Spyware infection! Please review my HJT logfile


Response to MaKaVeLi

Post by arqa » December 12th, 2005, 1:42 pm

Tried to e-mail you a copy of the file, but it bounced...
May I attach the file within this forum?
arqa
Regular Member
 
Posts: 55
Joined: December 1st, 2005, 1:21 am

Post by MaKaVeLi » December 12th, 2005, 4:15 pm

You can upload it to the following site and put my email as the Recipient email address:

http://www.yousendit.com/

Or you can upload it to here and pm me the link:

http://rapidshare.de/
MaKaVeLi
Regular Member
 
Posts: 263
Joined: July 4th, 2005, 5:46 pm
Location: USA

Post by MaKaVeLi » December 13th, 2005, 4:22 pm

Download the keylogger remover here: http://research.sunbelt-software.com/ssaclean.cfm (ignore what it says and download it anyway) and save it to your desktop. Now double click on SSACleaner.exe and hit Check System. When it's finished scanning, save the log to a Notepad file.

Run HijackThis and put a check next to the following lines:

R3 - URLSearchHook: (no name) - {004E5031-F379-36E7-C64E-2F646F11EB4C} - C:\WINDOWS\Ylpyczxj.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {35AF1B0D-BB36-11B8-8720-16550B86281A} - C:\WINDOWS\SYSTEM\IOK.DLL (file missing)
O2 - BHO: (no name) - {40531B38-BE86-9072-4037-188D011E16C5} - C:\WINDOWS\Ylpyczxj.dll
O2 - BHO: (no name) - {14F01645-ADDB-9559-80BE-F40A7209F49F} - C:\WINDOWS\SYSTEM\UYHGNRR.DLL (file missing)
O2 - BHO: (no name) - {19F01243-ADDE-925A-80CD-820A747DF49E} - C:\WINDOWS\SYSTEM\UYHGNRR.DLL (file missing)
O2 - BHO: (no name) - {20DD2241-80EE-A66C-AD8B-C0274239D9AF} - C:\WINDOWS\SYSTEM\UYHGNRR.DLL (file missing)
O2 - BHO: (no name) - {FF3C9AB9-7D75-3FA4-7D56-71C2CF244695} - C:\WINDOWS\SYSTEM\EKHOLEP.DLL (file missing)
O2 - BHO: (no name) - {FB3C9EB5-7D79-4EA4-7D21-7DC2BE564696} - C:\WINDOWS\SYSTEM\EKHOLEP.DLL (file missing)
O2 - BHO: (no name) - {9945A8B8-5F13-2ECB-5014-49EF8E666BA6} - C:\WINDOWS\SYSTEM\EKHOLEP.DLL (file missing)
O2 - BHO: (no name) - {372D100A-FE95-BC17-C6DD-A95F86B5DD9D} - C:\WINDOWS\SYSTEM\RHATK.DLL (file missing)
O2 - BHO: (no name) - {3365BE9F-520B-17D1-0261-5200C3BE8B9A} - C:\WINDOWS\SYSTEM\WAWIKALW.DLL (file missing)
O2 - BHO: (no name) - {865B860C-319E-7B42-9178-33A6F9DD3991} - C:\WINDOWS\SYSTEM\QUTLENRA.DLL (file missing)
O2 - BHO: (no name) - {C10B6C45-83D3-9F09-D97C-83ADA9C922C3} - C:\WINDOWS\SYSTEM\COFMETV.DLL (file missing)
O2 - BHO: (no name) - {AFE14282-AC15-BFCE-1C80-FC5A161A48CE} - C:\WINDOWS\SYSTEM\HVJICJOC.DLL (file missing)
O2 - BHO: (no name) - {CD5178B5-952F-DDA1-7426-C609F3642392} - C:\WINDOWS\SYSTEM\OLPS.DLL (file missing)
O2 - BHO: (no name) - {E476C9D9-2448-1099-1AB7-2477A5C1599E} - C:\WINDOWS\SYSTEM\QOR.DLL (file missing)
O2 - BHO: (no name) - {E076CDD5-2444-6199-1AC0-2877D4B3599D} - C:\WINDOWS\SYSTEM\QOR.DLL (file missing)
O2 - BHO: (no name) - {33BD2248-988D-AF01-82FE-C06934F889CE} - C:\WINDOWS\SYSTEM\DWOEO.DLL (file missing)
O2 - BHO: (no name) - {37BD2644-9881-DE01-8289-CC69458A89CD} - C:\WINDOWS\SYSTEM\DWOEO.DLL (file missing)
O2 - BHO: (no name) - {60B62541-C0D4-FE00-82FE-C06934F889CF} - C:\WINDOWS\SYSTEM\DWOEO.DLL (file missing)
O2 - BHO: (no name) - {64B6214D-C0D8-8F00-8289-CC69458A89CC} - C:\WINDOWS\SYSTEM\DWOEO.DLL (file missing)
O2 - BHO: (no name) - {73816D1E-83D6-EF5A-831E-DE1853AC9299} - C:\WINDOWS\SYSTEM\YBNMGUIA.DLL
O3 - Toolbar: Search - {B3C0AC9A-99DF-B2B0-8931-1CCF05329885} - C:\WINDOWS\Ylpyczxj.dll
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\SYSTEM\mmxp2passion.exe
O4 - HKLM\..\Run: [MediaGateway.exe] C:\WINDOWS\SYSTEM\MediaGateway.exe
O4 - HKLM\..\Run: [mediapluscash.exe] C:\WINDOWS\SYSTEM\mediapluscash.exe
O4 - HKLM\..\Run: [cashplusmedia.exe] C:\WINDOWS\SYSTEM\cashplusmedia.exe
O4 - HKLM\..\Run: [YVIBRVB] C:\WINDOWS\YVIBRVB.exe
O4 - HKLM\..\Run: [cashplusmedia1.exe] C:\WINDOWS\SYSTEM\cashplusmedia1.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\winldra.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O9 - Extra button: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSIns ... a_ie_2.adp
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom2.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFi ... nstall.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:\nosunex.mht!http://daemonlinks.net/script/ys.chm::/ysb_regular.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/downl ... TING32.cab
O16 - DPF: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - http://66.194.67.102/banner/with-report ... nerads.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://213.158.119.23/script/lc.chm::/bridge-c46.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0009.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.113.138,85.255.112.13

Make sure no programs or windows are open and click Fix checked.

Delete the following files (if present):

C:\WINDOWS\Ylpyczxj.dll
C:\WINDOWS\SYSTEM\IOK.DLL
C:\WINDOWS\SYSTEM\UYHGNRR.DLL
C:\WINDOWS\SYSTEM\EKHOLEP.DLL
C:\WINDOWS\SYSTEM\RHATK.DLL
C:\WINDOWS\SYSTEM\WAWIKALW.DLL
C:\WINDOWS\SYSTEM\QUTLENRA.DLL
C:\WINDOWS\SYSTEM\COFMETV.DLL
C:\WINDOWS\SYSTEM\HVJICJOC.DLL
C:\WINDOWS\SYSTEM\OLPS.DLL
C:\WINDOWS\SYSTEM\QOR.DLL
C:\WINDOWS\SYSTEM\DWOEO.DLL
C:\WINDOWS\SYSTEM\YBNMGUIA.DLL
C:\WINDOWS\SYSTEM\mmxp2passion.exe
C:\WINDOWS\SYSTEM\MediaGateway.exe
C:\WINDOWS\SYSTEM\mediapluscash.exe
C:\WINDOWS\YVIBRVB.exe
C:\WINDOWS\SYSTEM\cashplusmedia1.exe
C:\WINDOWS\SYSTEM\winldra.exe

Delete the following folder (if present):

C:\Program Files\UnSpyPC\

Now reboot and post a new HijackThis log and the log from the SSACleaner.
MaKaVeLi
Regular Member
 
Posts: 263
Joined: July 4th, 2005, 5:46 pm
Location: USA
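An added example, not from this thread and not part of HijackThis: a small Python triage script that applies the kinds of checks the helper above made by eye to HJT 1.99 log lines (unnamed BHOs, dead registrations, Trusted Zone additions, ActiveX installs from ms-its:/raw-IP URLs, overridden DNS servers) and then lists the on-disk files that still need deleting after "Fix checked". The sample lines are copied from the logs in this thread; the rules, their names and the O4 heuristic are my own assumptions, and a flag means "look at this", not "this is malware".

```python
import ntpath
import re

# "O2 - BHO: ..." / "R3 - URLSearchHook: ...": section code, dash, body.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d{1,2})\s+-\s+(?P<body>.+)$")
# A Windows path to a DLL/EXE/OCX anywhere in the line.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+?\.(?:dll|exe|ocx)', re.IGNORECASE)
# O4 Run entry: [value name] "target.exe" args
O4_RUN = re.compile(r'\[(?P<name>[^\]]+)\]\s+"?(?P<target>[A-Za-z]:\\[^"\s]+)')
URL_HOST = re.compile(r"https?://([^/\s]+)")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SYSTEM_DIRS = {"C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM"}  # Win9x/ME layout, as in the thread


def parse_line(line):
    """Split a log line into (section, body); None for headers and the process list."""
    m = HJT_LINE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage_line(line):
    """Reasons this line deserves a look (empty list = nothing tripped). Heuristics only."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    section, body = parsed
    reasons = []
    if section in ("R3", "O2", "O3") and "(no name)" in body:
        reasons.append("unnamed URLSearchHook/BHO/toolbar")
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("registration points at a file that is gone")
    if section == "O4":
        m = O4_RUN.search(body)
        if m:
            target = m.group("target")
            base = ntpath.basename(target)
            stem = base.rsplit(".", 1)[0]
            # Assumed pattern: an exe dropped straight into C:\WINDOWS[\SYSTEM] and
            # registered under its own file name (cf. mediapluscash.exe above).
            if (ntpath.dirname(target).upper() in SYSTEM_DIRS
                    and m.group("name").lower() in (base.lower(), stem.lower())):
                reasons.append("Run entry named after its own exe in the Windows dir")
    if section == "O15":
        reasons.append("site added to the IE Trusted Zone")
    if section == "O16":  # DPF = ActiveX control pulled from a URL
        if "ms-its:" in body.lower():
            reasons.append("ActiveX install via an ms-its:/CHM URL")
        host = URL_HOST.search(body)
        if host and IPV4.match(host.group(1)):
            reasons.append("ActiveX install from a bare IP address")
    if section == "O17" and "NameServer" in body:
        reasons.append("DNS NameServer overridden in the registry")
    return reasons


def triage_log(lines):
    """Flagged lines only, as (line, reasons) pairs, in log order."""
    out = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            out.append((line, reasons))
    return out


def files_to_check(lines):
    """DLL/EXE paths named by flagged lines, skipping ones HJT already reports as gone:
    'Fix checked' removes the registration, the file itself still has to be deleted."""
    paths = set()
    for line, _ in triage_log(lines):
        if "(file missing)" not in line and "(no file)" not in line:
            paths.update(WIN_PATH.findall(line))
    return sorted(paths)


# Lines copied from the logs in this thread, plus benign ones for contrast.
SAMPLE_LINES = [
    r"R3 - URLSearchHook: (no name) - {004E5031-F379-36E7-C64E-2F646F11EB4C} - C:\WINDOWS\Ylpyczxj.dll",
    r"O2 - BHO: (no name) - {35AF1B0D-BB36-11B8-8720-16550B86281A} - C:\WINDOWS\SYSTEM\IOK.DLL (file missing)",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX",
    r"O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\SYSTEM\mmxp2passion.exe",
    r"O4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\winldra.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime',
    r"O15 - Trusted Zone: *.media-motor.net",
    r"O16 - DPF: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - http://66.194.67.102/banner/with-report ... nerads.cab",
    r"O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://213.158.119.23/script/lc.chm::/bridge-c46.cab",
    r"O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.113.138,85.255.112.13",
]
```

Note that the `[load32] winldra.exe` line is not caught by any of these rules; the helper flagged it from experience, which is exactly what a rule set like this cannot replace.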

Waiting for response from MaKaVeLi

Post by arqa » December 15th, 2005, 11:59 am

Hello MaKaVeLi,

I wonder if you got the file...
I sent it last Monday.
I'm waiting for new directions.
Please advise, thanks.
arqa
Regular Member
 
Posts: 55
Joined: December 1st, 2005, 1:21 am

Post by MaKaVeLi » December 15th, 2005, 4:34 pm

Yeah, I got the file and posted my directions above, but getting help at 2 forums is not a good way to clean your system. It wastes all of the helpers' time.

http://forums.techguy.org/security/4236 ... -help.html

Please choose to continue here or over there.
MaKaVeLi
Regular Member
 
Posts: 263
Joined: July 4th, 2005, 5:46 pm
Location: USA

Response to MaKaVeLi

Post by arqa » December 15th, 2005, 4:58 pm

Hello MaKaVeLi,

That's another PC...
Sorry for the confusion :(
arqa
Regular Member
 
Posts: 55
Joined: December 1st, 2005, 1:21 am

Post by arqa » December 15th, 2005, 7:15 pm

I downloaded SSACleaner, but couldn't run the program:

"A required DLL file PSAPI.dll was not found"

windows cannot access....

Do I run HJT and Fix anyway?
arqa
Regular Member
 
Posts: 55
Joined: December 1st, 2005, 1:21 am

Re: Response to MaKaVeLi

Post by MaKaVeLi » December 15th, 2005, 8:07 pm

arqa wrote: Hello MaKaVeLi,

That's another PC...
Sorry for the confusion :(


That was an error on my part. That was pointed out by another user on the forum.

arqa wrote: I downloaded SSACleaner, but couldn't run the program:

"A required DLL file PSAPI.dll was not found"

windows cannot access....

Do I run HJT and Fix anyway?


Yeah, skip the SSACleaner and go to the HijackThis fixes. We'll come back to it later. You have more important infections that need cleaning up.
MaKaVeLi
Regular Member
 
Posts: 263
Joined: July 4th, 2005, 5:46 pm
Location: USA

New HJT log

Post by arqa » December 16th, 2005, 12:03 am

Logfile of HijackThis v1.99.1
Scan saved at 10:07:28 PM, on 12/15/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\SPDEVSAW.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\NETGEAR\MA111 CONFIGURATION UTILITY\WLANCFG4.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\SNSS\SNSS.EXE
C:\WINDOWS\SYSTEM\RRDSREGO.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM\SPDEVSAW.EXE DO0605
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [{00-0A-A0-0D-ZN}] C:\WINDOWS\SYSTEM\RRDSREGO.EXE DEFAULT
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM\spdevsaw.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Add to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/ ... review.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0322.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0322.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/

Now, I still see certain .exe files (applications) in C:\WINDOWS\SYSTEM that seem suspicious, all dated from the last 2 months:

xongol
ysysyv6d
ysysyv2d
WinDy
Vvxixb
ventura-hot_246765
VB2
vxgamet4
spdevsaw
SetupCasino
Setup2121
Setup1052
rrdsrego
qvxgamet3
ride5.0
idemlog
ihoodf (older)
filesafer23
esysehiz
dun
dist001
BPCPOST
blizex6

and others (also dll, ico, etc.) ...

NewWXIXBu2 (XML document). What are these XML documents?

Should I delete them as well?

Please let me know what to do next. Thanks:)
arqa
Regular Member
 
Posts: 55
Joined: December 1st, 2005, 1:21 am

Post by MaKaVeLi » December 16th, 2005, 4:33 pm

Hi arqa,

Did you delete other lines in your HijackThis log or run any anti-spyware apps like Ad-Aware or Spybot recently?

Edit: Well, I found your log over here:

http://forum.us.dell.com/supportforums/ ... ing&page=1

So now this post will be closed.
MaKaVeLi
Regular Member
 
Posts: 263
Joined: July 4th, 2005, 5:46 pm
Location: USA

Post by NonSuch » December 16th, 2005, 6:01 pm

While we appreciate that you very likely posted at multiple forums in order to ensure a response, that only serves to tie up the time of multiple helpers who could be using that time to help someone else who also has problems. Although there are many forums that handle HijackThis logs, there are not so many helpers; most of us help out at several forums.

In addition, the results may not work out so well when you're following different instructions from different helpers. They may suggest different approaches for the same problem, all of which may be good; however, system conflicts may arise if different fixes for the same problem are applied simultaneously.

In the future, for your sake as well as ours, please refrain from requesting help from multiple forums. Choose one, and stick with that one until they've resolved your problem.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

Post by ChrisRLG » December 17th, 2005, 10:21 am

Reopened on email request.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

New HJT log

Post by arqa » December 17th, 2005, 1:25 pm

Hello MaKaVeLi,

I run Ad-Aware every other day, and Spybot once a week.

Here's a new HJT log, please advise.

Logfile of HijackThis v1.99.1
Scan saved at 12:21:52 PM, on 12/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SNSS\SNSS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\NETGEAR\MA111 CONFIGURATION UTILITY\WLANCFG4.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM\SPDEVSAW.EXE DO0605
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [{00-0A-A0-0D-ZN}] C:\WINDOWS\SYSTEM\RRDSREGO.EXE DEFAULT
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM\spdevsaw.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Add to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/ ... review.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0322.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0322.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/

Thank you.
arqa
Regular Member
 
Posts: 55
Joined: December 1st, 2005, 1:21 am

Post by MaKaVeLi » December 17th, 2005, 4:30 pm

Are you still getting help over here? Because it's the same log.

http://forum.us.dell.com/supportforums/ ... ing&page=1
MaKaVeLi
Regular Member
 
Posts: 263
Joined: July 4th, 2005, 5:46 pm
Location: USA

HJT log

Post by arqa » December 17th, 2005, 4:37 pm

No, this is the message sent to Admin:

My first post was @ the Dell forum, and ky331 (who also seems to be part of your group) recommended that I turn to this one to try to get advice... and that's how I started here.
Then a new response to that post came while I was already in touch with you.
But there wasn't anything planned.
Anyway, I'd rather continue my logs through this forum and get to the root of the problem.

Thanks.
arqa
Regular Member
 
Posts: 55
Joined: December 1st, 2005, 1:21 am