#1  06-26-2005, 11:11 AM
Posted by LiL LT (OS: win xp professional)
Help! I've read some of these threads and I think I have the Aurora

Hi,

I've also run (several times) Ad-Aware SE, Spybot S&D, AVG Anti-Virus, and have run RegCleaner and HijackThis. I've tried to delete the files that a) I've been told by the above programs are problematic, b) look somewhat suspicious. However, many of these files keep reappearing. AVG does try to get rid of them, but they seem to multiply. BTW, I've been running NAV on my laptop since I asked a knowledgeable friend to do a rebuild for me. I've been using its automatic LiveUpdate and the last one I got was on 6/22/05. NAV didn't seem to detect this virus at all. That is why I downloaded AVG. Since I've run that and Ad-Aware and Spybot a few times, it actually seems better, but I'm still getting popups, and AVG detects the same files (nail, DrPmon, svcproc, etc.) on boot and/or running of IE.

I have my last HJT log. Can you give me some advice?

Thanks,
Ronni
#2  06-26-2005, 12:16 PM
Posted by LiL LT
It occurred to me you may need this!


Logfile of HijackThis v1.99.0
Scan saved at 12:42:59 PM, on 6/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\klaapm.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
c:\windows\system32\dzkxtr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\plusvr.exe
C:\WINDOWS\System32\psipromn.exe
C:\Program Files\Aprps\CxtPls.exe
C:\hjt\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sacbee.com/
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsv275.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\klaapm.exe reg_run
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mtflnn] c:\windows\system32\dzkxtr.exe r
O4 - HKLM\..\Run: [0snS3mX] psipromn.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKCU\..\Run: [HB42Rgb7U] plusvr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
#3  06-27-2005, 01:54 AM
Posted by MicroBell (Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team)
Ack...you got several nasty ones. We will attack them in steps.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that system files and folders are visible. Please make sure System Restore is enabled by right-clicking on My Computer, going to Properties->System Restore, and checking the box for Turn OFF System Restore to make sure it's NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then create a new restore point.


STEP 1......................................

Download Process Explorer from http://www.sysinternals.com/Utilitie...sExplorer.html

Run Process Explorer and find this Process in the list of Processes.

c:\windows\system32\dzkxtr.exe

Select the process and click Process > Suspend.

Then run HijackThis and click Config > Misc Tools > Delete a file on reboot...
In the Explorer window select the file c:\windows\system32\dzkxtr.exe
When prompted if you want to reboot, click YES

**IMPORTANT**
Leave Process Explorer running with the process suspended. If you end it, the fix will fail.

Once you reboot, proceed below...


Download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups


Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\WINDOWS\System32\klaapm.exe
C:\WINDOWS\System32\plusvr.exe
C:\WINDOWS\System32\psipromn.exe
C:\Program Files\Aprps\CxtPls.exe


Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsv275.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\klaapm.exe reg_run
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [mtflnn] c:\windows\system32\dzkxtr.exe r
O4 - HKLM\..\Run: [0snS3mX] psipromn.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKCU\..\Run: [HB42Rgb7U] plusvr.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll


Delete the following files/folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory. (If you can't find them, do a search for them; make sure you have search hidden files, folders, subdirectories, etc. enabled if it applies to your OS.)

C:\WINDOWS\System32\klaapm.exe
C:\WINDOWS\System32\plusvr.exe
C:\WINDOWS\System32\psipromn.exe
C:\Program Files\Aprps\CxtPls.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\System32\nsv275.dll
C:\WINDOWS\System32\richedtr.dll
C:\WINDOWS\System32\klaapm.exe
C:\WINDOWS\System32\richup.exe
C:\Program Files\Cas\Client\casmf.dll


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.


Once done...reboot back to normal windows...

STEP 2...............................................

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Please download nailfix at
http://www.noidea.us/easyfile/file.p...50515010747824
Unzip it to the desktop but do NOT run it yet.

Download Rkfiles.zip http://skads.org/special/rkfiles.zip
UNZIP the contents to a permanent folder on your desktop.

Download the following attachment remv3.zip http://forums.skads.org/index.php?showtopic=80
Make a folder on the root drive C:\ and unzip the files into it.

STEP 3............................................................

Reboot into safe mode!!

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next...
  • Run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido

Double click rkfiles.bat
It will scan for a while, so please be patient.
Wait till the dos window closes.
Open the C:\log.txt it created and rename it log1.txt.

Now open the folder where you saved the remv3.zip files and click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log files will be C:\log.txt and bad1.txt

**Note** Each tool uses log.txt as its output file, so make sure you save the entries from one tool before running the other, as it will overwrite the file if you don't.

Reboot back to normal mode and post the following logs...

Remv3 (log.txt) log
Rkfiles (log1.txt) log
Hijackthis log
Ewido scan log
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools: HijackThis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
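The "Delete a file on reboot" step above (HijackThis' Misc Tools; KillBox's "Delete on Reboot" later in this thread works the same way) does not delete anything immediately: it queues the deletion for the Session Manager to carry out at the next boot, before the loader that keeps re-creating the file is running. The following Python is an added example, not code from this thread or from either tool. It decodes that queue so you can confirm the deletion was actually registered before you reboot, and, on Windows as an administrator, queues one the way the tools do. It assumes the documented Windows mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends a source/target pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and an empty target means "delete". The sample value is constructed, not captured from the poster's machine.

```python
r"""Decode and use the delete-on-reboot queue behind HijackThis's
"Delete a file on reboot" and KillBox's "Delete on Reboot".

Added example, not code from the thread or from either tool. It assumes the
documented Windows mechanism: MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)
appends a source/target pair to the REG_MULTI_SZ value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations,
an empty target means "delete", and smss.exe applies the list early in the next
boot, before any user-mode loader that re-creates the file has started.
"""
import sys

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def _nt_to_dos(path):
    # The value stores NT-style names such as \??\C:\dir\file; strip the prefix for display.
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending(multi_sz):
    """Return (source, target) pairs from the REG_MULTI_SZ list; target None means delete."""
    items = list(multi_sz)
    if len(items) % 2 and items[-1] == "":   # tolerate a trailing empty string
        items.pop()
    if len(items) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    return [(_nt_to_dos(src), _nt_to_dos(dst) if dst else None)
            for src, dst in zip(items[0::2], items[1::2])]


def is_queued_for_delete(multi_sz, path):
    """True if `path` is queued for deletion (case-insensitive, like NTFS names)."""
    want = path.lower()
    return any(dst is None and src.lower() == want for src, dst in parse_pending(multi_sz))


def read_pending():
    """Read the live queue (Windows only); [] when nothing is pending."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


def queue_delete(path):
    """Queue `path` for deletion at next boot the way the tools do (Windows only, needs admin)."""
    if sys.platform != "win32":
        raise OSError("MoveFileEx is only available on Windows")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    k32.MoveFileExW.restype = wintypes.BOOL
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


# Constructed sample (not captured from the poster's machine): one deletion queued
# for the loader from the log above, plus one rename of the kind installers leave behind.
SAMPLE_MULTI_SZ = [
    r"\??\C:\WINDOWS\system32\dzkxtr.exe", "",
    r"\??\C:\WINDOWS\Temp\update.tmp", r"\??\C:\WINDOWS\system32\drivers\new.sys",
]

if __name__ == "__main__":
    queue = read_pending() if sys.platform == "win32" else SAMPLE_MULTI_SZ
    for src, dst in parse_pending(queue):
        print(f"{src} -> {'<delete at boot>' if dst is None else dst}")
```

Re-read the queue right before you reboot, not only right after queuing: anything that runs as an administrator in between, including the process you left suspended if it resumes, can rewrite that value. That is the practical reason the thread insists on keeping Process Explorer open with the loader suspended until the reboot.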
#4  06-27-2005, 02:20 AM
Posted by sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team)
sorry - posted in the wrong thread
__________________

Question - what have you done for the community today?

Last edited by sUBs; 06-27-2005 at 02:21 AM.
#5  06-27-2005, 08:46 PM
Posted by LiL LT
Hey Microbell,
Thanks for getting back to me. I have a problem though, I got to this step:

Run Process Explorer and find this Process in the list of Processes.

c:\windows\system32\dzkxtr.exe

and I couldn't find this file in the process list. In fact, I couldn't tell if any of the files were in System32; maybe I need to configure Process Explorer a certain way?

Anyway, I discovered that if I connect to the Internet this thing just keeps on exploding. Here is my latest HJT log, which I ran after downloading Process Explorer and trying to run it, then shutting down and restarting without my internet connection.

Logfile of HijackThis v1.99.0
Scan saved at 9:24:07 PM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\klaapm.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\psipromn.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\System32\u5cg6g0o.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\plusvr.exe
c:\windows\system32\hhwqqi.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Aprps\CxtPls.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sacbee.com/
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsv275.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\klaapm.exe reg_run
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [0snS3mX] psipromn.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [u5cg6g0o] C:\WINDOWS\System32\u5cg6g0o.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [puvusj] c:\windows\system32\hhwqqi.exe r
O4 - HKCU\..\Run: [HB42Rgb7U] plusvr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuxxy.mht!http://elitegate.de/script/lc.chm::/Bridge-c139.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:\nosuxxx.mht!http://elitegate.de/script/ysb.chm::/ysb_regular.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---

the file you originally thought I should suspend doesn't seem to be there anymore. So tell me the truth...am I totally screwed?

Thanks!
#6  06-27-2005, 08:50 PM
Posted by LiL LT
Just in case you were wondering, I'm not on my computer now. Won't dare plug the connection back in!!
#7  06-28-2005, 12:05 AM
Posted by sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team)
No..You are not screwed...yet

The reason why you weren't able to find it with Process Explorer is because it has changed its identity. In your current log, it's known as c:\windows\system32\hhwqqi.exe

Let's take another crack at it...

~~~~~~~~~~~~~~~

We require some additional files/programs for this fix. Please download the following files :-
Do not run any of the files unless instructed to do so

Download & RUN FxIstbar.exe

Disconnect your computer from the Internet when you have finished downloading.


~~~~~~~~~~~~~~~


Uninstall the following programs using Control Panel>Add/Remove Programs :
  • CtxPls
  • Media Access
  • YourSite
  • SurfAccuracy

~~~~~~~~~~~~~~~

Run a scan with HiJackThis & locate an O4 entry that looks similar to this...
O4 - HKLM\..\Run: [puvusj] c:\windows\system32\hhwqqi.exe r
The name might be different, but it resides in the system32 folder & has the letter "r" at the end. Close HiJackThis after you have identified this file. This is the file we need to use Process Explorer with.

Run Process Explorer and find name & location of the file you've just identified in the list of Processes.
Select the process and click Process > Suspend.
Leave Process Explorer running with the process suspended.


~~~~~~~~~~~~~~~

Using KillBox

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.
  • name & location of the file you've just identified
  • C:\WINDOWS\System32\psipromn.exe
  • C:\Program Files\SurfAccuracy\SAcc.exe
  • C:\WINDOWS\System32\u5cg6g0o.exe
  • C:\Program Files\Media Access\MediaAccK.exe
  • C:\Program Files\Media Access\MediaAccess.exe
  • C:\WINDOWS\System32\plusvr.exe
  • c:\windows\system32\hhwqqi.exe
  • C:\Program Files\Aprps\CxtPls.exe
  • C:\WINDOWS\cfgmgr52.dll
  • C:\Program Files\Aprps\cxtpls.dll
  • C:\WINDOWS\System32\nsv275.dll
  • C:\WINDOWS\System32\richedtr.dll
  • C:\Program Files\YourSiteBar\ysb.dll
  • C:\WINDOWS\System32\klaapm.exe reg_run
  • C:\WINDOWS\System32\richup.exe
  • C:\Program Files\Power Scan\powerscan.exe
  • C:\Program Files\Cas\Client\casmf.dll

Start KillBox.
  1. Go to the File menu, and choose "Paste from Clipboard".
    Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there.
  2. Select/tick the following:
    • "Delete on Reboot"
    • "End Explorer Shell While Killing File"
    • "Unregister.dll Before Deleting" if it's not grayed out.
  3. Click the RED X button.
  4. Click "Yes" at the 'Delete on Reboot' prompt. Click "Yes" at the Pending Operations prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


~~~~~~~~~~~~~~~

Reboot to Safe Mode
  1. Shut Windows down, and then turn off the computer.
  2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
    Windows Advanced Options menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

~~~~~~~~~~~~~~~

Run a scan with HiJackThis & select(tick) the following & click "Fix checked" :

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsv275.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\klaapm.exe reg_run
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [0snS3mX] psipromn.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [u5cg6g0o] C:\WINDOWS\System32\u5cg6g0o.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [puvusj] c:\windows\system32\hhwqqi.exe r
O4 - HKCU\..\Run: [HB42Rgb7U] plusvr.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosuxxy.mht!http://elitegate.de/script/lc.chm::/Bridge-c139.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:\nosuxxx.mht!http://elitegate.de/script/ysb.chm::/ysb_regular.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll



~~~~~~~~~~~~~~~

Locate and delete the following folder(s), if present:
  • C:\Program Files\Aprps\
  • C:\Program Files\Cas\
  • C:\Program Files\SurfAccuracy\
  • C:\Program Files\Media Access\
  • C:\Program Files\YourSiteBar\
  • C:\Program Files\Power Scan\

~~~~~~~~~~~~~~~

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
  1. Click "Options..."
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • [X]Scan local drives for temporary files (Please uncheck this option)
    • Cleanup! All Users
  4. Click "OK"
  5. Press the "CleanUp!" button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders

Double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt.

Now open the folder where you saved remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt

**Note** Each tool uses log.txt as its output file, so make sure you save the entries from one tool's log before running the other, as it will overwrite the file if you don't.


Post the contents of both the log.txt and log1.txt in your next post

~~~~~~~~~~~~~~~

Reboot to Normal Mode.

Do an online scan at one of the following sites: Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


Reboot Again & Run a new scan with HiJackThis. Save the log file and run KRC HiJackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.

In your next post, please include:
  • Copy of KRC HiJackThis Analyzer log
  • List of files that online scans failed to disinfect
  • Remv3 & rkfiles logs

Please provide details of any problems you encountered whilst performing the above steps.
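sUBs' identification rule above (an O4 Run entry whose file sits in system32 and is launched with a lone "r" argument, under a name that changes between scans) is mechanical enough to automate, and so are the other patterns both helpers fixed. The following Python is an added example, not a tool used in this thread. It parses the O2/O3/O4/O16/O18 lines of a HijackThis v1.99 log, flags entries with this editor's encoding of the helpers' rules (the "r" loader; bare filenames resolved through the search path; modules dropped in the Windows directory itself; digits mixed into generated-looking names; O16 ActiveX packages fetched through ms-its:mhtml: URLs; an O18 filter on text/html), and diffs two logs to pair a flagged entry that vanished with a flagged newcomer of the same shape, which is how dzkxtr.exe maps to hhwqqi.exe. The embedded sample logs are lines copied from the two logs posted above; the flags are review prompts, not verdicts on any single entry.

```python
"""Triage helpers for HijackThis v1.99 logs.

Added example, not a tool used in this thread: parses O2/O3/O4/O16/O18 lines,
flags entries with the rules the helpers applied above (review prompts, not
verdicts), and diffs two logs to find the loader that changed its random name.
The sample logs are lines copied from the two logs posted in this thread.
"""
import ntpath
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind name path args raw")

_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
_OBJ = re.compile(r"^(O2|O3) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
_O16 = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (.*)$")
_O18 = re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
_CMD = re.compile(r"(.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s+(.*))?$", re.I)


def _split_cmd(cmd):
    # Split a Run command into (program, arguments); a quoted path may contain spaces.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = _CMD.match(cmd)
    return (m.group(1), (m.group(2) or "").strip()) if m else (cmd, "")


def parse_log(text):
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := _O4.match(line):
            path, args = _split_cmd(m.group(4))
            entries.append(Entry("O4", m.group(3), path, args, line))
        elif m := _OBJ.match(line):
            entries.append(Entry(m.group(1), m.group(2), m.group(4).strip(), "", line))
        elif m := _O16.match(line):
            entries.append(Entry("O16", m.group(2) or m.group(1), m.group(3).strip(), "", line))
        elif m := _O18.match(line):
            entries.append(Entry("O18", m.group(1), m.group(3).strip(), "", line))
    return entries


def target(e):
    # The module that carries the code: for a rundll32 launch that is the DLL argument.
    if e.kind == "O4" and ntpath.basename(e.path).lower() == "rundll32.exe":
        return e.args.split(",")[0].strip().strip('"')
    return e.path


def flags(e):
    """Reasons an entry deserves a look; an empty list means nothing stood out."""
    t = target(e).lower()
    d, base = ntpath.dirname(t), ntpath.basename(t)
    why = []
    if e.kind == "O4" and e.args.lower() == "r" and d.endswith("system32"):
        why.append("system32 executable launched with a lone 'r' argument (the respawning loader)")
    if e.kind == "O4" and "\\" not in t:
        why.append("bare filename resolved through the search path; locate it before judging")
    if d in ("c:\\windows", "c:\\winnt"):
        why.append("module dropped directly into the Windows directory, not a program folder")
    if e.kind in ("O2", "O4") and re.search(r"\d", base) and re.search(r"[a-z]", base):
        why.append("digits mixed into the file name, as generated names often are")
    if e.kind == "O16" and re.match(r"(ms-its|mhtml):", t):
        why.append("ActiveX package fetched through an ms-its/mhtml URL (the CHM drive-by pattern)")
    if e.kind == "O18" and e.name.lower() == "text/html":
        why.append("MIME filter on text/html sits in front of every page IE renders")
    return why


def shape(e):
    # What a renamed loader keeps: entry kind, directory and arguments (never the name).
    t = target(e).lower()
    return (e.kind, ntpath.dirname(t), e.args.lower())


def find_renamed(old, new):
    """Pair a flagged entry that vanished from `old` with a flagged newcomer in `new`
    of the same shape: the file that 'changed its identity' between scans."""
    old_paths = {target(e).lower() for e in old}
    new_paths = {target(e).lower() for e in new}
    gone = [e for e in old if flags(e) and target(e).lower() not in new_paths]
    fresh = [e for e in new if flags(e) and target(e).lower() not in old_paths]
    return [(target(o), target(n)) for o in gone for n in fresh if shape(o) == shape(n)]


LOG_JUN26 = r"""
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [mtflnn] c:\windows\system32\dzkxtr.exe r
O4 - HKLM\..\Run: [0snS3mX] psipromn.exe
"""

LOG_JUN27 = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [u5cg6g0o] C:\WINDOWS\System32\u5cg6g0o.exe
O4 - HKLM\..\Run: [puvusj] c:\windows\system32\hhwqqi.exe r
O4 - HKLM\..\Run: [0snS3mX] psipromn.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:\nosuxxx.mht!http://elitegate.de/script/ysb.chm::/ysb_regular.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
"""

if __name__ == "__main__":
    old, new = parse_log(LOG_JUN26), parse_log(LOG_JUN27)
    for e in new:
        for reason in flags(e):
            print(f"{e.kind} {target(e)}: {reason}")
    for was, now in find_renamed(old, new):
        print(f"renamed loader: {was} -> {now}")
```

Run it on two full logs saved a reboot apart. An entry that reappears under a new random name but keeps its directory and arguments is the one to suspend first; fixing it by name alone, as the first round of instructions tried, misses the next incarnation.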
#8  06-29-2005, 07:56 PM
Posted by LiL LT
Thank you!

Did almost everything to your specifications, except I forgot to uncheck scan local drives when I ran CleanUp. It seems to be running much better. I still get some pop-ups, but nothing like before! What is my next step?

Here are the latest log files:

Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 9:30:46 PM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\klaapm.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sacbee.com/
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\klaapm.exe reg_run
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


End of KRC HijackThis Analyzer Log.
====================================================================
Rem3 logs:

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is ACE5-E102

Directory of C:\WINDOWS\system32

msi.dll
Finished

The batch is run from -- C:\Downtemp
=========================================
rkfiles:

C:\Downtemp

============

Files Panda would not delete: (I hope this listing isn't too obnoxious)


Incident Status Location

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\System32\eykkiup.dll
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\System32\klaapm.exe
Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\duaa.exe
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/PowerScan No disinfected C:\Documents and Settings\Veronica Rowan\Start Menu\Programs\Power Scan
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\System32\SahImages
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Fun & Games\Betting.lnk
Adware:Adware/BookedSpace No disinfected Windows Registry
Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\Veronica Rowan\Start Menu\Programs\AdDestroyer
Adware:Adware/WUpd No disinfected C:\WINDOWS\System32\ide21201.vxd
Adware:Adware/EliteBar No disinfected Windows Registry
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\Veronica Rowan\Desktop\Free Sony PS3.url
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Veronica Rowan\Desktop\Gambling Board.url
Adware:Adware/ImGiant No disinfected C:\Documents and Settings\Veronica Rowan\Desktop\Kill All Spyware.url
Adware:Adware/BigTrafficNet No disinfected Windows Registry
Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\duaa.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\Veronica Rowan\Desktop\Free Sony PS3.url
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\Veronica Rowan\Desktop\Free Xbox 360.url
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Veronica Rowan\Desktop\Gambling Board.url
Adware:Adware/ImGiant No disinfected C:\Documents and Settings\Veronica Rowan\Desktop\Kill All Spyware.url
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\1111\1111.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Fun & Games\Betting.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Fun & Games\Casino Palace.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Fun & Games\Casino.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Fun & Games\Games.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Fun & Games\Horoscope.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Going Places\Air Tickets.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Going Places\Car Rentals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Going Places\Hotel Deals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Going Places\Luggage.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Going Places\Travel.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Living\Dating.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Living\Find a Degree.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Living\Find a job.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Living\Home.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Living\Insurance.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Shop\Auctions.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Shop\Books.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Shop\Computers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Shop\Discount.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Shop\Flowers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Shop\Golf.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Shop\Jewelry.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Shop\Movies.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Shop\Music.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Shop\Online Store.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Shop\Perfume.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Shop\Sleepwear.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Technology\Adware Remover.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Technology\Anti-Virus.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Technology\PC Cleaner.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\Veronica Rowan\Favorites\Technology\Tech & gadgets.lnk
Adware:Adware/WUpd No disinfected C:\hjt\backups\backup-20050628-212442-181.dll
Spyware:Spyware/ISTbar No disinfected C:\hjt\backups\backup-20050628-212443-330.dll
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\acfkkedy.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\megp6juq.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\qzqbmx.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\0120o83v.dll
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\eykkiup.dll
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\ide21201.vxd
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\klaapm.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\qbn7at32.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\qguuk.dat
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\rgkks.dll
Old 06-30-2005, 12:53 AM   #9 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Reboot into safe mode. Run hijackthis and fix the following..

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\klaapm.exe reg_run

**Note** This filename may have changed names. If so...add the one found in that entry.

Now run KILLBOX using the same instructions as before for these files..

C:\WINDOWS\System32\klaapm.exe
C:\WINDOWS\acfkkedy.exe
C:\WINDOWS\megp6juq.exe
C:\WINDOWS\qzqbmx.exe
C:\WINDOWS\system32\0120o83v.dll
C:\WINDOWS\system32\eykkiup.dll
C:\WINDOWS\system32\ide21201.vxd
C:\WINDOWS\system32\klaapm.exe
C:\WINDOWS\system32\qbn7at32.exe
C:\WINDOWS\system32\qguuk.dat
C:\WINDOWS\system32\rgkks.dll
C:\WINDOWS\System32\eykkiup.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\duaa.exe
C:\WINDOWS\System32\ide21201.vxd
C:\Documents and Settings\Veronica Rowan\Desktop\Gambling Board.url
C:\Documents and Settings\Veronica Rowan\Desktop\Kill All Spyware.url
C:\Documents and Settings\Veronica Rowan\Desktop\Free Sony PS3.url
C:\Documents and Settings\Veronica Rowan\Desktop\Free Xbox 360.url


Once you reboot....delete the following folders in bold...

C:\Documents and Settings\Veronica Rowan\Start Menu\Programs\AdDestroyer
C:\Documents and Settings\Veronica Rowan\Start Menu\Programs\Power Scan
C:\Documents and Settings\Veronica Rowan\Favorites\1111
C:\Documents and Settings\Veronica Rowan\Favorites\Shop
C:\Documents and Settings\Veronica Rowan\Favorites\Technology
C:\Documents and Settings\Veronica Rowan\Favorites\Fun & Games
C:\Documents and Settings\Veronica Rowan\Favorites\Going Places
C:\Documents and Settings\Veronica Rowan\Favorites\Living

Run another Panda scan and save its log. Post both another ActiveScan log and a HijackThis log.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
Old 06-30-2005, 11:05 PM   #10 (permalink)
I helped the forums.
 
Join Date: Jun 2005
Posts: 8
OS: win xp professional


Thanks for all your help!

Here are the latest logs:

HJT:

Logfile of HijackThis v1.99.0
Scan saved at 11:56:11 PM, on 6/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\klaapm.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sacbee.com/
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\klaapm.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Panda:


Adware:Adware/AdBehavior No disinfected C:\WINDOWS\System32\eykkiup.dll
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\System32\rgkks.dll
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\System32\klaapm.exe
Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\duaa.exe
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\System32\SahImages
Adware:Adware/BookedSpace No disinfected Windows Registry
Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\duaa.exe
Adware:Adware/WUpd No disinfected C:\hjt\backups\backup-20050628-212442-181.dll
Spyware:Spyware/ISTbar No disinfected C:\hjt\backups\backup-20050628-212443-330.dll
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\acfkkedy.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\megp6juq.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\qzqbmx.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\0120o83v.dll
Adware:Adware/ConsumerAlertSystem No disinfected C:\WINDOWS\system32\dist001.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\eykkiup.dll
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\klaapm.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\qbn7at32.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\qguuk.dat
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\rgkks.dll
Thanks again!!
Old 06-30-2005, 11:35 PM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,475
OS: N/A


Reboot into safe mode. Run hijackthis and fix the following..
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\klaapm.exe reg_run
Now run KILLBOX using the same instructions as before for these files..

C:\WINDOWS\System32\eykkiup.dll
C:\WINDOWS\System32\rgkks.dll
C:\WINDOWS\System32\klaapm.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\duaa.exe
C:\WINDOWS\System32\SahImages
C:\WINDOWS\acfkkedy.exe
C:\WINDOWS\megp6juq.exe
C:\WINDOWS\qzqbmx.exe
C:\WINDOWS\system32\0120o83v.dll
C:\WINDOWS\system32\dist001.exe
C:\WINDOWS\system32\eykkiup.dll
C:\WINDOWS\system32\qbn7at32.exe
C:\WINDOWS\system32\qguuk.dat
Upon reboot, do another HJT scan. Do another Panda scan if you see this entry re-appearing
O4 - HKLM\..\Run: [KavSvc]
If it's gone, just post the fresh HJT log
__________________

Question - what have you done for the community today?
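The triage that MicroBell and sUBs did by hand in the two replies above (match Panda's file hits to the O4 entry and the running process, fix the O4 line in HijackThis, hand the files to KillBox, then re-check the fresh HJT log), as an added Python example. It is not code from the thread, from HijackThis, KillBox or Panda; it assumes HJT's backup folder is C:\hjt\backups (the path in the Panda logs above), its sample input is constructed from trimmed lines of the posted logs, and the names `triage`, `parse_panda`, `parse_hjt`, `image_of` and `suspicious_entries` are its own. It adds three checks the hand-built lists above do not make: the KillBox list repeats the same file under System32 and system32, which the script collapses because Windows paths are case-insensitive; Panda's "Windows Registry" hits and the C:\hjt\backups\*.dll hits are not files KillBox should touch (the latter are HijackThis's own backups of entries already fixed, which is why a re-scan keeps reporting them); and the [KavSvc] value is watched by name, so it is still flagged if the file behind it is renamed, which is MicroBell's "this filename may have changed" caveat and sUBs's "if you see this entry re-appearing" check.

```python
"""Triage a HijackThis log against a Panda ActiveScan hit list, then verify.
Added example for this thread, not code from HijackThis, KillBox or Panda;
the sample input at the bottom is constructed from trimmed lines of the posted logs."""
import re
from pathlib import PureWindowsPath

BACKUP_DIR = r"C:\hjt\backups"   # HJT's backup folder on this machine (assumed)
PANDA_RE = re.compile(r"^\w+:(?P<family>\S+?)\s*No disinfected\s+(?P<loc>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.+)$")

def norm(path):
    """Case-insensitive key for a Windows path (Windows paths ignore case)."""
    return str(PureWindowsPath(path)).lower()

def parse_panda(text):
    """Return (files {key: first spelling}, sorted registry families, backups)."""
    files, registry, backups = {}, set(), {}
    for m in filter(None, (PANDA_RE.match(ln.strip()) for ln in text.splitlines())):
        loc = m["loc"].strip()
        if loc == "Windows Registry":
            registry.add(m["family"])                 # nothing for KillBox here
        elif norm(loc).startswith(norm(BACKUP_DIR) + "\\"):
            backups.setdefault(norm(loc), loc)      # HJT's own backup, not live
        else:
            files.setdefault(norm(loc), loc)        # System32 == system32
    return files, sorted(registry), backups

def image_of(cmd):
    """Executable in a Run value: quoted path, else first token (an unquoted
    path with spaces and no arguments is kept whole)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    head, _, tail = cmd.partition(" ")
    return cmd if tail and not head.lower().endswith(".exe") else head

def parse_hjt(text):
    """Return (running processes, [(location, value name, image), ...])."""
    procs, runs, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
        elif in_procs:
            in_procs = False                          # blank line ends the list
        elif (m := O4_RE.match(line)):
            rest = m["rest"]
            if rest.startswith("["):                  # Run value: [Name] command
                name, _, cmd = rest[1:].partition("] ")
                image = image_of(cmd)
            else:                                     # Startup folder: x.lnk = target
                name, _, image = rest.partition(" = ")
            runs.append((m["where"], name, image.strip()))
    return procs, runs

def suspicious_entries(procs, runs, bad_files, watch_names=()):
    """Entries pointing at a known-bad file, plus O4 values with a watched name
    (MicroBell's caveat: the file behind [KavSvc] may have been renamed)."""
    bad = {norm(p) for p in bad_files}
    # A bare filename in a Run value is resolved via the search path, so it is
    # matched on basename only; that can over-match, so review such hits.
    bad_names = {PureWindowsPath(p).name.lower() for p in bad_files}
    watch = {w.lower() for w in watch_names}
    found = [("process", p) for p in procs if norm(p) in bad]
    for where, name, image in runs:
        hit = norm(image) in bad or ("\\" not in image and image.lower() in bad_names)
        if hit or name.lower() in watch:
            found.append(("O4", f"{where}: [{name}] {image}"))
    return found

PANDA = r"""Adware:Adware/AdBehavior No disinfected C:\WINDOWS\System32\klaapm.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\klaapm.exe
Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\duaa.exe
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\hjt\backups\backup-20050628-212442-181.dll
Adware:Adware/ConsumerAlertSystemNo disinfected C:\WINDOWS\system32\dist001.exe
"""
HJT_BEFORE = r"""Running processes:
C:\WINDOWS\System32\klaapm.exe
C:\hjt\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\klaapm.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""
HJT_AFTER = "\n".join(ln for ln in HJT_BEFORE.splitlines() if "klaapm" not in ln)

def triage(panda=PANDA, hjt=HJT_BEFORE, watch=("KavSvc",)):
    """Deletion list, the hits KillBox cannot handle, and what the HJT log still shows."""
    files, registry, backups = parse_panda(panda)
    return {
        "delete": sorted(files.values(), key=norm),   # one spelling per file
        "registry_only": registry,                     # needs a registry fix
        "hjt_backups": sorted(backups.values()),       # purge via HJT's backup list
        "flagged": suspicious_entries(*parse_hjt(hjt), files.values(), watch),
    }
```

Calling `triage()` on the samples returns one deletion entry per file, the Dyfuca registry hit and the HJT backup on their own lists, and flags the klaapm.exe process plus the [KavSvc] O4 line; `triage(hjt=HJT_AFTER)` flags nothing, which is the "post the fresh HJT log" check. On a real case paste the full Panda and HJT logs in place of the samples. Bare filenames in Run values (essspk.exe, realsched.exe) are matched on basename only, which can over-match, so review those hits by hand before deleting anything.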
Old 07-05-2005, 07:48 PM   #12 (permalink)
I helped the forums.
 
Join Date: Jun 2005
Posts: 8
OS: win xp professional


Thanks again!! Here is the latest HJT log

Logfile of HijackThis v1.99.0
Scan saved at 9:43:41 PM, on 7/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sacbee.com/
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


I have one more question...what is this file - C:\WINDOWS\System32\wuauclt.exe..?

Ronni
Old 07-05-2005, 08:41 PM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,475
OS: N/A


Ronni,

C:\WINDOWS\System32\wuauclt.exe is the Windows Update file.

So tell me .... How does it feel to be clean again?

Well done
Do you have any more problems with your computer? If not, you should be set to go.

However, there still remains a few bits of housekeeping ...

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.


Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start > Settings > Control Panel > System > Automatic Updates
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use: and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.


In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
Old 07-06-2005, 06:51 PM   #14 (permalink)
I helped the forums.
 
Join Date: Jun 2005
Posts: 8
OS: win xp professional


Thanks so much, it feels great!!! You folks are super, you really helped me out. So far the computer is working great, with no problems. I've installed a new virus protection with firewall.

I got the virus while I was looking at pictures of (don't laugh) - hairstyles. I just clicked on one of the hyperlinked pictures and BAM - everything started going crazy! Needless to say, I'll never go back to that website again!!

Thanks again!

P.S. I made a donation to the new server fund. Hope it helps!
 


Copyright 2001 - 2009, Tech Support Forum