Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

In need of serious help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

In need of serious help

Unread postby Salvation138 » May 28th, 2007, 11:08 pm

Recently my computer has become overrun with spyware and other garbage that is ruining this machine. It started out as IE popups, and now IE won't even open anymore. I can't access My Computer, My Documents, anything. I've already removed a few files I know were malicious with HijackThis (made backups just in case). I really need my computer to be fixed, because I need to be able to access these parts of my computer.

Here's my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:04:48 PM, on 5/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\System32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\wuauclt.exe
E:\WINNT\TPPALDR.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
E:\WINNT\bsgbzsoA.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINNT\svchost.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINNT\system32\Explorer.exe
E:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
E:\WINNT\explorer.exe
E:\WINNT\System32\MsiExec.exe
E:\Documents and Settings\Rich Chalfin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Optimum Online] E:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [LaCie USB2 Auto Loader] E:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TPP Auto Loader] E:\WINNT\tppaldr.exe
O4 - HKLM\..\Run: [msnappau] "E:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ntdll.dll] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bsgbzsoA] E:\WINNT\bsgbzsoA.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "E:\WINNT\system32\cexvpjll.dll",realset
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [RealPlayer] "E:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [A00F91F13.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F91F13.exe
O4 - HKCU\..\Run: [A00F930CC.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F930CC.exe
O4 - HKCU\..\Run: [A00F94067.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F94067.exe
O4 - HKCU\..\Run: [A00F83FB5.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F83FB5.exe
O4 - HKCU\..\Run: [A00F84CA8.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F84CA8.exe
O4 - HKCU\..\Run: [A00F84E24.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F84E24.exe
O4 - HKCU\..\Run: [xrunwin] E:\WINNT\svchost.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - E:\WINNT\dls0523pmw.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Salvation138
Active Member
 
Posts: 6
Joined: May 28th, 2007, 10:58 pm
Advertisement
Register to Remove

Unread postby askey127 » May 29th, 2007, 6:25 am

Salvation138,
Rename HiJackThis.exe to Scanner.exe
One of these infections corrupts the log content if it sees the name HiJackThis.exe
-----------------------------------------------------------
Download ATF Cleaner by Atribune © from here : http://www.atribune.org/ccount/click.php?id=1
It is a stand-alone program that does not need to be "installed". Save it to a convenient location and make a shortcut on your desktop.

Double-click ATF-Cleaner.exe or your shortcut to run the program.
Under Main, choose Select All
Click Empty Selected

If you use Firefox browser,
Click Firefox at the top and choose Select All
Click on Empty Selected
NOTE: If you would like to keep any saved passwords, please click No at the prompt.
Click Exit to close.
------------------------------------------------------------
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log by running Scanner.exe
    In your case the vundofix.txt file may be located in E:\
    Search for it if necessary.

Note: It is possible that VundoFix will encounter a file it cannot remove.
In that case, VundoFix will run on reboot. Simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

To summarize, we will be looking for the contents from vundofix.txt and a new log from Scanner.exe in your next reply.
Please also tell me if this computer is connected to a company or other network.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Salvation138 » May 29th, 2007, 2:49 pm

Well, I downloaded ATF Cleaner, but every time I go to use it, after about 5 seconds it stops responding. I got it to work for the Firefox part, but it won't work for the main one.
Salvation138
Active Member
 
Posts: 6
Joined: May 28th, 2007, 10:58 pm

Unread postby Salvation138 » May 29th, 2007, 2:53 pm

Scratch that last post...I got it to work. Running VundoFix now.
Salvation138
Active Member
 
Posts: 6
Joined: May 28th, 2007, 10:58 pm

Unread postby Salvation138 » May 30th, 2007, 4:53 pm

OK, took a while but it's done. Here's my VundoFix log.

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 2:51:23 PM 5/29/2007

Listing files found while scanning....

E:\WINNT\system32\cbxxywu.dll
E:\WINNT\system32\cexvpjll.dll
E:\WINNT\system32\lljpvxec.ini
E:\WINNT\system32\lvffsryl.dll
E:\WINNT\system32\pfocaxaw.dll
E:\WINNT\system32\stutv.bak1
E:\WINNT\system32\stutv.bak2
E:\WINNT\system32\stutv.ini
E:\WINNT\system32\vtuts.dll
E:\WINNT\system32\yygwvwca.dll

Beginning removal...

Attempting to delete E:\WINNT\system32\cbxxywu.dll
E:\WINNT\system32\cbxxywu.dll Has been deleted!

Attempting to delete E:\WINNT\system32\cexvpjll.dll
E:\WINNT\system32\cexvpjll.dll Has been deleted!

Attempting to delete E:\WINNT\system32\lljpvxec.ini
E:\WINNT\system32\lljpvxec.ini Has been deleted!

Attempting to delete E:\WINNT\system32\lvffsryl.dll
E:\WINNT\system32\lvffsryl.dll Has been deleted!

Attempting to delete E:\WINNT\system32\pfocaxaw.dll
E:\WINNT\system32\pfocaxaw.dll Has been deleted!

Attempting to delete E:\WINNT\system32\stutv.bak1
E:\WINNT\system32\stutv.bak1 Has been deleted!

Attempting to delete E:\WINNT\system32\stutv.bak2
E:\WINNT\system32\stutv.bak2 Has been deleted!

Attempting to delete E:\WINNT\system32\stutv.ini
E:\WINNT\system32\stutv.ini Has been deleted!

Attempting to delete E:\WINNT\system32\vtuts.dll
E:\WINNT\system32\vtuts.dll Has been deleted!

Attempting to delete E:\WINNT\system32\yygwvwca.dll
E:\WINNT\system32\yygwvwca.dll Has been deleted!

Performing Repairs to the registry.
Done!

And the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 4:52:55 PM, on 5/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\System32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\Explorer.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINNT\tppaldr.exe
E:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
E:\Program Files\QuickTime\qttask.exe
E:\WINNT\bsgbzsoA.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINNT\svchost.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\WINNT\system32\wuauclt.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINNT\system32\Explorer.exe
E:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
E:\Documents and Settings\Rich Chalfin\Desktop\Scanner.exe.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {0A6A113E-50BF-418F-D5A5-8902307985F6} - E:\Program Files\Microsoft Office\lavuhaxo.dll
O2 - BHO: (no name) - {13CBDC75-23B7-4676-BD48-34A43BAA1C69} - (no file)
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - E:\WINNT\system32\cbxxywu.dll (file missing)
O2 - BHO: PsapiAnalyzer Object - {489263D0-1E71-4B29-B4D1-46DAA5856DF7} - e:\winnt\driver cache\dnsurl.dll
O2 - BHO: (no name) - {49AA6527-CF40-50E7-D577-64550CF32B41} - (no file)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - E:\WINNT\system32\efpcnyxq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - E:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {95F44196-1612-47E4-8A5E-103CD1DAC730} - E:\WINNT\system32\pdotbjvg.dll
O2 - BHO: (no name) - {AE969692-0A93-4511-BE2B-BDC38F04B650} - E:\WINNT\system32\vtuts.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Optimum Online] E:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [LaCie USB2 Auto Loader] E:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TPP Auto Loader] E:\WINNT\tppaldr.exe
O4 - HKLM\..\Run: [msnappau] "E:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ntdll.dll] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bsgbzsoA] E:\WINNT\bsgbzsoA.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [RealPlayer] "E:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [A00F91F13.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F91F13.exe
O4 - HKCU\..\Run: [A00F930CC.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F930CC.exe
O4 - HKCU\..\Run: [A00F94067.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F94067.exe
O4 - HKCU\..\Run: [A00F83FB5.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F83FB5.exe
O4 - HKCU\..\Run: [A00F84CA8.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F84CA8.exe
O4 - HKCU\..\Run: [A00F84E24.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F84E24.exe
O4 - HKCU\..\Run: [xrunwin] E:\WINNT\svchost.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O20 - Winlogon Notify: CLSID - E:\WINNT\
O20 - Winlogon Notify: __c00896F4 - E:\WINNT\system32\__c00896F4.dat
O20 - Winlogon Notify: __c009AA40 - E:\WINNT\system32\__c009AA40.dat
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - E:\WINNT\dls0523pmw.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Salvation138
Active Member
 
Posts: 6
Joined: May 28th, 2007, 10:58 pm

Unread postby askey127 » May 30th, 2007, 6:58 pm

Salvation138,
You may want to print this out, or save it as a Notepad document on your Desktop, since you won't have Internet access in Safe Mode.
-----------------------------------------------------------
Set Your Computer to Show All Files
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading, select Show hidden files and folders.
  6. Uncheck Hide protected operating system files (recommended).
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
In addition, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-----------------------------------------------------------
Stop Processes Prior to Deletion
Close ALL open windows. Use Ctrl-Alt-Delete together to bring up the task manager.
Under the processes tab, if it is visible, check the box 'Show processes from all users'.
Highlight this one and "End Process":
bsgbzsoA.exe
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
O2 - BHO: (no name) - {13CBDC75-23B7-4676-BD48-34A43BAA1C69} - (no file)
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - E:\WINNT\system32\cbxxywu.dll (file missing)
O2 - BHO: PsapiAnalyzer Object - {489263D0-1E71-4B29-B4D1-46DAA5856DF7} - e:\winnt\driver cache\dnsurl.dll
O2 - BHO: (no name) - {49AA6527-CF40-50E7-D577-64550CF32B41} - (no file)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - E:\WINNT\system32\efpcnyxq.dll
O2 - BHO: (no name) - {95F44196-1612-47E4-8A5E-103CD1DAC730} - E:\WINNT\system32\pdotbjvg.dll
O2 - BHO: (no name) - {AE969692-0A93-4511-BE2B-BDC38F04B650} - E:\WINNT\system32\vtuts.dll (file missing)
O4 - HKLM\..\Run: [Optimum Online] E:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [bsgbzsoA] E:\WINNT\bsgbzsoA.exe
O4 - HKCU\..\Run: [A00F91F13.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F91F13.exe
O4 - HKCU\..\Run: [A00F930CC.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F930CC.exe
O4 - HKCU\..\Run: [A00F94067.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F94067.exe
O4 - HKCU\..\Run: [A00F83FB5.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F83FB5.exe
O4 - HKCU\..\Run: [A00F84CA8.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F84CA8.exe
O4 - HKCU\..\Run: [A00F84E24.exe] E:\DOCUME~1\RICHCH~1\LOCALS~1\Temp\_A00F84E24.exe
O20 - Winlogon Notify: CLSID - E:\WINNT\
O20 - Winlogon Notify: __c00896F4 - E:\WINNT\system32\__c00896F4.dat
O20 - Winlogon Notify: __c009AA40 - E:\WINNT\system32\__c009AA40.dat

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked.
-----------------------------------------------------------
Stop, Disable and Delete A Service
Go to Start, Run OR Start, Programs, Accessories, Command Prompt and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find the service. The service name is the item in Parentheses in the O23 line.
NetAgent
Click once on the service to highlight it.
Right-Click on the service. Click on Properties
Select the General tab.
Next to Service Status, click Stop.
Click the Arrow-down tab on the right-hand side of the Start-up Type box.
From the drop-down menu, click on Disabled
Click Apply , then OK[/quote]

Delete the Service
Open HiJackThis. Click on Config, Misc Tools, Delete an NT Service
Type NetAgent in the space provided and click OK
The program will ask you to REBOOT --- Accept and boot into Safe Mode per below.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list. In some systems, this may be the F5 key, so try that if F8 doesn't work. Additional Info is here: http://www.computerhope.com/issues/chsafe.htm
-----------------------------------------------------------
Try to run ATFcleaner again, Select All, Remove All.
-----------------------------------------------------------
File and Folder Deletion.
In Windows Explorer (My Computer), navigate to the files/ folders shown below, select View, Details, and Delete the listed items, if found. Some may be missing.
Be careful not to delete any file without double-checking the spelling of the filename.
In the case of a folder removal, you may have to delete all the underlying files and folders before an entire folder can be deleted.

E:\WINNT\dls0523pmw.exe
E:\WINNT\bsgbzsoA.exe
E:\WINNT\system32\cbxxywu.dll
E:\WINNT\driver cache\dnsurl.dll
E:\WINNT\system32\efpcnyxq.dll
E:\WINNT\system32\pdotbjvg.dll
E:\Program Files\Optimum Online\ <== this entire folder

If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the filename is in there, highlight it and click End Process, then retry Delete.
Note the name and location of any item you cannot delete.
-----------------------------------------------------------
Post a New HJT Log
Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Salvation138 » May 30th, 2007, 10:44 pm

Only one problem with this, and that is the fact that I cannot access My Computer. It's not under the Start menu for me, and I can't get to it by clicking on the desktop. If I try to run anything in IE, the screen goes blank for a few seconds, and then nothing happens.

I appreciate your help very much, but I feel like my computer's almost beyond repair. I'm not able to get my computer to show all files because of this.
Salvation138
Active Member
 
Posts: 6
Joined: May 28th, 2007, 10:58 pm

Unread postby askey127 » May 31st, 2007, 6:18 am

See if you can Boot the machine into Safe Mode by repetitively tapping F8 as soon as you hear the first beep, and choosing Safe Mode from the menu.
Then check to see if you can locate "My Computer". Alternatively, if you can get Start, Run to work, you can activate Windows explorer by typing E:\WINNT\explorer.exe

I notice this system drive is on E: Is this a multi-boot system?
Do you have your upgrade CD?

I see you have also posted for help at SWI. We are all volunteers at the help forums, and multiple posting takes the volunteer time away from other victims. If you would prefer to work at SWI, let me know. Otherwise let them know.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Salvation138 » May 31st, 2007, 11:15 pm

Sorry--I don't know too much about computers but I just don't feel safe deleting some of those files, they seem like they'd be important. I'm also finding myself unable to follow some of your requests, as certain things just don't exist. You can close this thread, sorry for wasting your time.
Salvation138
Active Member
 
Posts: 6
Joined: May 28th, 2007, 10:58 pm
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 41 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware