Need Your Help With This...

Post by theglobal » May 7th, 2005, 7:11 pm

Hi Chris... I would appreciate your thought on this... it looks like a pretty good mess.

Mike

Logfile of HijackThis v1.99.1
Scan saved at 4:57:56 PM, on 5/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINDOWS\System32\cufmyo\euuofbm.exe
C:\WINDOWS\System32\xhvvmpv\kkyumfc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\ZipToA.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\BLEHSIGN\sizespamseek.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Qexyfkt\Erllkl.exe
C:\WINDOWS\System32\ivpnmz.exe
C:\WINDOWS\System32\scrsvc.exe
C:\WINDOWS\system32\msgm32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\wknky\ikrph.exe
C:\WINDOWS\System32\jvtclcn\lxskf.exe
C:\WINDOWS\System32\hleokaqi\bphc.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\System32\yiarby\quxi.exe
C:\WINDOWS\System32\ufcqrlx\rrfys.exe
C:\WINDOWS\System32\pddchqk\efsporxu.exe
C:\WINDOWS\System32\mjena\kwrm.exe
C:\WINDOWS\System32\eoipxho\xciqivkg.exe
C:\WINDOWS\System32\omjolexe\ewkqtu.exe
C:\WINDOWS\System32\icjh\hugkddi.exe
C:\WINDOWS\System32\xvmjmogp\hbxghue.exe
C:\WINDOWS\System32\girs\kefvmq.exe
C:\WINDOWS\System32\xykekjhn\clxcfqil.exe
C:\WINDOWS\System32\oxnpa\xhdbx.exe
C:\WINDOWS\System32\hunus\swqo.exe
C:\WINDOWS\System32\ojtmcbrq\vlhr.exe
C:\WINDOWS\System32\ugxxu\abcyksxb.exe
C:\WINDOWS\System32\iwutabvo\ouuuurh.exe
C:\WINDOWS\System32\qxuhl\fhdbxlhu.exe
C:\WINDOWS\System32\hvbm\ygpa.exe
C:\WINDOWS\System32\nkipqae\qklukmgk.exe
C:\WINDOWS\system\krxf.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\System32\gyhxprxy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
c:\windows\system32\xhaqhmp.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\netun.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gpoav.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpoav.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gpoav.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gpoav.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpoav.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gpoav.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Class - {538EEB8F-48F3-4823-CA19-09ED9EFBD83E} - C:\WINDOWS\iebr.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [s] C:\WINDOWS\System32\qiidre.exe
O4 - HKLM\..\Run: [THIS SETTINGS] C:\PROGRA~1\BLEHSIGN\sizespamseek.exe
O4 - HKLM\..\Run: [NS4 = (document.layers) ? true : fa] c:\WINDOWS\System32\NS4 = (document.layers) ? true : false;
O4 - HKLM\..\Run: [IE4plus = (document.all) ? true : fa] c:\WINDOWS\System32\IE4plus = (document.all) ? true : false;
O4 - HKLM\..\Run: [NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:fa] c:\WINDOWS\System32\NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;
O4 - HKLM\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;
O4 - HKLM\..\Run: [ IEMajor = parseInt(navigator.appVersion.substring(start+5,en] c:\WINDOWS\System32\ IEMajor = parseInt(navigator.appVersion.substring(start+5,end));
O4 - HKLM\..\Run: [var gSafeOnload = new Arra] c:\WINDOWS\System32\var gSafeOnload = new Array();
O4 - HKLM\..\Run: [ if (IEmac && IE4) // IE 4.5 blows out on testing window.on] c:\WINDOWS\System32\ if (IEmac && IE4) // IE 4.5 blows out on testing window.onload
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ if (window.onload != SafeOnl] c:\WINDOWS\System32\ if (window.onload != SafeOnload)
O4 - HKLM\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
O4 - HKLM\..\Run: [ window.onload ] c:\WINDOWS\System32\ window.onload = f;
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [ var checknum = parseInt(num] c:\WINDOWS\System32\ var checknum = parseInt(numIn);
O4 - HKLM\..\Run: [function PUW_In] c:\WINDOWS\System32\function PUW_Init()
O4 - HKLM\..\Run: [ var newWin = window.open(this.url,this.name,settin] c:\WINDOWS\System32\ var newWin = window.open(this.url,this.name,settings);
O4 - HKLM\..\Run: [ window.focu] c:\WINDOWS\System32\ window.focus();
O4 - HKLM\..\Run: [ var shouldShow = this.frequency !] c:\WINDOWS\System32\ var shouldShow = this.frequency != 0;
O4 - HKLM\..\Run: [ end = allCookies.len] c:\WINDOWS\System32\ end = allCookies.length;
O4 - HKLM\..\Run: [ if (isInt(freqS] c:\WINDOWS\System32\ if (isInt(freqStr))
O4 - HKLM\..\Run: [ this.frequenc] c:\WINDOWS\System32\ this.frequency--;
O4 - HKLM\..\Run: [ shouldShow = fa] c:\WINDOWS\System32\ shouldShow = false;
O4 - HKLM\..\Run: [ exp.setTime(exp.getTime()+this.renew*60*60] c:\WINDOWS\System32\ exp.setTime(exp.getTime()+this.renew*60*6000);
O4 - HKLM\..\Run: [function PopupWindow(url,width,hei] c:\WINDOWS\System32\function PopupWindow(url,width,height)
O4 - HKLM\..\Run: [ this.height = hei] c:\WINDOWS\System32\ this.height = height;
O4 - HKLM\..\Run: [ this.left = screen.availWidth/2 - width/2; // ce] c:\WINDOWS\System32\ this.left = screen.availWidth/2 - width/2; // center
O4 - HKLM\..\Run: [ this.showDelay = 2] c:\WINDOWS\System32\ this.showDelay = 2000;
O4 - HKLM\..\Run: [ this.renew = 1; // renew showing every x h] c:\WINDOWS\System32\ this.renew = 1; // renew showing every x hours
O4 - HKLM\..\Run: [ this.toolbar= fa] c:\WINDOWS\System32\ this.toolbar= false;
O4 - HKLM\..\Run: [ this.resizable = fa] c:\WINDOWS\System32\ this.resizable = false;
O4 - HKLM\..\Run: [ this.menubar = fa] c:\WINDOWS\System32\ this.menubar = false;
O4 - HKLM\..\Run: [ this.Init = PUW_I] c:\WINDOWS\System32\ this.Init = PUW_Init;
O4 - HKLM\..\Run: [ this.CheckFrequency = PUW_CheckFreque] c:\WINDOWS\System32\ this.CheckFrequency = PUW_CheckFrequency;
O4 - HKLM\..\Run: [ gPopupWindow.Ini] c:\WINDOWS\System32\ gPopupWindow.Init();
O4 - HKLM\..\Run: [gPopupWindow.toolbar = fa] c:\WINDOWS\System32\gPopupWindow.toolbar = false;
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<Head>
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKLM\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
O4 - HKLM\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
O4 - HKLM\..\Run: [if(!NN] c:\WINDOWS\System32\if(!NN4) {
O4 - HKLM\..\Run: [} el] c:\WINDOWS\System32\} else {
O4 - HKLM\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKLM\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKLM\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);
O4 - HKLM\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
O4 - HKLM\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
O4 - HKLM\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
O4 - HKLM\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKLM\..\Run: [}] c:\WINDOWS\System32\}
O4 - HKLM\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
O4 - HKLM\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKLM\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKLM\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
O4 - HKLM\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
O4 - HKLM\..\Run: [ Sea] c:\WINDOWS\System32\ Search:
O4 - HKLM\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}
O4 - HKLM\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0
O4 - HKLM\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName
O4 - HKLM\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()
O4 - HKLM\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {
O4 - HKLM\..\Run: [eA0HXAUx] C:\PROGRA~1\rvrtxr\uxvuwu.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Ytfjgal] C:\Program Files\Qexyfkt\Erllkl.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [aiat] C:\WINDOWS\System32\rmjwq\aiat.exe
O4 - HKLM\..\Run: [cgeap] C:\WINDOWS\System32\epfc\cgeap.exe
O4 - HKLM\..\Run: [xglshwp] C:\WINDOWS\System32\egtvms\xglshwp.exe
O4 - HKLM\..\Run: [hshnin] C:\DOCUME~1\Owner\LOCALS~1\Temp\kdfkqs.exe
O4 - HKLM\..\Run: [gnjap] C:\WINDOWS\System32\jnvnbgm\gnjap.exe
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\System32\psoft1.exe
O4 - HKLM\..\Run: [AutoLoader3FwG1OWgKZaU] "C:\WINDOWS\System32\shlppdll.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteuzw32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ivpnmz.exe
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [msgm32.exe] C:\WINDOWS\system32\msgm32.exe
O4 - HKLM\..\Run: [basuo] C:\WINDOWS\System32\pmywha\basuo.exe
O4 - HKLM\..\Run: [fockh] C:\WINDOWS\System32\cbmet\fockh.exe
O4 - HKLM\..\Run: [oqvhuc] C:\WINDOWS\System32\oqleuyht\oqvhuc.exe
O4 - HKLM\..\Run: [iwdj] C:\WINDOWS\System32\vsxka\iwdj.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nhyxjaij] C:\WINDOWS\System32\nghxaki\nhyxjaij.exe
O4 - HKLM\..\Run: [mhthgd] C:\WINDOWS\System32\knpp\mhthgd.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\hsjjydx.exe
O4 - HKLM\..\Run: [ikrph] C:\WINDOWS\System32\wknky\ikrph.exe
O4 - HKLM\..\Run: [pupe] C:\WINDOWS\System32\ryiqupvj\pupe.exe
O4 - HKLM\..\Run: [yyaxgmh] C:\WINDOWS\System32\fjje\yyaxgmh.exe
O4 - HKLM\..\Run: [fydee] C:\WINDOWS\System32\mokewqej\fydee.exe
O4 - HKLM\..\Run: [lecbg] C:\WINDOWS\System32\unobi\lecbg.exe
O4 - HKLM\..\Run: [bphc] C:\WINDOWS\System32\hleokaqi\bphc.exe
O4 - HKLM\..\Run: [mihg] C:\WINDOWS\System32\oxvj\mihg.exe
O4 - HKLM\..\Run: [qmaknd] C:\WINDOWS\System32\dlpkf\qmaknd.exe
O4 - HKLM\..\Run: [sjuadsi] C:\WINDOWS\System32\littnik\sjuadsi.exe
O4 - HKLM\..\Run: [ihojjxce] C:\WINDOWS\System32\jlsiq\ihojjxce.exe
O4 - HKLM\..\Run: [qmmcw] C:\WINDOWS\System32\bbsgmgq\qmmcw.exe
O4 - HKLM\..\Run: [vgltjeme] c:\windows\system32\vgltjeme.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [suvoacns] C:\WINDOWS\System32\sftuej\suvoacns.exe
O4 - HKLM\..\Run: [tmsdbf] C:\WINDOWS\System32\ckevux\tmsdbf.exe
O4 - HKLM\..\Run: [updimqc] C:\WINDOWS\System32\ytjggmcp\updimqc.exe
O4 - HKLM\..\Run: [fjbutm] C:\WINDOWS\System32\bajwlanx\fjbutm.exe
O4 - HKLM\..\Run: [scyienvw] C:\WINDOWS\System32\hxvora\scyienvw.exe
O4 - HKLM\..\Run: [rrfys] C:\WINDOWS\System32\ufcqrlx\rrfys.exe
O4 - HKLM\..\Run: [efsporxu] C:\WINDOWS\System32\pddchqk\efsporxu.exe
O4 - HKLM\..\Run: [kwrm] C:\WINDOWS\System32\mjena\kwrm.exe
O4 - HKLM\..\Run: [xciqivkg] C:\WINDOWS\System32\eoipxho\xciqivkg.exe
O4 - HKLM\..\Run: [ycwkbl] C:\WINDOWS\System32\brvpieg\ycwkbl.exe
O4 - HKLM\..\Run: [vburf] C:\WINDOWS\System32\ghttvrl\vburf.exe
O4 - HKLM\..\Run: [qapty] C:\WINDOWS\System32\hiahu\qapty.exe
O4 - HKLM\..\Run: [vdmo] C:\WINDOWS\System32\inbn\vdmo.exe
O4 - HKLM\..\Run: [swmc] C:\WINDOWS\System32\bqtg\swmc.exe
O4 - HKLM\..\Run: [vemhon] C:\WINDOWS\System32\fvwnrh\vemhon.exe
O4 - HKLM\..\Run: [hugkddi] C:\WINDOWS\System32\icjh\hugkddi.exe
O4 - HKLM\..\Run: [hbxghue] C:\WINDOWS\System32\xvmjmogp\hbxghue.exe
O4 - HKLM\..\Run: [kefvmq] C:\WINDOWS\System32\girs\kefvmq.exe
O4 - HKLM\..\Run: [clxcfqil] C:\WINDOWS\System32\xykekjhn\clxcfqil.exe
O4 - HKLM\..\Run: [xhdbx] C:\WINDOWS\System32\oxnpa\xhdbx.exe
O4 - HKLM\..\Run: [swqo] C:\WINDOWS\System32\hunus\swqo.exe
O4 - HKLM\..\Run: [G3] C:\WINDOWS\System32\GSMedia3.exe
O4 - HKLM\..\Run: [rfacgyn] C:\WINDOWS\System32\dcanmapm\rfacgyn.exe
O4 - HKLM\..\Run: [pisgn] C:\WINDOWS\System32\egrmglfb\pisgn.exe
O4 - HKLM\..\Run: [abcyksxb] C:\WINDOWS\System32\ugxxu\abcyksxb.exe
O4 - HKLM\..\Run: [ouuuurh] C:\WINDOWS\System32\iwutabvo\ouuuurh.exe
O4 - HKLM\..\Run: [fhdbxlhu] C:\WINDOWS\System32\qxuhl\fhdbxlhu.exe
O4 - HKLM\..\Run: [ygpa] C:\WINDOWS\System32\hvbm\ygpa.exe
O4 - HKLM\..\Run: [sxvwkt] C:\WINDOWS\System32\rgcmlusq\sxvwkt.exe
O4 - HKLM\..\Run: [qklukmgk] C:\WINDOWS\System32\nkipqae\qklukmgk.exe
O4 - HKLM\..\Run: [kkyumfc] C:\WINDOWS\System32\xhvvmpv\kkyumfc.exe
O4 - HKLM\..\Run: [euuofbm] C:\WINDOWS\System32\cufmyo\euuofbm.exe
O4 - HKLM\..\Run: [quxi] C:\WINDOWS\System32\yiarby\quxi.exe
O4 - HKLM\..\Run: [lxskf] C:\WINDOWS\System32\jvtclcn\lxskf.exe
O4 - HKLM\..\Run: [vlhr] C:\WINDOWS\System32\ojtmcbrq\vlhr.exe
O4 - HKLM\..\Run: [eyjct] C:\WINDOWS\System32\jqatps\eyjct.exe
O4 - HKLM\..\Run: [ewkqtu] C:\WINDOWS\System32\omjolexe\ewkqtu.exe
O4 - HKLM\..\Run: [oxkfnam] c:\windows\system32\xhaqhmp.exe
O4 - HKLM\..\RunOnce: [winoi.exe] C:\WINDOWS\system32\winoi.exe
O4 - HKLM\..\RunOnce: [CounterSpyCleaner] C:\Program Files\Sunbelt Software\CounterSpy Client\sunASCleaner.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NS4 = (document.layers) ? true : fa] c:\WINDOWS\System32\NS4 = (document.layers) ? true : false;
O4 - HKCU\..\Run: [IE4plus = (document.all) ? true : fa] c:\WINDOWS\System32\IE4plus = (document.all) ? true : false;
O4 - HKCU\..\Run: [NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:fa] c:\WINDOWS\System32\NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;
O4 - HKCU\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;
O4 - HKCU\..\Run: [ IEMajor = parseInt(navigator.appVersion.substring(start+5,en] c:\WINDOWS\System32\ IEMajor = parseInt(navigator.appVersion.substring(start+5,end));
O4 - HKCU\..\Run: [var gSafeOnload = new Arra] c:\WINDOWS\System32\var gSafeOnload = new Array();
O4 - HKCU\..\Run: [ if (IEmac && IE4) // IE 4.5 blows out on testing window.on] c:\WINDOWS\System32\ if (IEmac && IE4) // IE 4.5 blows out on testing window.onload
O4 - HKCU\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKCU\..\Run: [ if (window.onload != SafeOnl] c:\WINDOWS\System32\ if (window.onload != SafeOnload)
O4 - HKCU\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
O4 - HKCU\..\Run: [ window.onload ] c:\WINDOWS\System32\ window.onload = f;
O4 - HKCU\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKCU\..\Run: [ var checknum = parseInt(num] c:\WINDOWS\System32\ var checknum = parseInt(numIn);
O4 - HKCU\..\Run: [function PUW_In] c:\WINDOWS\System32\function PUW_Init()
O4 - HKCU\..\Run: [ var newWin = window.open(this.url,this.name,settin] c:\WINDOWS\System32\ var newWin = window.open(this.url,this.name,settings);
O4 - HKCU\..\Run: [ window.focu] c:\WINDOWS\System32\ window.focus();
O4 - HKCU\..\Run: [ var shouldShow = this.frequency !] c:\WINDOWS\System32\ var shouldShow = this.frequency != 0;
O4 - HKCU\..\Run: [ end = allCookies.len] c:\WINDOWS\System32\ end = allCookies.length;
O4 - HKCU\..\Run: [ if (isInt(freqS] c:\WINDOWS\System32\ if (isInt(freqStr))
O4 - HKCU\..\Run: [ this.frequenc] c:\WINDOWS\System32\ this.frequency--;
O4 - HKCU\..\Run: [ shouldShow = fa] c:\WINDOWS\System32\ shouldShow = false;
O4 - HKCU\..\Run: [ exp.setTime(exp.getTime()+this.renew*60*60] c:\WINDOWS\System32\ exp.setTime(exp.getTime()+this.renew*60*6000);
O4 - HKCU\..\Run: [function PopupWindow(url,width,hei] c:\WINDOWS\System32\function PopupWindow(url,width,height)
O4 - HKCU\..\Run: [ this.height = hei] c:\WINDOWS\System32\ this.height = height;
O4 - HKCU\..\Run: [ this.left = screen.availWidth/2 - width/2; // ce] c:\WINDOWS\System32\ this.left = screen.availWidth/2 - width/2; // center
O4 - HKCU\..\Run: [ this.showDelay = 2] c:\WINDOWS\System32\ this.showDelay = 2000;
O4 - HKCU\..\Run: [ this.renew = 1; // renew showing every x h] c:\WINDOWS\System32\ this.renew = 1; // renew showing every x hours
O4 - HKCU\..\Run: [ this.toolbar= fa] c:\WINDOWS\System32\ this.toolbar= false;
O4 - HKCU\..\Run: [ this.resizable = fa] c:\WINDOWS\System32\ this.resizable = false;
O4 - HKCU\..\Run: [ this.menubar = fa] c:\WINDOWS\System32\ this.menubar = false;
O4 - HKCU\..\Run: [ this.Init = PUW_I] c:\WINDOWS\System32\ this.Init = PUW_Init;
O4 - HKCU\..\Run: [ this.CheckFrequency = PUW_CheckFreque] c:\WINDOWS\System32\ this.CheckFrequency = PUW_CheckFrequency;
O4 - HKCU\..\Run: [ gPopupWindow.Ini] c:\WINDOWS\System32\ gPopupWindow.Init();
O4 - HKCU\..\Run: [gPopupWindow.toolbar = fa] c:\WINDOWS\System32\gPopupWindow.toolbar = false;
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<Head>
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
O4 - HKCU\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
O4 - HKCU\..\Run: [if(!NN] c:\WINDOWS\System32\if(!NN4) {
O4 - HKCU\..\Run: [} el] c:\WINDOWS\System32\} else {
O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKCU\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKCU\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKCU\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKCU\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);
O4 - HKCU\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
O4 - HKCU\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
O4 - HKCU\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
O4 - HKCU\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKCU\..\Run: [}] c:\WINDOWS\System32\}
O4 - HKCU\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
O4 - HKCU\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKCU\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKCU\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
O4 - HKCU\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
O4 - HKCU\..\Run: [ Sea] c:\WINDOWS\System32\ Search:
O4 - HKCU\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}
O4 - HKCU\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0
O4 - HKCU\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName
O4 - HKCU\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()
O4 - HKCU\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {
O4 - HKCU\..\Run: [IBwmRQHqR] gyhxprxy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Adaware Bootup] C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0029.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://E:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javacb.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: cgeapepfc - Unknown owner - C:\WINDOWS\System32\epfc\cgeap.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: euuofbmcufmyo - Unknown owner - C:\WINDOWS\System32\cufmyo\euuofbm.exe
O23 - Service: greenstdSystem32 - Unknown owner - C:\WINDOWS\System32\greenstd.exe (file missing)
O23 - Service: ihojjxcejlsiq - Unknown owner - C:\WINDOWS\System32\jlsiq\ihojjxce.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: kkyumfcxhvvmpv - Unknown owner - C:\WINDOWS\System32\xhvvmpv\kkyumfc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: occxuyoi - Unknown owner - C:\WINDOWS\System32\uyoi\occx.exe (file missing)
O23 - Service: oqvhucoqleuyht - Unknown owner - C:\WINDOWS\System32\oqleuyht\oqvhuc.exe
O23 - Service: ovekyvhxcffaqksm - Unknown owner - C:\WINDOWS\System32\cffaqksm\ovekyvhx.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: pisgnegrmglfb - Unknown owner - C:\WINDOWS\System32\egrmglfb\pisgn.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: qaptyhiahu - Unknown owner - C:\WINDOWS\System32\hiahu\qapty.exe
O23 - Service: qmaknddlpkf - Unknown owner - C:\WINDOWS\System32\dlpkf\qmaknd.exe
O23 - Service: rfacgyndcanmapm - Unknown owner - C:\WINDOWS\System32\dcanmapm\rfacgyn.exe
O23 - Service: scyienvwhxvora - Unknown owner - C:\WINDOWS\System32\hxvora\scyienvw.exe
O23 - Service: suvoacnssftuej - Unknown owner - C:\WINDOWS\System32\sftuej\suvoacns.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: tmsdbfckevux - Unknown owner - C:\WINDOWS\System32\ckevux\tmsdbf.exe
O23 - Service: vburfghttvrl - Unknown owner - C:\WINDOWS\System32\ghttvrl\vburf.exe
O23 - Service: vdmoinbn - Unknown owner - C:\WINDOWS\System32\inbn\vdmo.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ycwkblbrvpieg - Unknown owner - C:\WINDOWS\System32\brvpieg\ycwkbl.exe
O23 - Service: yyaxgmhfjje - Unknown owner - C:\WINDOWS\System32\fjje\yyaxgmh.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
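The helpers in this thread triage the log above by eye. As an added example (not part of the thread, and not a HijackThis feature), the Python below runs a handful of entries copied from that log through the same checks a reviewer applies first: res:// search-page hijacks, a modified Shell= value, autostarts launched from Temp or from a random-looking one-level System32 subfolder, Run values filled with script fragments, Trusted Zone additions, O16 downloads of bare executables, and services with no publisher. The regexes and the "random-looking folder" shape are heuristics chosen here, not HijackThis rules.

```python
"""Triage heuristics for HijackThis 1.99 log entries (added example for this thread)."""
import re
from collections import Counter

# A handful of entries copied from the log posted above; the full log is much longer.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gpoav.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hshnin] C:\DOCUME~1\Owner\LOCALS~1\Temp\kdfkqs.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0029.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: greenstdSystem32 - Unknown owner - C:\WINDOWS\System32\greenstd.exe (file missing)
"""

# Every HijackThis entry starts with its section code: R0-R3, F0-F3, O1-O23.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Registry O4 entries look like:  HKLM\..\Run: [value name] command line
RUNKEY_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.*)\] (.*)$")
# One-level subfolder directly under System32 holding an .exe of the same style (heuristic chosen here)
SYS32_SUB_RE = re.compile(r"\\system32\\[a-z]{3,9}\\[a-z]{3,9}\.exe$", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
# Characters that belong in JavaScript/HTML, never in a legitimate Run value name or command
SCRIPT_MARKERS = (";", "<", "{", "}", "//")


def classify(line):
    """Return a reason string if the entry deserves a closer look, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind in ("R0", "R1") and "res://" in body:
        return "IE search/start page redirected into a local DLL resource"
    if kind == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "extra program appended to the Shell= value (runs at every logon)"
    if kind == "O4":
        rk = RUNKEY_RE.match(body)
        if rk:
            name, cmd = rk.groups()
            if "=" in name or any(t in name + cmd for t in SCRIPT_MARKERS):
                return "Run value whose name/command is a script or HTML fragment"
            if TEMP_RE.search(cmd):
                return "autostart launched from a Temp folder"
            if SYS32_SUB_RE.search(cmd):
                return "autostart in a random-looking one-level System32 subfolder"
    if kind == "O15":
        return "site added to the IE Trusted Zone"
    if kind == "O16" and body.lower().endswith(".exe"):
        return "Downloaded Program File that is a bare .exe rather than a .cab"
    if kind == "O23" and "Unknown owner" in body:
        missing = " (binary missing)" if "(file missing)" in body else ""
        return "service with no publisher" + missing
    return None


def triage(log_text):
    """Return [(entry, reason)] for each entry that trips a heuristic, in log order."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


def summary(log_text):
    """Count hits per reason so the dominant problem class stands out."""
    return Counter(reason for _, reason in triage(log_text))


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
    print(summary(SAMPLE_LOG).most_common())
```

Entries the heuristics leave alone (the HP keyboard helper, QuickTime, the Symantec service, the ProxyOverride line) are exactly the ones the helpers in this thread also leave alone; a clean pass is a reason to look harder at the remaining O4 entries, not to declare the machine clean.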

Post by wng_z3r0 » May 7th, 2005, 7:45 pm

wow :shock:

That's some log. hehe. It looks like one of those practice logs Chris makes :P

Anyways,
I'd be glad to help you :)

Just give me some time to research that nice log of yours.


have a good day,
wng

Post by ChrisRLG » May 8th, 2005, 3:40 pm

wng_z3r0 has unfortunately some problems with his own computer - so you have me instead.

=======================

First of all I need you to download some programs for use later.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:
@ECHO OFF
cd %windir%
REM Let Nail.exe run its own uninstall routine first
Nail.exe /FULLREMOVE
REM Disable, stop and unregister the SvcProc service so its binary can be deleted
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so del succeeds
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Download this file and unzip it to your desktop

Download About:Buster from here. Once it is downloaded, extract it to c:\aboutbuster and check for updates. Do NOT use it yet.

Download CWShredder from here, install it, check for updates but again, don't use it yet.

Then, Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

Open adaware and Click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.

If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" Page. Make sure all of the following are On with a "green" checkmark:

Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File

Then click on the "Tweak" Button to open up the tweak settings.

Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:

Scan registry for all users instead of current user only

Make sure the following is unchecked with a "red" X:

Unload recognized processes & modules during scan.

Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:

Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot.

Click the "Proceed" button to save settings.

Don't scan yet. We will do it in safe mode.

Ensure hidden files and folders are set to show;

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called <Remote Procedure Call (RPC) Helper>. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.

=========================================

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE

Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Post the log from the scan here for me as a reply - after doing all of the next.

While in safe mode, double click on the cwsserviceemove.reg file you downloaded at the beginning. Grant it permission to add the registry items.

Then Open cwshredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

Bring up task manager Ctrl-Alt-Del and end these processes if they are present


  • Please set your system to show all files; please see here if you're unsure how to do this.
  • Press Control-Alt-Del to enter the Task Manager.
    Click on the Processes tab and end the following processes:

    C:\WINDOWS\System32\cufmyo\euuofbm.exe
    C:\WINDOWS\System32\xhvvmpv\kkyumfc.exe
    C:\PROGRA~1\BLEHSIGN\sizespamseek.exe
    C:\Program Files\Qexyfkt\Erllkl.exe
    C:\WINDOWS\System32\ivpnmz.exe
    C:\WINDOWS\System32\scrsvc.exe
    C:\WINDOWS\system32\msgm32.exe
    C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    C:\WINDOWS\System32\picsvr\picsvr.exe
    C:\WINDOWS\System32\wknky\ikrph.exe
    C:\WINDOWS\System32\jvtclcn\lxskf.exe
    C:\WINDOWS\System32\hleokaqi\bphc.exe
    C:\WINDOWS\System32\yiarby\quxi.exe
    C:\WINDOWS\System32\ufcqrlx\rrfys.exe
    C:\WINDOWS\System32\pddchqk\efsporxu.exe
    C:\WINDOWS\System32\mjena\kwrm.exe
    C:\WINDOWS\System32\eoipxho\xciqivkg.exe
    C:\WINDOWS\System32\omjolexe\ewkqtu.exe
    C:\WINDOWS\System32\icjh\hugkddi.exe
    C:\WINDOWS\System32\xvmjmogp\hbxghue.exe
    C:\WINDOWS\System32\girs\kefvmq.exe
    C:\WINDOWS\System32\xykekjhn\clxcfqil.exe
    C:\WINDOWS\System32\oxnpa\xhdbx.exe
    C:\WINDOWS\System32\hunus\swqo.exe
    C:\WINDOWS\System32\ojtmcbrq\vlhr.exe
    C:\WINDOWS\System32\ugxxu\abcyksxb.exe
    C:\WINDOWS\System32\iwutabvo\ouuuurh.exe
    C:\WINDOWS\System32\qxuhl\fhdbxlhu.exe
    C:\WINDOWS\System32\hvbm\ygpa.exe
    C:\WINDOWS\System32\nkipqae\qklukmgk.exe
    C:\WINDOWS\system\krxf.exe
    C:\WINDOWS\System32\gyhxprxy.exe
    c:\windows\system32\xhaqhmp.exe
    C:\WINDOWS\netun.exe


    Exit the Task Manager when finished.
  • Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gpoav.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpoav.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gpoav.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gpoav.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gpoav.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gpoav.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: Class - {538EEB8F-48F3-4823-CA19-09ED9EFBD83E} - C:\WINDOWS\iebr.dll
    O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
    O4 - HKLM\..\Run: [s] C:\WINDOWS\System32\qiidre.exe
    O4 - HKLM\..\Run: [THIS SETTINGS] C:\PROGRA~1\BLEHSIGN\sizespamseek.exe
    O4 - HKLM\..\Run: [NS4 = (document.layers) ? true : fa] c:\WINDOWS\System32\NS4 = (document.layers) ? true : false;
    O4 - HKLM\..\Run: [IE4plus = (document.all) ? true : fa] c:\WINDOWS\System32\IE4plus = (document.all) ? true : false;
    O4 - HKLM\..\Run: [NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:fa] c:\WINDOWS\System32\NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;
    O4 - HKLM\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;
    O4 - HKLM\..\Run: [ IEMajor = parseInt(navigator.appVersion.substring(start+5,en] c:\WINDOWS\System32\ IEMajor = parseInt(navigator.appVersion.substring(start+5,end));
    O4 - HKLM\..\Run: [var gSafeOnload = new Arra] c:\WINDOWS\System32\var gSafeOnload = new Array();
    O4 - HKLM\..\Run: [ if (IEmac && IE4) // IE 4.5 blows out on testing window.on] c:\WINDOWS\System32\ if (IEmac && IE4) // IE 4.5 blows out on testing window.onload
    O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
    O4 - HKLM\..\Run: [ if (window.onload != SafeOnl] c:\WINDOWS\System32\ if (window.onload != SafeOnload)
    O4 - HKLM\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
    O4 - HKLM\..\Run: [ window.onload ] c:\WINDOWS\System32\ window.onload = f;
    O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
    O4 - HKLM\..\Run: [ var checknum = parseInt(num] c:\WINDOWS\System32\ var checknum = parseInt(numIn);
    O4 - HKLM\..\Run: [function PUW_In] c:\WINDOWS\System32\function PUW_Init()
    O4 - HKLM\..\Run: [ var newWin = window.open(this.url,this.name,settin] c:\WINDOWS\System32\ var newWin = window.open(this.url,this.name,settings);
    O4 - HKLM\..\Run: [ window.focu] c:\WINDOWS\System32\ window.focus();
    O4 - HKLM\..\Run: [ var shouldShow = this.frequency !] c:\WINDOWS\System32\ var shouldShow = this.frequency != 0;
    O4 - HKLM\..\Run: [ end = allCookies.len] c:\WINDOWS\System32\ end = allCookies.length;
    O4 - HKLM\..\Run: [ if (isInt(freqS] c:\WINDOWS\System32\ if (isInt(freqStr))
    O4 - HKLM\..\Run: [ this.frequenc] c:\WINDOWS\System32\ this.frequency--;
    O4 - HKLM\..\Run: [ shouldShow = fa] c:\WINDOWS\System32\ shouldShow = false;
    O4 - HKLM\..\Run: [ exp.setTime(exp.getTime()+this.renew*60*60] c:\WINDOWS\System32\ exp.setTime(exp.getTime()+this.renew*60*6000);
    O4 - HKLM\..\Run: [function PopupWindow(url,width,hei] c:\WINDOWS\System32\function PopupWindow(url,width,height)
    O4 - HKLM\..\Run: [ this.height = hei] c:\WINDOWS\System32\ this.height = height;
    O4 - HKLM\..\Run: [ this.left = screen.availWidth/2 - width/2; // ce] c:\WINDOWS\System32\ this.left = screen.availWidth/2 - width/2; // center
    O4 - HKLM\..\Run: [ this.showDelay = 2] c:\WINDOWS\System32\ this.showDelay = 2000;
    O4 - HKLM\..\Run: [ this.renew = 1; // renew showing every x h] c:\WINDOWS\System32\ this.renew = 1; // renew showing every x hours
    O4 - HKLM\..\Run: [ this.toolbar= fa] c:\WINDOWS\System32\ this.toolbar= false;
    O4 - HKLM\..\Run: [ this.resizable = fa] c:\WINDOWS\System32\ this.resizable = false;
    O4 - HKLM\..\Run: [ this.menubar = fa] c:\WINDOWS\System32\ this.menubar = false;
    O4 - HKLM\..\Run: [ this.Init = PUW_I] c:\WINDOWS\System32\ this.Init = PUW_Init;
    O4 - HKLM\..\Run: [ this.CheckFrequency = PUW_CheckFreque] c:\WINDOWS\System32\ this.CheckFrequency = PUW_CheckFrequency;
    O4 - HKLM\..\Run: [ gPopupWindow.Ini] c:\WINDOWS\System32\ gPopupWindow.Init();
    O4 - HKLM\..\Run: [gPopupWindow.toolbar = fa] c:\WINDOWS\System32\gPopupWindow.toolbar = false;
    O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<Head>
    O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
    O4 - HKLM\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
    O4 - HKLM\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
    O4 - HKLM\..\Run: [if(!NN] c:\WINDOWS\System32\if(!NN4) {
    O4 - HKLM\..\Run: [} el] c:\WINDOWS\System32\} else {
    O4 - HKLM\..\Run: [</scr] c:\WINDOWS\System32\</script>
    O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body>
    O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
    O4 - HKLM\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
    O4 - HKLM\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
    O4 - HKLM\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);
    O4 - HKLM\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
    O4 - HKLM\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
    O4 - HKLM\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
    O4 - HKLM\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
    O4 - HKLM\..\Run: [}] c:\WINDOWS\System32\}
    O4 - HKLM\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
    O4 - HKLM\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
    O4 - HKLM\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
    O4 - HKLM\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
    O4 - HKLM\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
    O4 - HKLM\..\Run: [ Sea] c:\WINDOWS\System32\ Search:
    O4 - HKLM\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}
    O4 - HKLM\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0
    O4 - HKLM\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName
    O4 - HKLM\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()
    O4 - HKLM\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {
    O4 - HKLM\..\Run: [eA0HXAUx] C:\PROGRA~1\rvrtxr\uxvuwu.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [Ytfjgal] C:\Program Files\Qexyfkt\Erllkl.exe
    O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
    O4 - HKLM\..\Run: [aiat] C:\WINDOWS\System32\rmjwq\aiat.exe
    O4 - HKLM\..\Run: [cgeap] C:\WINDOWS\System32\epfc\cgeap.exe
    O4 - HKLM\..\Run: [xglshwp] C:\WINDOWS\System32\egtvms\xglshwp.exe
    O4 - HKLM\..\Run: [hshnin] C:\DOCUME~1\Owner\LOCALS~1\Temp\kdfkqs.exe
    O4 - HKLM\..\Run: [gnjap] C:\WINDOWS\System32\jnvnbgm\gnjap.exe
    O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\System32\psoft1.exe
    O4 - HKLM\..\Run: [AutoLoader3FwG1OWgKZaU] "C:\WINDOWS\System32\shlppdll.exe"
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteuzw32.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ivpnmz.exe
    O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
    O4 - HKLM\..\Run: [msgm32.exe] C:\WINDOWS\system32\msgm32.exe
    O4 - HKLM\..\Run: [basuo] C:\WINDOWS\System32\pmywha\basuo.exe
    O4 - HKLM\..\Run: [fockh] C:\WINDOWS\System32\cbmet\fockh.exe
    O4 - HKLM\..\Run: [oqvhuc] C:\WINDOWS\System32\oqleuyht\oqvhuc.exe
    O4 - HKLM\..\Run: [iwdj] C:\WINDOWS\System32\vsxka\iwdj.exe
    O4 - HKLM\..\Run: [nhyxjaij] C:\WINDOWS\System32\nghxaki\nhyxjaij.exe
    O4 - HKLM\..\Run: [mhthgd] C:\WINDOWS\System32\knpp\mhthgd.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
    O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\hsjjydx.exe
    O4 - HKLM\..\Run: [ikrph] C:\WINDOWS\System32\wknky\ikrph.exe
    O4 - HKLM\..\Run: [pupe] C:\WINDOWS\System32\ryiqupvj\pupe.exe
    O4 - HKLM\..\Run: [yyaxgmh] C:\WINDOWS\System32\fjje\yyaxgmh.exe
    O4 - HKLM\..\Run: [fydee] C:\WINDOWS\System32\mokewqej\fydee.exe
    O4 - HKLM\..\Run: [lecbg] C:\WINDOWS\System32\unobi\lecbg.exe
    O4 - HKLM\..\Run: [bphc] C:\WINDOWS\System32\hleokaqi\bphc.exe
    O4 - HKLM\..\Run: [mihg] C:\WINDOWS\System32\oxvj\mihg.exe
    O4 - HKLM\..\Run: [qmaknd] C:\WINDOWS\System32\dlpkf\qmaknd.exe
    O4 - HKLM\..\Run: [sjuadsi] C:\WINDOWS\System32\littnik\sjuadsi.exe
    O4 - HKLM\..\Run: [ihojjxce] C:\WINDOWS\System32\jlsiq\ihojjxce.exe
    O4 - HKLM\..\Run: [qmmcw] C:\WINDOWS\System32\bbsgmgq\qmmcw.exe
    O4 - HKLM\..\Run: [vgltjeme] c:\windows\system32\vgltjeme.exe
    O4 - HKLM\..\Run: [suvoacns] C:\WINDOWS\System32\sftuej\suvoacns.exe
    O4 - HKLM\..\Run: [tmsdbf] C:\WINDOWS\System32\ckevux\tmsdbf.exe
    O4 - HKLM\..\Run: [updimqc] C:\WINDOWS\System32\ytjggmcp\updimqc.exe
    O4 - HKLM\..\Run: [fjbutm] C:\WINDOWS\System32\bajwlanx\fjbutm.exe
    O4 - HKLM\..\Run: [scyienvw] C:\WINDOWS\System32\hxvora\scyienvw.exe
    O4 - HKLM\..\Run: [rrfys] C:\WINDOWS\System32\ufcqrlx\rrfys.exe
    O4 - HKLM\..\Run: [efsporxu] C:\WINDOWS\System32\pddchqk\efsporxu.exe
    O4 - HKLM\..\Run: [kwrm] C:\WINDOWS\System32\mjena\kwrm.exe
    O4 - HKLM\..\Run: [xciqivkg] C:\WINDOWS\System32\eoipxho\xciqivkg.exe
    O4 - HKLM\..\Run: [ycwkbl] C:\WINDOWS\System32\brvpieg\ycwkbl.exe
    O4 - HKLM\..\Run: [vburf] C:\WINDOWS\System32\ghttvrl\vburf.exe
    O4 - HKLM\..\Run: [qapty] C:\WINDOWS\System32\hiahu\qapty.exe
    O4 - HKLM\..\Run: [vdmo] C:\WINDOWS\System32\inbn\vdmo.exe
    O4 - HKLM\..\Run: [swmc] C:\WINDOWS\System32\bqtg\swmc.exe
    O4 - HKLM\..\Run: [vemhon] C:\WINDOWS\System32\fvwnrh\vemhon.exe
    O4 - HKLM\..\Run: [hugkddi] C:\WINDOWS\System32\icjh\hugkddi.exe
    O4 - HKLM\..\Run: [hbxghue] C:\WINDOWS\System32\xvmjmogp\hbxghue.exe
    O4 - HKLM\..\Run: [kefvmq] C:\WINDOWS\System32\girs\kefvmq.exe
    O4 - HKLM\..\Run: [clxcfqil] C:\WINDOWS\System32\xykekjhn\clxcfqil.exe
    O4 - HKLM\..\Run: [xhdbx] C:\WINDOWS\System32\oxnpa\xhdbx.exe
    O4 - HKLM\..\Run: [swqo] C:\WINDOWS\System32\hunus\swqo.exe
    O4 - HKLM\..\Run: [G3] C:\WINDOWS\System32\GSMedia3.exe
    O4 - HKLM\..\Run: [rfacgyn] C:\WINDOWS\System32\dcanmapm\rfacgyn.exe
    O4 - HKLM\..\Run: [pisgn] C:\WINDOWS\System32\egrmglfb\pisgn.exe
    O4 - HKLM\..\Run: [abcyksxb] C:\WINDOWS\System32\ugxxu\abcyksxb.exe
    O4 - HKLM\..\Run: [ouuuurh] C:\WINDOWS\System32\iwutabvo\ouuuurh.exe
    O4 - HKLM\..\Run: [fhdbxlhu] C:\WINDOWS\System32\qxuhl\fhdbxlhu.exe
    O4 - HKLM\..\Run: [ygpa] C:\WINDOWS\System32\hvbm\ygpa.exe
    O4 - HKLM\..\Run: [sxvwkt] C:\WINDOWS\System32\rgcmlusq\sxvwkt.exe
    O4 - HKLM\..\Run: [qklukmgk] C:\WINDOWS\System32\nkipqae\qklukmgk.exe
    O4 - HKLM\..\Run: [kkyumfc] C:\WINDOWS\System32\xhvvmpv\kkyumfc.exe
    O4 - HKLM\..\Run: [euuofbm] C:\WINDOWS\System32\cufmyo\euuofbm.exe
    O4 - HKLM\..\Run: [quxi] C:\WINDOWS\System32\yiarby\quxi.exe
    O4 - HKLM\..\Run: [lxskf] C:\WINDOWS\System32\jvtclcn\lxskf.exe
    O4 - HKLM\..\Run: [vlhr] C:\WINDOWS\System32\ojtmcbrq\vlhr.exe
    O4 - HKLM\..\Run: [eyjct] C:\WINDOWS\System32\jqatps\eyjct.exe
    O4 - HKLM\..\Run: [ewkqtu] C:\WINDOWS\System32\omjolexe\ewkqtu.exe
    O4 - HKLM\..\Run: [oxkfnam] c:\windows\system32\xhaqhmp.exe
    O4 - HKLM\..\RunOnce: [winoi.exe] C:\WINDOWS\system32\winoi.exe
    O4 - HKCU\..\Run: [NS4 = (document.layers) ? true : fa] c:\WINDOWS\System32\NS4 = (document.layers) ? true : false;
    O4 - HKCU\..\Run: [IE4plus = (document.all) ? true : fa] c:\WINDOWS\System32\IE4plus = (document.all) ? true : false;
    O4 - HKCU\..\Run: [NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:fa] c:\WINDOWS\System32\NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;
    O4 - HKCU\..\Run: [IEMajor ] c:\WINDOWS\System32\IEMajor = 0;
    O4 - HKCU\..\Run: [ IEMajor = parseInt(navigator.appVersion.substring(start+5,en] c:\WINDOWS\System32\ IEMajor = parseInt(navigator.appVersion.substring(start+5,end));
    O4 - HKCU\..\Run: [var gSafeOnload = new Arra] c:\WINDOWS\System32\var gSafeOnload = new Array();
    O4 - HKCU\..\Run: [ if (IEmac && IE4) // IE 4.5 blows out on testing window.on] c:\WINDOWS\System32\ if (IEmac && IE4) // IE 4.5 blows out on testing window.onload
    O4 - HKCU\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
    O4 - HKCU\..\Run: [ if (window.onload != SafeOnl] c:\WINDOWS\System32\ if (window.onload != SafeOnload)
    O4 - HKCU\..\Run: [ window.onload = SafeOnl] c:\WINDOWS\System32\ window.onload = SafeOnload;
    O4 - HKCU\..\Run: [ window.onload ] c:\WINDOWS\System32\ window.onload = f;
    O4 - HKCU\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
    O4 - HKCU\..\Run: [ var checknum = parseInt(num] c:\WINDOWS\System32\ var checknum = parseInt(numIn);
    O4 - HKCU\..\Run: [function PUW_In] c:\WINDOWS\System32\function PUW_Init()
    O4 - HKCU\..\Run: [ var newWin = window.open(this.url,this.name,settin] c:\WINDOWS\System32\ var newWin = window.open(this.url,this.name,settings);
    O4 - HKCU\..\Run: [ window.focu] c:\WINDOWS\System32\ window.focus();
    O4 - HKCU\..\Run: [ var shouldShow = this.frequency !] c:\WINDOWS\System32\ var shouldShow = this.frequency != 0;
    O4 - HKCU\..\Run: [ end = allCookies.len] c:\WINDOWS\System32\ end = allCookies.length;
    O4 - HKCU\..\Run: [ if (isInt(freqS] c:\WINDOWS\System32\ if (isInt(freqStr))
    O4 - HKCU\..\Run: [ this.frequenc] c:\WINDOWS\System32\ this.frequency--;
    O4 - HKCU\..\Run: [ shouldShow = fa] c:\WINDOWS\System32\ shouldShow = false;
    O4 - HKCU\..\Run: [ exp.setTime(exp.getTime()+this.renew*60*60] c:\WINDOWS\System32\ exp.setTime(exp.getTime()+this.renew*60*6000);
    O4 - HKCU\..\Run: [function PopupWindow(url,width,hei] c:\WINDOWS\System32\function PopupWindow(url,width,height)
    O4 - HKCU\..\Run: [ this.height = hei] c:\WINDOWS\System32\ this.height = height;
    O4 - HKCU\..\Run: [ this.left = screen.availWidth/2 - width/2; // ce] c:\WINDOWS\System32\ this.left = screen.availWidth/2 - width/2; // center
    O4 - HKCU\..\Run: [ this.showDelay = 2] c:\WINDOWS\System32\ this.showDelay = 2000;
    O4 - HKCU\..\Run: [ this.renew = 1; // renew showing every x h] c:\WINDOWS\System32\ this.renew = 1; // renew showing every x hours
    O4 - HKCU\..\Run: [ this.toolbar= fa] c:\WINDOWS\System32\ this.toolbar= false;
    O4 - HKCU\..\Run: [ this.resizable = fa] c:\WINDOWS\System32\ this.resizable = false;
    O4 - HKCU\..\Run: [ this.menubar = fa] c:\WINDOWS\System32\ this.menubar = false;
    O4 - HKCU\..\Run: [ this.Init = PUW_I] c:\WINDOWS\System32\ this.Init = PUW_Init;
    O4 - HKCU\..\Run: [ this.CheckFrequency = PUW_CheckFreque] c:\WINDOWS\System32\ this.CheckFrequency = PUW_CheckFrequency;
    O4 - HKCU\..\Run: [ gPopupWindow.Ini] c:\WINDOWS\System32\ gPopupWindow.Init();
    O4 - HKCU\..\Run: [gPopupWindow.toolbar = fa] c:\WINDOWS\System32\gPopupWindow.toolbar = false;
    O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<Head>
    O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
    O4 - HKCU\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
    O4 - HKCU\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
    O4 - HKCU\..\Run: [if(!NN] c:\WINDOWS\System32\if(!NN4) {
    O4 - HKCU\..\Run: [} el] c:\WINDOWS\System32\} else {
    O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
    O4 - HKCU\..\Run: [</b] c:\WINDOWS\System32\</body>
    O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
    O4 - HKCU\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
    O4 - HKCU\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
    O4 - HKCU\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 365);
    O4 - HKCU\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
    O4 - HKCU\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
    O4 - HKCU\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
    O4 - HKCU\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
    O4 - HKCU\..\Run: [}] c:\WINDOWS\System32\}
    O4 - HKCU\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
    O4 - HKCU\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
    O4 - HKCU\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
    O4 - HKCU\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
    O4 - HKCU\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
    O4 - HKCU\..\Run: [ Sea] c:\WINDOWS\System32\ Search:
    O4 - HKCU\..\Run: [ else {c=screen.pixelDe] c:\WINDOWS\System32\ else {c=screen.pixelDepth}
    O4 - HKCU\..\Run: [ NS2] c:\WINDOWS\System32\ NS2Ch=0
    O4 - HKCU\..\Run: [s=screen.width;v=navigator.app] c:\WINDOWS\System32\s=screen.width;v=navigator.appName
    O4 - HKCU\..\Run: [j=navigator.javaEnabl] c:\WINDOWS\System32\j=navigator.javaEnabled()
    O4 - HKCU\..\Run: [if (NS2Ch == ] c:\WINDOWS\System32\if (NS2Ch == 0) {
    O4 - HKCU\..\Run: [IBwmRQHqR] gyhxprxy.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
    O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0029.exe
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javacb.exe" /s (file missing)
    O23 - Service: cgeapepfc - Unknown owner - C:\WINDOWS\System32\epfc\cgeap.exe
    O23 - Service: euuofbmcufmyo - Unknown owner - C:\WINDOWS\System32\cufmyo\euuofbm.exe
    O23 - Service: greenstdSystem32 - Unknown owner - C:\WINDOWS\System32\greenstd.exe (file missing)
    O23 - Service: ihojjxcejlsiq - Unknown owner - C:\WINDOWS\System32\jlsiq\ihojjxce.exe
    O23 - Service: kkyumfcxhvvmpv - Unknown owner - C:\WINDOWS\System32\xhvvmpv\kkyumfc.exe
    O23 - Service: occxuyoi - Unknown owner - C:\WINDOWS\System32\uyoi\occx.exe (file missing)
    O23 - Service: oqvhucoqleuyht - Unknown owner - C:\WINDOWS\System32\oqleuyht\oqvhuc.exe
    O23 - Service: ovekyvhxcffaqksm - Unknown owner - C:\WINDOWS\System32\cffaqksm\ovekyvhx.exe (file missing)
    O23 - Service: pisgnegrmglfb - Unknown owner - C:\WINDOWS\System32\egrmglfb\pisgn.exe
    O23 - Service: qaptyhiahu - Unknown owner - C:\WINDOWS\System32\hiahu\qapty.exe
    O23 - Service: qmaknddlpkf - Unknown owner - C:\WINDOWS\System32\dlpkf\qmaknd.exe
    O23 - Service: rfacgyndcanmapm - Unknown owner - C:\WINDOWS\System32\dcanmapm\rfacgyn.exe
    O23 - Service: scyienvwhxvora - Unknown owner - C:\WINDOWS\System32\hxvora\scyienvw.exe
    O23 - Service: suvoacnssftuej - Unknown owner - C:\WINDOWS\System32\sftuej\suvoacns.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: tmsdbfckevux - Unknown owner - C:\WINDOWS\System32\ckevux\tmsdbf.exe
    O23 - Service: vburfghttvrl - Unknown owner - C:\WINDOWS\System32\ghttvrl\vburf.exe
    O23 - Service: vdmoinbn - Unknown owner - C:\WINDOWS\System32\inbn\vdmo.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: ycwkblbrvpieg - Unknown owner - C:\WINDOWS\System32\brvpieg\ycwkbl.exe
    O23 - Service: yyaxgmhfjje - Unknown owner - C:\WINDOWS\System32\fjje\yyaxgmh.exe
    O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe


    Click on Fix Checked when finished and exit HijackThis.
  • Stay in Safe Mode: please

    Using Windows Explorer, locate the following files/folders, and delete them:

    C:\WINDOWS\System32\cufmyo\euuofbm.exe
    C:\WINDOWS\System32\xhvvmpv\kkyumfc.exe
    C:\PROGRA~1\BLEHSIGN\sizespamseek.exe
    C:\Program Files\Qexyfkt\Erllkl.exe
    C:\WINDOWS\System32\ivpnmz.exe
    C:\WINDOWS\System32\scrsvc.exe
    C:\WINDOWS\system32\msgm32.exe
    C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    C:\WINDOWS\System32\picsvr\picsvr.exe
    C:\WINDOWS\System32\wknky\ikrph.exe
    C:\WINDOWS\System32\jvtclcn\lxskf.exe
    C:\WINDOWS\System32\hleokaqi\bphc.exe
    C:\WINDOWS\System32\yiarby\quxi.exe
    C:\WINDOWS\System32\ufcqrlx\rrfys.exe
    C:\WINDOWS\System32\pddchqk\efsporxu.exe
    C:\WINDOWS\System32\mjena\kwrm.exe
    C:\WINDOWS\System32\eoipxho\xciqivkg.exe
    C:\WINDOWS\System32\omjolexe\ewkqtu.exe
    C:\WINDOWS\System32\icjh\hugkddi.exe
    C:\WINDOWS\System32\xvmjmogp\hbxghue.exe
    C:\WINDOWS\System32\girs\kefvmq.exe
    C:\WINDOWS\System32\xykekjhn\clxcfqil.exe
    C:\WINDOWS\System32\oxnpa\xhdbx.exe
    C:\WINDOWS\System32\hunus\swqo.exe
    C:\WINDOWS\System32\ojtmcbrq\vlhr.exe
    C:\WINDOWS\System32\ugxxu\abcyksxb.exe
    C:\WINDOWS\System32\iwutabvo\ouuuurh.exe
    C:\WINDOWS\System32\qxuhl\fhdbxlhu.exe
    C:\WINDOWS\System32\hvbm\ygpa.exe
    C:\WINDOWS\System32\nkipqae\qklukmgk.exe
    C:\WINDOWS\system\krxf.exe
    C:\WINDOWS\System32\gyhxprxy.exe
    c:\windows\system32\xhaqhmp.exe
    C:\WINDOWS\netun.exe
    C:\WINDOWS\gpoav.dll
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\iebr.dll
    c:\program files\winfavorites\WinFavorites.exe1
    C:\WINDOWS\System32\qiidre.exe
    C:\PROGRA~1\rvrtxr\uxvuwu.exe
    C:\Program Files\webHancer\Programs\whSurvey.exe
    C:\WINDOWS\System32\pacis.exe
    C:\WINDOWS\System32\rmjwq\aiat.exe
    C:\WINDOWS\System32\epfc\cgeap.exe
    C:\WINDOWS\System32\egtvms\xglshwp.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\kdfkqs.exe
    C:\WINDOWS\System32\jnvnbgm\gnjap.exe
    C:\WINDOWS\System32\psoft1.exe
    C:\WINDOWS\System32\shlppdll.exe
    C:\windows\system32\eliteuzw32.exe
    C:\WINDOWS\System32\pmywha\basuo.exe
    C:\WINDOWS\System32\cbmet\fockh.exe
    C:\WINDOWS\System32\oqleuyht\oqvhuc.exe
    C:\WINDOWS\System32\vsxka\iwdj.exe
    C:\WINDOWS\System32\nghxaki\nhyxjaij.exe
    C:\WINDOWS\System32\knpp\mhthgd.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\hsjjydx.exe
    C:\WINDOWS\System32\ryiqupvj\pupe.exe
    C:\WINDOWS\System32\fjje\yyaxgmh.exe
    C:\WINDOWS\System32\mokewqej\fydee.exe
    C:\WINDOWS\System32\unobi\lecbg.exe
    C:\WINDOWS\System32\oxvj\mihg.exe
    C:\WINDOWS\System32\dlpkf\qmaknd.exe
    C:\WINDOWS\System32\littnik\sjuadsi.exe
    C:\WINDOWS\System32\jlsiq\ihojjxce.exe
    C:\WINDOWS\System32\bbsgmgq\qmmcw.exe
    c:\windows\system32\vgltjeme.exe
    C:\WINDOWS\System32\sftuej\suvoacns.exe
    C:\WINDOWS\System32\ckevux\tmsdbf.exe
    C:\WINDOWS\System32\ytjggmcp\updimqc.exe
    C:\WINDOWS\System32\bajwlanx\fjbutm.exe
    C:\WINDOWS\System32\hxvora\scyienvw.exe
    C:\WINDOWS\System32\brvpieg\ycwkbl.exe
    C:\WINDOWS\System32\ghttvrl\vburf.exe
    C:\WINDOWS\System32\hiahu\qapty.exe
    C:\WINDOWS\System32\inbn\vdmo.exe
    C:\WINDOWS\System32\bqtg\swmc.exe
    C:\WINDOWS\System32\fvwnrh\vemhon.exe
    C:\WINDOWS\System32\GSMedia3.exe
    C:\WINDOWS\System32\dcanmapm\rfacgyn.exe
    C:\WINDOWS\System32\egrmglfb\pisgn.exe
    C:\WINDOWS\System32\rgcmlusq\sxvwkt.exe
    C:\WINDOWS\System32\jqatps\eyjct.exe
    C:\WINDOWS\system32\winoi.exe
    C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    C:\WINDOWS\System32\uyoi\occx.exe
    C:\WINDOWS\System32\cffaqksm\ovekyvhx.exe
    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\System32\ckevux\tmsdbf.exe
    C:\WINDOWS\System32\ghttvrl\vburf.exe
    C:\WINDOWS\System32\inbn\vdmo.exe
    C:\WINDOWS\System32\brvpieg\ycwkbl.exe
    C:\WINDOWS\System32\fjje\yyaxgmh.exe


    Exit Explorer, and reboot as normal afterwards.


The following step is important as you may have several malware files in your temp directories.

Then browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Window\Temp folder and delete all files and folders in it.
Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.

Scan with Adaware by opening it and clicking the "Next" button to start the scan.

When the scan is completed the Performing System Scan screen will change name to "Scan Complete".

Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.

Click the Critical Objects tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you to websites. However, you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted, as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.

To fix all the bad critical objects do the following:

Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries.

When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.

Now reboot, run HijackThis again and post a fresh log along with the AboutBuster and Ewido logs. :)
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
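A script that carries out the file, temp-folder and hosts-file steps from the post above in one pass, as an added example that is not part of the original post or of any MalwareRemoval.com tool. It assumes PowerShell 2.0 or later is installed on the XP machine (it was not shipped with XP), that it runs from an administrator account, and that C:\Quarantine is an acceptable place to park the removed files. It moves the listed files into quarantine after hashing them rather than deleting them, so a sample survives if the helper later wants it analysed, and it reports hosts-file entries separately as loopback blocks (normally kept) or redirects to other addresses (to be checked before keeping).

```powershell
# Added example (not from the original post). Assumptions: PowerShell 2.0+ on XP,
# run as an administrator, C:\Quarantine as the holding folder.
$quarantine = 'C:\Quarantine'
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null

# The first few paths from the fix list above; add the remaining entries here.
$targets = @(
    'C:\WINDOWS\System32\hiahu\qapty.exe',
    'C:\WINDOWS\System32\inbn\vdmo.exe',
    'C:\WINDOWS\System32\GSMedia3.exe',
    'C:\WINDOWS\system32\winoi.exe',
    'C:\WINDOWS\svcproc.exe'
)

$sha = [System.Security.Cryptography.SHA256]::Create()
foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Output "absent    $path"; continue }
    try {
        # Hash before moving so the sample can be identified even if it is later deleted.
        $stream = [System.IO.File]::OpenRead($path)
        $hash = [BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '')
        $stream.Close()
        # Flatten the full path into the file name so two files called vdmo.exe cannot collide.
        $dest = Join-Path $quarantine (($path -replace '[:\\]', '_') + '.quarantined')
        Move-Item -LiteralPath $path -Destination $dest -Force
        Write-Output "moved     $path  sha256=$hash"
    } catch {
        # A file still held open by a running process cannot be moved; note it and
        # return to that entry after the reboot the post calls for.
        Write-Output "locked    $path  ($($_.Exception.Message))"
    }
}

# Temp folders: C:\WINDOWS\Temp plus Local Settings\Temp under every profile.
$tempDirs = @('C:\WINDOWS\Temp')
Get-ChildItem -LiteralPath 'C:\Documents and Settings' -Force |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { $tempDirs += Join-Path $_.FullName 'Local Settings\Temp' }
foreach ($dir in $tempDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $items = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue)
    $items | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    Write-Output ("cleaned   {0}  ({1} items)" -f $dir, $items.Count)
}

# Hosts file: a name mapped to 127.0.0.1 (or 0.0.0.0) is a block and usually harmless;
# a name mapped anywhere else is a redirect and deserves a look before it is kept.
$hosts = 'C:\WINDOWS\system32\drivers\etc\hosts'
foreach ($line in Get-Content -LiteralPath $hosts) {
    $entry = ($line -split '#')[0].Trim()          # strip comments and blank lines
    if ($entry -eq '') { continue }
    $parts = $entry -split '\s+'
    if ($parts.Length -lt 2) { continue }          # malformed line, nothing to classify
    $ip = $parts[0]
    $names = $parts[1..($parts.Length - 1)] -join ' '
    if ($ip -eq '127.0.0.1' -or $ip -eq '0.0.0.0') {
        if ($names -eq 'localhost') { continue }   # the one entry every hosts file carries
        Write-Output "block     $names -> $ip"
    } else {
        Write-Output "REDIRECT  $names -> $ip   (check before keeping)"
    }
}
```

The Internet Explorer cache step is left to the Tools > Internet Options dialog as the post describes; on IE6 the index.dat files under Temporary Internet Files stay locked while the browser is open, so the GUI path is the reliable one. Lines marked "locked" are the ones to revisit after the reboot, and any "REDIRECT" line naming an update or antivirus site is the kind of hosts entry the post warns about.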

Post by theglobal » May 9th, 2005, 1:37 am

I have access to an updated Ad-Aware SE Personal. I could not locate Ad-Aware Second Edition. Do you think the Ad-Aware SE Personal will do?
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Post by ChrisRLG » May 9th, 2005, 3:56 am

They are one and the same Second Edition.

One is the short name for the other.
ChrisRLG

Post by ChrisRLG » May 20th, 2005, 3:18 pm

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG