Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.
Hijack This Log

Unread postby theglobal » May 22nd, 2005, 9:20 pm

Chris,

I started a topic, but was away for several days, and it expired. This is a post of the most recent Hijack This file. One thought with respect to the previous post: I ran remove.bat, CWSSERVICEREMOVE, About Buster, Ad-Aware SE, CWShredder and Ewido. Ewido crashed twice after running an hour or so. So, I guess we can start fresh.

Thanks!
Mike


Logfile of HijackThis v1.99.1
Scan saved at 6:52:40 PM, on 5/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\qjdt\xcrkvu.exe
C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
C:\WINDOWS\System32\bhohktor\odihfl.exe
C:\WINDOWS\System32\eejyvmnd\xnllgwgh.exe
C:\WINDOWS\System32\dsso\sqtnm.exe
C:\WINDOWS\System32\jimi\rcyjii.exe
C:\WINDOWS\System32\jcplxih\mwtugl.exe
C:\WINDOWS\System32\mgft\pjubdprf.exe
C:\WINDOWS\System32\onwvixlj\rlqka.exe
C:\WINDOWS\System32\kpphqn\fdqy.exe
C:\WINDOWS\System32\pwxkysx\qalkc.exe
C:\WINDOWS\System32\kevxy\vpnogrfg.exe
C:\WINDOWS\System32\hctycvyj\ovyft.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\nwxdmhx\rxlg.exe
C:\WINDOWS\System32\iduvfc\ldkgco.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
C:\WINDOWS\System32\kgxpv\xqpyix.exe
C:\WINDOWS\System32\jffrknf\twehfrag.exe
C:\WINDOWS\System32\dbdexge\vropfh.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\ywrfy\demvb.exe
C:\WINDOWS\System32\haxjkjf\lpxjns.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINDOWS\System32\fejlai\fcykrqae.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\otqyprha\aiyygr.exe
C:\WINDOWS\System32\aqwf\keqfe.exe
C:\WINDOWS\System32\mdcsar\quknrc.exe
C:\WINDOWS\System32\cdocmugl\jehddo.exe
C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
C:\WINDOWS\System32\pafpk\ihdqj.exe
C:\WINDOWS\System32\pirs\rnlt.exe
C:\WINDOWS\System32\bqclh\vysma.exe
C:\WINDOWS\System32\xgfbnlo\rtdbk.exe
C:\WINDOWS\System32\uvknmz.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\fbaceoar\qqeqw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {58359010-BF36-11D3-99A2-0050DA2EE1BE} - (no file)
O2 - BHO: (no name) - {83387907-50A3-C7D5-A44C-1FF0C613BD91} - C:\WINDOWS\System32\kfciynaf\hopwoisr.dll
O2 - BHO: Class - {FF3BB3EB-9FF6-0CC2-8A43-6DD043FE9317} - C:\WINDOWS\mslo32.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\pbsuthd.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [sjkp] C:\WINDOWS\System32\oxsaynow\sjkp.exe
O4 - HKLM\..\Run: [ntmcq] C:\WINDOWS\System32\moqsgf\ntmcq.exe
O4 - HKLM\..\Run: [jtutu] C:\WINDOWS\System32\ybuxb\jtutu.exe
O4 - HKLM\..\Run: [hshatpb] C:\WINDOWS\System32\qboa\hshatpb.exe
O4 - HKLM\..\Run: [evrad] C:\WINDOWS\System32\ynuul\evrad.exe
O4 - HKLM\..\Run: [wsagu] C:\WINDOWS\System32\hahm\wsagu.exe
O4 - HKLM\..\Run: [mhxo] C:\WINDOWS\System32\tlmtptg\mhxo.exe
O4 - HKLM\..\Run: [mefc] C:\WINDOWS\System32\yojsco\mefc.exe
O4 - HKLM\..\Run: [rgif] C:\WINDOWS\System32\hxrkgr\rgif.exe
O4 - HKLM\..\Run: [xcrkvu] C:\WINDOWS\System32\qjdt\xcrkvu.exe
O4 - HKLM\..\Run: [odihfl] C:\WINDOWS\System32\bhohktor\odihfl.exe
O4 - HKLM\..\Run: [oocdnjj] C:\WINDOWS\System32\bpapj\oocdnjj.exe
O4 - HKLM\..\Run: [doupdxwv] C:\WINDOWS\System32\chvuxco\doupdxwv.exe
O4 - HKLM\..\Run: [eimn] C:\WINDOWS\System32\iocotj\eimn.exe
O4 - HKLM\..\Run: [phvxbd] C:\WINDOWS\System32\pxdx\phvxbd.exe
O4 - HKLM\..\Run: [yqxjee] C:\WINDOWS\System32\xjwsh\yqxjee.exe
O4 - HKLM\..\Run: [ZMFGXAox] C:\PROGRA~1\wutorsr\pvptqr.exe
O4 - HKLM\..\Run: [vhodigq] C:\WINDOWS\System32\pwjrjuqe\vhodigq.exe
O4 - HKLM\..\Run: [qivgboox] C:\WINDOWS\System32\fnxfp\qivgboox.exe
O4 - HKLM\..\Run: [mwtugl] C:\WINDOWS\System32\jcplxih\mwtugl.exe
O4 - HKLM\..\Run: [pjubdprf] C:\WINDOWS\System32\mgft\pjubdprf.exe
O4 - HKLM\..\Run: [rlqka] C:\WINDOWS\System32\onwvixlj\rlqka.exe
O4 - HKLM\..\Run: [cexawejh] C:\WINDOWS\System32\amdhfp\cexawejh.exe
O4 - HKLM\..\Run: [reiu] C:\WINDOWS\System32\yslecioe\reiu.exe
O4 - HKLM\..\Run: [klqf] C:\WINDOWS\System32\kaxkgh\klqf.exe
O4 - HKLM\..\Run: [fdqy] C:\WINDOWS\System32\kpphqn\fdqy.exe
O4 - HKLM\..\Run: [ckbu] C:\WINDOWS\System32\ankjifjj\ckbu.exe
O4 - HKLM\..\Run: [qalkc] C:\WINDOWS\System32\pwxkysx\qalkc.exe
O4 - HKLM\..\Run: [vpnogrfg] C:\WINDOWS\System32\kevxy\vpnogrfg.exe
O4 - HKLM\..\Run: [dcejfgtk] C:\WINDOWS\System32\epvnb\dcejfgtk.exe
O4 - HKLM\..\Run: [ntqjhb] C:\WINDOWS\System32\wvaqvd\ntqjhb.exe
O4 - HKLM\..\Run: [rjctdjfj] C:\WINDOWS\System32\wmjsvgnj\rjctdjfj.exe
O4 - HKLM\..\Run: [nruewxrl] C:\WINDOWS\System32\bqwhyme\nruewxrl.exe
O4 - HKLM\..\Run: [ovyft] C:\WINDOWS\System32\hctycvyj\ovyft.exe
O4 - HKLM\..\Run: [rxlg] C:\WINDOWS\System32\nwxdmhx\rxlg.exe
O4 - HKLM\..\Run: [ldkgco] C:\WINDOWS\System32\iduvfc\ldkgco.exe
O4 - HKLM\..\Run: [xbhgbw] C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
O4 - HKLM\..\Run: [xqpyix] C:\WINDOWS\System32\kgxpv\xqpyix.exe
O4 - HKLM\..\Run: [cdpbfu] C:\WINDOWS\System32\eypo\cdpbfu.exe
O4 - HKLM\..\Run: [twehfrag] C:\WINDOWS\System32\jffrknf\twehfrag.exe
O4 - HKLM\..\Run: [vropfh] C:\WINDOWS\System32\dbdexge\vropfh.exe
O4 - HKLM\..\Run: [eyytvw] C:\WINDOWS\System32\jelmu\eyytvw.exe
O4 - HKLM\..\Run: [smrr] C:\WINDOWS\System32\vwwskbjg\smrr.exe
O4 - HKLM\..\Run: [yvay] C:\WINDOWS\System32\anfpsx\yvay.exe
O4 - HKLM\..\Run: [lpxjns] C:\WINDOWS\System32\haxjkjf\lpxjns.exe
O4 - HKLM\..\Run: [fcykrqae] C:\WINDOWS\System32\fejlai\fcykrqae.exe
O4 - HKLM\..\Run: [hiujt] C:\WINDOWS\System32\nucy\hiujt.exe
O4 - HKLM\..\Run: [jyumtrt] C:\WINDOWS\System32\tsjbins\jyumtrt.exe
O4 - HKLM\..\Run: [aiyygr] C:\WINDOWS\System32\otqyprha\aiyygr.exe
O4 - HKLM\..\Run: [keqfe] C:\WINDOWS\System32\aqwf\keqfe.exe
O4 - HKLM\..\Run: [quknrc] C:\WINDOWS\System32\mdcsar\quknrc.exe
O4 - HKLM\..\Run: [jehddo] C:\WINDOWS\System32\cdocmugl\jehddo.exe
O4 - HKLM\..\Run: [xnllgwgh] C:\WINDOWS\System32\eejyvmnd\xnllgwgh.exe
O4 - HKLM\..\Run: [sqtnm] C:\WINDOWS\System32\dsso\sqtnm.exe
O4 - HKLM\..\Run: [rcyjii] C:\WINDOWS\System32\jimi\rcyjii.exe
O4 - HKLM\..\Run: [qqeqw] C:\WINDOWS\System32\fbaceoar\qqeqw.exe
O4 - HKLM\..\Run: [oqpkn] C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
O4 - HKLM\..\Run: [ihdqj] C:\WINDOWS\System32\pafpk\ihdqj.exe
O4 - HKLM\..\Run: [rnlt] C:\WINDOWS\System32\pirs\rnlt.exe
O4 - HKLM\..\Run: [vysma] C:\WINDOWS\System32\bqclh\vysma.exe
O4 - HKLM\..\Run: [gvoktn] C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
O4 - HKLM\..\Run: [demvb] C:\WINDOWS\System32\ywrfy\demvb.exe
O4 - HKLM\..\Run: [rtdbk] C:\WINDOWS\System32\xgfbnlo\rtdbk.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\uvknmz.exe reg_run
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKCU\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Adaware Bootup] C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://E:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: cexawejhamdhfp - Unknown owner - C:\WINDOWS\System32\amdhfp\cexawejh.exe
O23 - Service: dcejfgtkepvnb - Unknown owner - C:\WINDOWS\System32\epvnb\dcejfgtk.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: demvbywrfy - Unknown owner - C:\WINDOWS\System32\ywrfy\demvb.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: eimniocotj - Unknown owner - C:\WINDOWS\System32\iocotj\eimn.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: eyytvwjelmu - Unknown owner - C:\WINDOWS\System32\jelmu\eyytvw.exe
O23 - Service: gsmnyflklrhrlo - Unknown owner - C:\WINDOWS\System32\lrhrlo\gsmnyflk.exe
O23 - Service: hiujtnucy - Unknown owner - C:\WINDOWS\System32\nucy\hiujt.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: klqfkaxkgh - Unknown owner - C:\WINDOWS\System32\kaxkgh\klqf.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: nruewxrlbqwhyme - Unknown owner - C:\WINDOWS\System32\bqwhyme\nruewxrl.exe
O23 - Service: ntmcqmoqsgf - Unknown owner - C:\WINDOWS\System32\moqsgf\ntmcq.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: oocdnjjbpapj - Unknown owner - C:\WINDOWS\System32\bpapj\oocdnjj.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: qqeqwfbaceoar - Unknown owner - C:\WINDOWS\System32\fbaceoar\qqeqw.exe
O23 - Service: smrrvwwskbjg - Unknown owner - C:\WINDOWS\System32\vwwskbjg\smrr.exe
O23 - Service: vhodigqpwjrjuqe - Unknown owner - C:\WINDOWS\System32\pwjrjuqe\vhodigq.exe
O23 - Service: vnymjxlqxqbfxv - Unknown owner - C:\WINDOWS\System32\qxqbfxv\vnymjxl.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Re: Hijack This Log

Unread postby Perculator » May 23rd, 2005, 11:57 am

I will take a look at your log and reply as soon as possible
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Re: Hijack This Log

Unread postby Perculator » May 23rd, 2005, 7:14 pm

Ok, I got some good news and some bad news.

The bad news is you got the Narrator infection; the good news is... we will work it out.
This infection will need to be done in a few steps, and this is the first one.


Please download FindQoologic from here:
http://forums.net-integration.net/index ... &id=134981
Save it to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

FindQoologic Log

Unread postby theglobal » May 23rd, 2005, 10:59 pm

Perculator - Here's the FindQoologic log. I appreciate your help!

-----------------------------------------------------------------------------------


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
<NO NAME> REG_SZ {BDA77241-42F6-11d0-85E2-00AA001FE28C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mfnqtymg
<NO NAME> REG_SZ {dfa6727e-625b-4b67-a9e9-10f185c2627f}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Re: FindQoologic Log

Unread postby Perculator » May 24th, 2005, 6:09 am

I recommend you print this advice. In safe mode you will not have this page available.



***
I saw the Ewido scan is still on your computer; we're using that later. It is very important to update the Ewido scan.
Update it now!!!
If you don't have it anymore:

Download Ewido scan and update it.


***
Hi, first we're going to do the most important thing of this, and that's stopping some services. Without this part, the fix won't work at all.


***
Please do exactly as told in the given order.

Go to Start > Run and type: services.msc and click OK

-Click Start>Run and type in: services.msc
-Click OK
-In the Services window find: vnymjxlqxqbfxv
-Select/highlight and right click the entry, and choose: Properties
-On the General tab, under Service Status click the Stop button
-Beside: Startup Type, in the drop menu, select: Disabled
-Click Apply, then OK

Repeat this for the following processes, don't forget one:

vhodigqpwjrjuqe
smrrvwwskbjg
qqeqwfbaceoar
oocdnjjbpapj
ntmcqmoqsgf
nruewxrlbqwhyme
klqfkaxkgh
hiujtnucy
gsmnyflklrhrlo
eyytvwjelmu
eimniocotj
demvbywrfy
dcejfgtkepvnb
cexawejhamdhfp

Close this window now.

Open HijackThis to the Misc Tools section and click the Delete an NT Service button. Paste in vhodigqpwjrjuqe and click OK.
Repeat that for the following and again, don't miss one!!!
smrrvwwskbjg
qqeqwfbaceoar
oocdnjjbpapj
ntmcqmoqsgf
nruewxrlbqwhyme
klqfkaxkgh
hiujtnucy
gsmnyflklrhrlo
eyytvwjelmu
eimniocotj
demvbywrfy
dcejfgtkepvnb
cexawejhamdhfp


Restart your computer in safe mode!!!
    *Restart the computer.
    *As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears (a black and white screen).
    *Use the arrow keys to select the Safe mode menu item
    *press Enter.




***

Now run the Ewido scan and save the log it created, because you will need it in your answer.



***
Now restart the computer in normal mode



***
Run HijackThis and place a fresh log on this board together with the Ewido scan log.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands
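As an added example (my own code, not HijackThis and not written by anyone in this thread), the script below does in code what the helper did by eye on the log above and then in the Services console: it parses the O1/O2/O4/O23 line formats HijackThis 1.99.1 prints, flags the patterns that mark the rogue entries (a letters-only folder directly under System32 holding a letters-only .exe, autostarts from a Temp directory, O23 services with "Unknown owner", entries whose file is missing, a hosts override), and turns the flagged O23 services into the same ordered sequence as the steps above: stop, set to Disabled, delete. It also checks a fix list against the log, since a later reply in this thread warns about trying to fix things that are not there. The sample lines are copied from the first log posted above plus three legitimate entries; the heuristics, regexes and function names are my own assumptions. The script only prints a plan; it never calls sc.exe or touches the registry.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the first log posted above, plus three
# legitimate entries (vptray, DefWatch, Norton) the heuristics must leave alone.
SAMPLE_LOG = r"""
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: Class - {FF3BB3EB-9FF6-0CC2-8A43-6DD043FE9317} - C:\WINDOWS\mslo32.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\pbsuthd.exe
O4 - HKLM\..\Run: [sjkp] C:\WINDOWS\System32\oxsaynow\sjkp.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: cexawejhamdhfp - Unknown owner - C:\WINDOWS\System32\amdhfp\cexawejh.exe
O23 - Service: vnymjxlqxqbfxv - Unknown owner - C:\WINDOWS\System32\qxqbfxv\vnymjxl.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<path>.+)$")
# O23 prints "Display Name (KeyName)" when the two differ; sc.exe wants the key.
O23_RE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
# Letters-only folder directly under System32 holding a letters-only .exe: the
# shape of every "Unknown owner" service in the log. Genuine System32 subtrees
# such as spool\drivers\w32x86\3 are deeper and do not match.
RANDOM_SYS32_RE = re.compile(r"\\System32\\[a-z]+\\[a-z]+\.exe$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
MISSING = " (file missing)"

@dataclass
class Finding:
    section: str
    name: str
    path: str
    key: Optional[str] = None            # service key name, O23 only
    reasons: List[str] = field(default_factory=list)

def _split_missing(path):
    """HijackThis appends ' (file missing)' to orphaned entries."""
    if path.endswith(MISSING):
        return path[:-len(MISSING)], True
    return path, False

def triage(log_text):
    """Return the entries that trip at least one heuristic, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        name, path, key, reasons = "", "", None, []
        if section == "O1":
            name, path = "hosts", body
            reasons.append("hosts file override")
        elif section == "O2" and (m2 := O2_RE.match(body)):
            name = m2.group("name")
            path, missing = _split_missing(m2.group("path"))
            if missing:
                reasons.append("orphaned BHO entry (file missing)")
        elif section == "O4" and (m4 := O4_RE.match(body)):
            name, path = m4.group("name"), m4.group("path")
        elif section == "O23" and (m23 := O23_RE.match(body)):
            name = m23.group("display")
            key = m23.group("key") or name
            path, missing = _split_missing(m23.group("path"))
            if m23.group("owner") == "Unknown owner":
                reasons.append("service with no vendor string")
            if missing:
                reasons.append("service binary missing")
        else:
            continue
        if RANDOM_SYS32_RE.search(path):
            reasons.append("binary in randomly named System32 subfolder")
        if TEMP_RE.search(path):
            reasons.append("autostart from a Temp directory")
        if reasons:
            findings.append(Finding(section, name, path, key, reasons))
    return findings

def service_keys(findings):
    return [f.key for f in findings if f.section == "O23"]

def remediation_plan(keys):
    """Same order as the Services-console steps: stop, set Disabled, delete.
    sc.exe needs the space after 'start='. This is printed for review, not run."""
    plan = []
    for key in keys:
        q = f'"{key}"' if " " in key else key
        plan += [f"sc stop {q}", f"sc config {q} start= disabled", f"sc delete {q}"]
    return plan

def services_in_log(log_text):
    """Every O23 key name in the log, flagged or not."""
    keys = set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group("section") == "O23" and (m23 := O23_RE.match(m.group("body"))):
            keys.add(m23.group("key") or m23.group("display"))
    return keys

def missing_from_log(instructed, log_text):
    """Names on a fix list that the log never shows: fixing things that are not there."""
    return sorted(set(instructed) - services_in_log(log_text))

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section} [{f.name}] {f.path}\n    " + "; ".join(f.reasons))
    print("\n".join(remediation_plan(service_keys(hits))))
    print("not in log:", missing_from_log(["vnymjxlqxqbfxv", "smrrvwwskbjg"], SAMPLE_LOG))
```

Run it as a plain script, or point `triage()` at a whole pasted log. On the sample it flags the hosts line, the orphaned BHO, the two suspicious O4 autostarts and the two "Unknown owner" services, leaves vptray, DefWatch and Norton alone, and emits six sc.exe commands for the two services. The heuristics are deliberately narrow so that a human still reads the output: the "(file missing)" service in the sample is one the console steps above cannot stop, which is why the delete step follows rather than replaces the stop and disable steps.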

Reply

Unread postby theglobal » May 24th, 2005, 9:53 am

In two previous Ewido scans (pursuant to Chris' instructions) the program has crashed after getting to a 100% scan... it seems odd, once it's at 100%, it still scans. So, I don't know if it was at 100% or not. In any event, it crashed before it was finished.

I will run the ewido scan again in the order you instructed. Let me know if I need to do anything different. I will let you know how the scan goes. :lol:
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Re: Reply

Unread postby Perculator » May 24th, 2005, 10:12 am

I want you to know the Ewido scan can play a major role in this play... so please be patient with it :-) Just let it run even if it's at 100%; just give it some time.
Because of the actions you need to do first in the fix, I am faithful about your next effort.
But do the fix in the given order :)
Just want to add that if Ewido won't succeed you have a lot of manual removal to do, so I pray for you :lol:
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Microsoft Management Console Issue

Unread postby theglobal » May 24th, 2005, 12:19 pm

I started the process with running services.msc. However, I received the following message:
---------------------------------
MMC cannot open the file C:\WINDOWS\System32\services.msc

This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file.
-----------------------------------
I was logged in as Administrator. I previously ran services.msc pursuant to instructions from Chris without any problems before this current work with you. That was a few days ago, before I posted a new Hijack This log (the one we are working on now). Something has changed since then. Please advise next step.
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Re: Microsoft Management Console Issue

Unread postby Perculator » May 24th, 2005, 2:15 pm

Well, the same fix, only another way to get there.


I recommend you print this advice. In safe mode you will not have this page available.



***
I saw the Ewido scan is still on your computer; we're using that later. It is very important to update the Ewido scan.
Update it now!!!
If you don't have it anymore:

Download Ewido scan.


***
Hi, first we're going to do the most important thing of this, and that's stopping some services. Without this part, the fix won't work at all.


***
Please do exactly as told in the given order.

Go to Start > Control Panel > Performance and Maintenance > Administrative Tools > double-click the Services icon

-In the Services window find: vnymjxlqxqbfxv
-Select/highlight and right click the entry, and choose: Properties
-On the General tab, under Service Status click the Stop button
-Beside: Startup Type, in the drop menu, select: Disabled
-Click Apply, then OK

Repeat this for the following processes, don't forget one:

vhodigqpwjrjuqe
smrrvwwskbjg
qqeqwfbaceoar
oocdnjjbpapj
ntmcqmoqsgf
nruewxrlbqwhyme
klqfkaxkgh
hiujtnucy
gsmnyflklrhrlo
eyytvwjelmu
eimniocotj
demvbywrfy
dcejfgtkepvnb
cexawejhamdhfp

Close this window now.

Open HijackThis to the Misc Tools section and click the Delete an NT Service button. Paste in vhodigqpwjrjuqe and click OK.
Repeat that for the following and again, don't miss one!!!
smrrvwwskbjg
qqeqwfbaceoar
oocdnjjbpapj
ntmcqmoqsgf
nruewxrlbqwhyme
klqfkaxkgh
hiujtnucy
gsmnyflklrhrlo
eyytvwjelmu
eimniocotj
demvbywrfy
dcejfgtkepvnb
cexawejhamdhfp


Restart your computer in safe mode!!!
    *Restart the computer.
    *As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears (a black and white screen).
    *Use the arrow keys to select the Safe mode menu item
    *press Enter.




***

Now run the Ewido scan and save the log it created, because you will need it in your answer.



***
Now restart the computer in normal mode



***
Run HijackThis and place a fresh log on this board together with the Ewido scan log.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Re: Microsoft Management Console Issue

Unread postby Perculator » May 25th, 2005, 1:42 am

Did you get there?
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Working On it

Unread postby theglobal » May 25th, 2005, 10:10 am

I was delayed when I received an error message when trying to run services.msc. The message said MMC could not open services.msc. There were also startup problems with other programs. I suspected some of the OS files were corrupted.

The computer belongs to my brother-in-law. He had to locate his copy of the operating system, which took some time. After reloading the operating system, all is well now. I will now be able to move forward with your repair instructions. I will post when complete.
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Re: Working On it

Unread postby Perculator » May 25th, 2005, 10:21 am

I'm not sure what you mean with reloading the system... you mean repaired or installed a new copy of your operating system? If you installed a new (fresh installation), then I'd like to see a new log.
When you only repaired some bad files you will be able to continue with the fix, but if you're not sure what you changed please post a fresh log. It is no problem when you post an extra log... it is a problem when you're trying to fix things that are not there.

good luck
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

New Log

Unread postby theglobal » May 25th, 2005, 9:14 pm

Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 7:12:00 PM, on 5/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vqtyuymk\gxhglii.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\smjvktve\pfoug.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
C:\WINDOWS\System32\dsso\sqtnm.exe
C:\WINDOWS\System32\qjdt\xcrkvu.exe
C:\WINDOWS\System32\eejyvmnd\xnllgwgh.exe
C:\WINDOWS\System32\bhohktor\odihfl.exe
C:\WINDOWS\System32\chvuxco\doupdxwv.exe
C:\WINDOWS\System32\ywrfy\demvb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\jimi\rcyjii.exe
C:\WINDOWS\System32\mgft\pjubdprf.exe
C:\WINDOWS\System32\onwvixlj\rlqka.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\kpphqn\fdqy.exe
C:\WINDOWS\System32\pwxkysx\qalkc.exe
C:\WINDOWS\System32\kevxy\vpnogrfg.exe
C:\WINDOWS\System32\hctycvyj\ovyft.exe
C:\WINDOWS\System32\nwxdmhx\rxlg.exe
C:\WINDOWS\System32\iduvfc\ldkgco.exe
C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
C:\WINDOWS\System32\kgxpv\xqpyix.exe
C:\WINDOWS\System32\jffrknf\twehfrag.exe
C:\WINDOWS\System32\dbdexge\vropfh.exe
C:\WINDOWS\System32\haxjkjf\lpxjns.exe
C:\WINDOWS\System32\fejlai\fcykrqae.exe
C:\WINDOWS\System32\otqyprha\aiyygr.exe
C:\WINDOWS\System32\aqwf\keqfe.exe
C:\WINDOWS\System32\mdcsar\quknrc.exe
C:\WINDOWS\System32\cdocmugl\jehddo.exe
C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
C:\WINDOWS\System32\pafpk\ihdqj.exe
C:\WINDOWS\System32\pirs\rnlt.exe
C:\WINDOWS\System32\bqclh\vysma.exe
C:\WINDOWS\System32\xgfbnlo\rtdbk.exe
C:\WINDOWS\System32\uvknmz.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\System32\ywrfy\demvb.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\ywrfy\demvb.exe
C:\WINDOWS\System32\fbaceoar\qqeqw.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
c:\windows\system32\jdcuvt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\DUC\aurareco.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\vnxxow.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\hoextc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\vnxxow.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\hoextc.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\hoextc.exe
C:\Program Files\Microsoft Works\wkswp.exe
c:\Program Files\Microsoft Works\MSWorks.exe
c:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {58359010-BF36-11D3-99A2-0050DA2EE1BE} - (no file)
O2 - BHO: (no name) - {83387907-50A3-C7D5-A44C-1FF0C613BD91} - C:\WINDOWS\System32\kfciynaf\hopwoisr.dll
O2 - BHO: Class - {FF3BB3EB-9FF6-0CC2-8A43-6DD043FE9317} - C:\WINDOWS\mslo32.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\pbsuthd.exe
O4 - HKLM\..\Run: [sjkp] C:\WINDOWS\System32\oxsaynow\sjkp.exe
O4 - HKLM\..\Run: [ntmcq] C:\WINDOWS\System32\moqsgf\ntmcq.exe
O4 - HKLM\..\Run: [jtutu] C:\WINDOWS\System32\ybuxb\jtutu.exe
O4 - HKLM\..\Run: [hshatpb] C:\WINDOWS\System32\qboa\hshatpb.exe
O4 - HKLM\..\Run: [evrad] C:\WINDOWS\System32\ynuul\evrad.exe
O4 - HKLM\..\Run: [wsagu] C:\WINDOWS\System32\hahm\wsagu.exe
O4 - HKLM\..\Run: [mhxo] C:\WINDOWS\System32\tlmtptg\mhxo.exe
O4 - HKLM\..\Run: [mefc] C:\WINDOWS\System32\yojsco\mefc.exe
O4 - HKLM\..\Run: [rgif] C:\WINDOWS\System32\hxrkgr\rgif.exe
O4 - HKLM\..\Run: [xcrkvu] C:\WINDOWS\System32\qjdt\xcrkvu.exe
O4 - HKLM\..\Run: [odihfl] C:\WINDOWS\System32\bhohktor\odihfl.exe
O4 - HKLM\..\Run: [oocdnjj] C:\WINDOWS\System32\bpapj\oocdnjj.exe
O4 - HKLM\..\Run: [doupdxwv] C:\WINDOWS\System32\chvuxco\doupdxwv.exe
O4 - HKLM\..\Run: [eimn] C:\WINDOWS\System32\iocotj\eimn.exe
O4 - HKLM\..\Run: [phvxbd] C:\WINDOWS\System32\pxdx\phvxbd.exe
O4 - HKLM\..\Run: [yqxjee] C:\WINDOWS\System32\xjwsh\yqxjee.exe
O4 - HKLM\..\Run: [ZMFGXAox] C:\PROGRA~1\wutorsr\pvptqr.exe
O4 - HKLM\..\Run: [vhodigq] C:\WINDOWS\System32\pwjrjuqe\vhodigq.exe
O4 - HKLM\..\Run: [qivgboox] C:\WINDOWS\System32\fnxfp\qivgboox.exe
O4 - HKLM\..\Run: [mwtugl] C:\WINDOWS\System32\jcplxih\mwtugl.exe
O4 - HKLM\..\Run: [pjubdprf] C:\WINDOWS\System32\mgft\pjubdprf.exe
O4 - HKLM\..\Run: [rlqka] C:\WINDOWS\System32\onwvixlj\rlqka.exe
O4 - HKLM\..\Run: [cexawejh] C:\WINDOWS\System32\amdhfp\cexawejh.exe
O4 - HKLM\..\Run: [reiu] C:\WINDOWS\System32\yslecioe\reiu.exe
O4 - HKLM\..\Run: [klqf] C:\WINDOWS\System32\kaxkgh\klqf.exe
O4 - HKLM\..\Run: [fdqy] C:\WINDOWS\System32\kpphqn\fdqy.exe
O4 - HKLM\..\Run: [ckbu] C:\WINDOWS\System32\ankjifjj\ckbu.exe
O4 - HKLM\..\Run: [qalkc] C:\WINDOWS\System32\pwxkysx\qalkc.exe
O4 - HKLM\..\Run: [vpnogrfg] C:\WINDOWS\System32\kevxy\vpnogrfg.exe
O4 - HKLM\..\Run: [dcejfgtk] C:\WINDOWS\System32\epvnb\dcejfgtk.exe
O4 - HKLM\..\Run: [ntqjhb] C:\WINDOWS\System32\wvaqvd\ntqjhb.exe
O4 - HKLM\..\Run: [rjctdjfj] C:\WINDOWS\System32\wmjsvgnj\rjctdjfj.exe
O4 - HKLM\..\Run: [nruewxrl] C:\WINDOWS\System32\bqwhyme\nruewxrl.exe
O4 - HKLM\..\Run: [ovyft] C:\WINDOWS\System32\hctycvyj\ovyft.exe
O4 - HKLM\..\Run: [rxlg] C:\WINDOWS\System32\nwxdmhx\rxlg.exe
O4 - HKLM\..\Run: [ldkgco] C:\WINDOWS\System32\iduvfc\ldkgco.exe
O4 - HKLM\..\Run: [xbhgbw] C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
O4 - HKLM\..\Run: [xqpyix] C:\WINDOWS\System32\kgxpv\xqpyix.exe
O4 - HKLM\..\Run: [cdpbfu] C:\WINDOWS\System32\eypo\cdpbfu.exe
O4 - HKLM\..\Run: [twehfrag] C:\WINDOWS\System32\jffrknf\twehfrag.exe
O4 - HKLM\..\Run: [vropfh] C:\WINDOWS\System32\dbdexge\vropfh.exe
O4 - HKLM\..\Run: [eyytvw] C:\WINDOWS\System32\jelmu\eyytvw.exe
O4 - HKLM\..\Run: [smrr] C:\WINDOWS\System32\vwwskbjg\smrr.exe
O4 - HKLM\..\Run: [yvay] C:\WINDOWS\System32\anfpsx\yvay.exe
O4 - HKLM\..\Run: [lpxjns] C:\WINDOWS\System32\haxjkjf\lpxjns.exe
O4 - HKLM\..\Run: [fcykrqae] C:\WINDOWS\System32\fejlai\fcykrqae.exe
O4 - HKLM\..\Run: [hiujt] C:\WINDOWS\System32\nucy\hiujt.exe
O4 - HKLM\..\Run: [jyumtrt] C:\WINDOWS\System32\tsjbins\jyumtrt.exe
O4 - HKLM\..\Run: [aiyygr] C:\WINDOWS\System32\otqyprha\aiyygr.exe
O4 - HKLM\..\Run: [keqfe] C:\WINDOWS\System32\aqwf\keqfe.exe
O4 - HKLM\..\Run: [quknrc] C:\WINDOWS\System32\mdcsar\quknrc.exe
O4 - HKLM\..\Run: [jehddo] C:\WINDOWS\System32\cdocmugl\jehddo.exe
O4 - HKLM\..\Run: [xnllgwgh] C:\WINDOWS\System32\eejyvmnd\xnllgwgh.exe
O4 - HKLM\..\Run: [sqtnm] C:\WINDOWS\System32\dsso\sqtnm.exe
O4 - HKLM\..\Run: [rcyjii] C:\WINDOWS\System32\jimi\rcyjii.exe
O4 - HKLM\..\Run: [qqeqw] C:\WINDOWS\System32\fbaceoar\qqeqw.exe
O4 - HKLM\..\Run: [oqpkn] C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
O4 - HKLM\..\Run: [ihdqj] C:\WINDOWS\System32\pafpk\ihdqj.exe
O4 - HKLM\..\Run: [rnlt] C:\WINDOWS\System32\pirs\rnlt.exe
O4 - HKLM\..\Run: [vysma] C:\WINDOWS\System32\bqclh\vysma.exe
O4 - HKLM\..\Run: [gvoktn] C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
O4 - HKLM\..\Run: [demvb] C:\WINDOWS\System32\ywrfy\demvb.exe
O4 - HKLM\..\Run: [rtdbk] C:\WINDOWS\System32\xgfbnlo\rtdbk.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\uvknmz.exe reg_run
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [gxhglii] C:\WINDOWS\system32\vqtyuymk\gxhglii.exe
O4 - HKLM\..\Run: [pfoug] C:\WINDOWS\system32\smjvktve\pfoug.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\vnxxow.exe
O4 - HKLM\..\Run: [tjxhzph] c:\windows\system32\jdcuvt.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKCU\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Adaware Bootup] C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://E:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{039F19FE-3A2A-4507-99C6-F737AD050B12}: NameServer = 205.188.146.145
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: cexawejhamdhfp - Unknown owner - C:\WINDOWS\System32\amdhfp\cexawejh.exe
O23 - Service: dcejfgtkepvnb - Unknown owner - C:\WINDOWS\System32\epvnb\dcejfgtk.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: demvbywrfy - Unknown owner - C:\WINDOWS\System32\ywrfy\demvb.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: eimniocotj - Unknown owner - C:\WINDOWS\System32\iocotj\eimn.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: eyytvwjelmu - Unknown owner - C:\WINDOWS\System32\jelmu\eyytvw.exe
O23 - Service: gsmnyflklrhrlo - Unknown owner - C:\WINDOWS\System32\lrhrlo\gsmnyflk.exe
O23 - Service: hiujtnucy - Unknown owner - C:\WINDOWS\System32\nucy\hiujt.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: klqfkaxkgh - Unknown owner - C:\WINDOWS\System32\kaxkgh\klqf.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: nruewxrlbqwhyme - Unknown owner - C:\WINDOWS\System32\bqwhyme\nruewxrl.exe
O23 - Service: ntmcqmoqsgf - Unknown owner - C:\WINDOWS\System32\moqsgf\ntmcq.exe
O23 - Service: oocdnjjbpapj - Unknown owner - C:\WINDOWS\System32\bpapj\oocdnjj.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: qqeqwfbaceoar - Unknown owner - C:\WINDOWS\System32\fbaceoar\qqeqw.exe
O23 - Service: smrrvwwskbjg - Unknown owner - C:\WINDOWS\System32\vwwskbjg\smrr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: vhodigqpwjrjuqe - Unknown owner - C:\WINDOWS\System32\pwjrjuqe\vhodigq.exe
O23 - Service: vnymjxlqxqbfxv - Unknown owner - C:\WINDOWS\System32\qxqbfxv\vnymjxl.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Re: New Log

Unread postby Perculator » May 26th, 2005, 8:36 am

You didn't tell me if the Ewido scan was working.

We're going into safe mode, but you don't need to print this out, because the only thing you have to do is run the Ewido scan in safe mode and then restart.

And I saw the Ewido scan is still on your computer; it is very important to update the Ewido scan.
Update it now!!!
If you don't have it anymore:

Download Ewido scan and update it.
We're going to use it in safe mode after you have rebooted into safe mode.

    *Restart the computer in safe mode
    *As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears (a black and white screen).
    *Use the arrow keys to select the Safe Mode menu item
    *Press Enter.

Now run the Ewido scan.

Restart your computer.

Run HijackThis and place a fresh log on this board, together with the Ewido scan log.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Unread postby theglobal » May 28th, 2005, 5:15 pm

For the 3rd time since I have gotten started on this cleanup, the Ewido scan has crashed. It gets to 100% scan and then closes down with an apology for the problem.

I closed the services you requested earlier with no problem. I am sorry to say the Ewido scan has not worked yet. I did get a HijackThis log, and enclose it for your review. Thanks again for your help.

Logfile of HijackThis v1.99.1
Scan saved at 3:10:27 PM, on 5/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
C:\WINDOWS\System32\qjdt\xcrkvu.exe
C:\WINDOWS\System32\ywrfy\demvb.exe
C:\WINDOWS\System32\dsso\sqtnm.exe
C:\WINDOWS\System32\bhohktor\odihfl.exe
C:\WINDOWS\System32\eejyvmnd\xnllgwgh.exe
C:\WINDOWS\System32\chvuxco\doupdxwv.exe
C:\WINDOWS\System32\jimi\rcyjii.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\jcplxih\mwtugl.exe
C:\WINDOWS\System32\mgft\pjubdprf.exe
C:\WINDOWS\System32\onwvixlj\rlqka.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\kpphqn\fdqy.exe
C:\WINDOWS\System32\pwxkysx\qalkc.exe
C:\WINDOWS\System32\kevxy\vpnogrfg.exe
C:\WINDOWS\System32\ywrfy\demvb.exe
C:\WINDOWS\System32\hctycvyj\ovyft.exe
C:\WINDOWS\System32\nwxdmhx\rxlg.exe
C:\WINDOWS\System32\fbaceoar\qqeqw.exe
C:\WINDOWS\System32\iduvfc\ldkgco.exe
C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
C:\WINDOWS\System32\kgxpv\xqpyix.exe
C:\WINDOWS\System32\jffrknf\twehfrag.exe
C:\WINDOWS\System32\dbdexge\vropfh.exe
C:\WINDOWS\System32\haxjkjf\lpxjns.exe
C:\WINDOWS\System32\fejlai\fcykrqae.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\otqyprha\aiyygr.exe
C:\WINDOWS\System32\aqwf\keqfe.exe
C:\WINDOWS\System32\mdcsar\quknrc.exe
C:\WINDOWS\System32\cdocmugl\jehddo.exe
C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
C:\WINDOWS\System32\pafpk\ihdqj.exe
C:\WINDOWS\System32\pirs\rnlt.exe
C:\WINDOWS\System32\bqclh\vysma.exe
C:\WINDOWS\System32\xgfbnlo\rtdbk.exe
C:\WINDOWS\system32\uvknmz.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\vnxxow.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
c:\windows\system32\mwrapi.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HJT\HijackThis.exe
C:\PROGRA~1\Intuit\QUICKB~1\COMPON~1\qbagent\QBMsgMgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\QBMsgMgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: (no name) - {58359010-BF36-11D3-99A2-0050DA2EE1BE} - (no file)
O2 - BHO: (no name) - {83387907-50A3-C7D5-A44C-1FF0C613BD91} - C:\WINDOWS\System32\kfciynaf\hopwoisr.dll
O2 - BHO: Class - {FF3BB3EB-9FF6-0CC2-8A43-6DD043FE9317} - C:\WINDOWS\mslo32.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SkyH2] C:\DOCUME~1\Owner\LOCALS~1\Temp\pbsuthd.exe
O4 - HKLM\..\Run: [sjkp] C:\WINDOWS\System32\oxsaynow\sjkp.exe
O4 - HKLM\..\Run: [ntmcq] C:\WINDOWS\System32\moqsgf\ntmcq.exe
O4 - HKLM\..\Run: [jtutu] C:\WINDOWS\System32\ybuxb\jtutu.exe
O4 - HKLM\..\Run: [hshatpb] C:\WINDOWS\System32\qboa\hshatpb.exe
O4 - HKLM\..\Run: [evrad] C:\WINDOWS\System32\ynuul\evrad.exe
O4 - HKLM\..\Run: [wsagu] C:\WINDOWS\System32\hahm\wsagu.exe
O4 - HKLM\..\Run: [mhxo] C:\WINDOWS\System32\tlmtptg\mhxo.exe
O4 - HKLM\..\Run: [mefc] C:\WINDOWS\System32\yojsco\mefc.exe
O4 - HKLM\..\Run: [rgif] C:\WINDOWS\System32\hxrkgr\rgif.exe
O4 - HKLM\..\Run: [xcrkvu] C:\WINDOWS\System32\qjdt\xcrkvu.exe
O4 - HKLM\..\Run: [odihfl] C:\WINDOWS\System32\bhohktor\odihfl.exe
O4 - HKLM\..\Run: [oocdnjj] C:\WINDOWS\System32\bpapj\oocdnjj.exe
O4 - HKLM\..\Run: [doupdxwv] C:\WINDOWS\System32\chvuxco\doupdxwv.exe
O4 - HKLM\..\Run: [eimn] C:\WINDOWS\System32\iocotj\eimn.exe
O4 - HKLM\..\Run: [phvxbd] C:\WINDOWS\System32\pxdx\phvxbd.exe
O4 - HKLM\..\Run: [yqxjee] C:\WINDOWS\System32\xjwsh\yqxjee.exe
O4 - HKLM\..\Run: [ZMFGXAox] C:\PROGRA~1\wutorsr\pvptqr.exe
O4 - HKLM\..\Run: [vhodigq] C:\WINDOWS\System32\pwjrjuqe\vhodigq.exe
O4 - HKLM\..\Run: [qivgboox] C:\WINDOWS\System32\fnxfp\qivgboox.exe
O4 - HKLM\..\Run: [mwtugl] C:\WINDOWS\System32\jcplxih\mwtugl.exe
O4 - HKLM\..\Run: [pjubdprf] C:\WINDOWS\System32\mgft\pjubdprf.exe
O4 - HKLM\..\Run: [rlqka] C:\WINDOWS\System32\onwvixlj\rlqka.exe
O4 - HKLM\..\Run: [cexawejh] C:\WINDOWS\System32\amdhfp\cexawejh.exe
O4 - HKLM\..\Run: [reiu] C:\WINDOWS\System32\yslecioe\reiu.exe
O4 - HKLM\..\Run: [klqf] C:\WINDOWS\System32\kaxkgh\klqf.exe
O4 - HKLM\..\Run: [fdqy] C:\WINDOWS\System32\kpphqn\fdqy.exe
O4 - HKLM\..\Run: [ckbu] C:\WINDOWS\System32\ankjifjj\ckbu.exe
O4 - HKLM\..\Run: [qalkc] C:\WINDOWS\System32\pwxkysx\qalkc.exe
O4 - HKLM\..\Run: [vpnogrfg] C:\WINDOWS\System32\kevxy\vpnogrfg.exe
O4 - HKLM\..\Run: [dcejfgtk] C:\WINDOWS\System32\epvnb\dcejfgtk.exe
O4 - HKLM\..\Run: [ntqjhb] C:\WINDOWS\System32\wvaqvd\ntqjhb.exe
O4 - HKLM\..\Run: [rjctdjfj] C:\WINDOWS\System32\wmjsvgnj\rjctdjfj.exe
O4 - HKLM\..\Run: [nruewxrl] C:\WINDOWS\System32\bqwhyme\nruewxrl.exe
O4 - HKLM\..\Run: [ovyft] C:\WINDOWS\System32\hctycvyj\ovyft.exe
O4 - HKLM\..\Run: [rxlg] C:\WINDOWS\System32\nwxdmhx\rxlg.exe
O4 - HKLM\..\Run: [ldkgco] C:\WINDOWS\System32\iduvfc\ldkgco.exe
O4 - HKLM\..\Run: [xbhgbw] C:\WINDOWS\System32\wqoabeby\xbhgbw.exe
O4 - HKLM\..\Run: [xqpyix] C:\WINDOWS\System32\kgxpv\xqpyix.exe
O4 - HKLM\..\Run: [cdpbfu] C:\WINDOWS\System32\eypo\cdpbfu.exe
O4 - HKLM\..\Run: [twehfrag] C:\WINDOWS\System32\jffrknf\twehfrag.exe
O4 - HKLM\..\Run: [vropfh] C:\WINDOWS\System32\dbdexge\vropfh.exe
O4 - HKLM\..\Run: [eyytvw] C:\WINDOWS\System32\jelmu\eyytvw.exe
O4 - HKLM\..\Run: [smrr] C:\WINDOWS\System32\vwwskbjg\smrr.exe
O4 - HKLM\..\Run: [yvay] C:\WINDOWS\System32\anfpsx\yvay.exe
O4 - HKLM\..\Run: [lpxjns] C:\WINDOWS\System32\haxjkjf\lpxjns.exe
O4 - HKLM\..\Run: [fcykrqae] C:\WINDOWS\System32\fejlai\fcykrqae.exe
O4 - HKLM\..\Run: [hiujt] C:\WINDOWS\System32\nucy\hiujt.exe
O4 - HKLM\..\Run: [jyumtrt] C:\WINDOWS\System32\tsjbins\jyumtrt.exe
O4 - HKLM\..\Run: [aiyygr] C:\WINDOWS\System32\otqyprha\aiyygr.exe
O4 - HKLM\..\Run: [keqfe] C:\WINDOWS\System32\aqwf\keqfe.exe
O4 - HKLM\..\Run: [quknrc] C:\WINDOWS\System32\mdcsar\quknrc.exe
O4 - HKLM\..\Run: [jehddo] C:\WINDOWS\System32\cdocmugl\jehddo.exe
O4 - HKLM\..\Run: [xnllgwgh] C:\WINDOWS\System32\eejyvmnd\xnllgwgh.exe
O4 - HKLM\..\Run: [sqtnm] C:\WINDOWS\System32\dsso\sqtnm.exe
O4 - HKLM\..\Run: [rcyjii] C:\WINDOWS\System32\jimi\rcyjii.exe
O4 - HKLM\..\Run: [qqeqw] C:\WINDOWS\System32\fbaceoar\qqeqw.exe
O4 - HKLM\..\Run: [oqpkn] C:\WINDOWS\System32\mnwrfwj\oqpkn.exe
O4 - HKLM\..\Run: [ihdqj] C:\WINDOWS\System32\pafpk\ihdqj.exe
O4 - HKLM\..\Run: [rnlt] C:\WINDOWS\System32\pirs\rnlt.exe
O4 - HKLM\..\Run: [vysma] C:\WINDOWS\System32\bqclh\vysma.exe
O4 - HKLM\..\Run: [gvoktn] C:\WINDOWS\System32\hocaeqgj\gvoktn.exe
O4 - HKLM\..\Run: [demvb] C:\WINDOWS\System32\ywrfy\demvb.exe
O4 - HKLM\..\Run: [rtdbk] C:\WINDOWS\System32\xgfbnlo\rtdbk.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\uvknmz.exe reg_run
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [gxhglii] C:\WINDOWS\system32\vqtyuymk\gxhglii.exe
O4 - HKLM\..\Run: [pfoug] C:\WINDOWS\system32\smjvktve\pfoug.exe
O4 - HKLM\..\Run: [shnin] C:\DOCUME~1\Owner\LOCALS~1\Temp\kceu.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\vnxxow.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [lrveif] c:\windows\system32\mwrapi.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKCU\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Adaware Bootup] C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://E:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: demvbywrfy - Unknown owner - C:\WINDOWS\System32\ywrfy\demvb.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: qqeqwfbaceoar - Unknown owner - C:\WINDOWS\System32\fbaceoar\qqeqw.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am