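As an added example (not part of HijackThis, Killbox, or the original post): a small Python triage helper that parses the O2 and O4 lines of a HijackThis log like the one above and derives the Killbox file list the way it was built by hand in this thread. The sample lines are copied from the posted log; the name-shape heuristic (`RANDOM_NAME`) is an assumption tuned to this thread's entries, not a general detection rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: HijackThis 1.99.1 lines copied from the log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [obamik] C:\WINNT\system32\uanb.exe
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKCU\..\Run: [wqunmbb] C:\WINNT\system32\wtagztkm.exe k:wqunmbb:
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/opnste/UCSearch.CAB
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
O2_RE = re.compile(r'^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$')
RANDOM_NAME = re.compile(r'^[a-z]{4,8}$')  # shape of the value/file names in this thread (assumption)

def split_command(cmd):
    # Quoted paths keep their spaces; otherwise the exe ends at the first space.
    path, _, args = cmd[1:].partition('"') if cmd.startswith('"') else cmd.partition(' ')
    return path, args.strip()

def parse_hjt(text):
    """Parse O4 (Run key) and O2 (BHO) lines; other sections are ignored here."""
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            path, args = split_command(m.group(3))
            entries.append({'type': 'O4', 'hive': m.group(1), 'name': m.group(2), 'path': path, 'args': args})
        elif m := O2_RE.match(line):
            entries.append({'type': 'O2', 'clsid': m.group(2), 'file': m.group(3)})
    return entries

def suspicious(entry):
    """Heuristic tuned to this thread, not a general malware test: an orphaned BHO, or a
    Run value with a random lowercase name launching a same-shaped exe from system32."""
    if entry['type'] == 'O2':
        return entry['file'] == '(no file)'
    p = PureWindowsPath(entry['path'])
    in_system32 = p.parent.name.lower() == 'system32'
    random_pair = bool(RANDOM_NAME.match(entry['name']) and RANDOM_NAME.match(p.stem))
    self_ref = entry['args'] == f"k:{entry['name']}:"  # the k:<name>: argument seen in this log
    return (in_system32 and random_pair) or self_ref

def killbox_paths(entries):
    """Deduplicated target paths of flagged Run entries, in log order, for Killbox."""
    flagged = [e['path'] for e in entries if e['type'] == 'O4' and suspicious(e)]
    return list(dict.fromkeys(flagged))
```

The legitimate StopSign entry is left alone because its executable neither lives in system32 nor carries the self-referencing argument.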
 

Registered · 31 Posts · Discussion Starter · #13
Acceleration Software (Stop Sign) is my antivirus program. I downloaded SpySweeper when I was trying by myself to rid the computer of little nasties.

So, do I just disable it as well as SpySweeper and follow your instructions?
 

Administrator · 123,536 Posts
If you're paying, then I would recommend Nod32 or Kaspersky, which are two of the best.

You need to uninstall Norton via the Control Panel and StopSign as well before installing the new one.


You only need to disable SpySweeper before carrying out my previous instructions.
 

Registered · 31 Posts · Discussion Starter · #18
I have attached the Hijack This log and Panda scan.

AboutBuster scan:

AboutBuster 6.05
Scan started on [12/26/2006] at [2:35:33 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:38:08 PM
 

Administrator · 123,536 Posts
Boot to safe mode and run Killbox on these files:


Also, we can get GMER at another site now so please do this:

Download GMER from:

http://www.majorgeeks.com/download.php?det=5198

Save it somewhere safe and unzip it to the desktop.

Double-click gmer.exe to run it, select the Rootkit tab, press Scan, and when it has finished press Save and copy the log back here please.
 