08-22-2005, 02:01 AM   #1
Registered User
Join Date: Aug 2005
Posts: 13
OS: Win/XP


HJT Log for Abcsearch4u

Have downloaded all the programs mentioned in the following thread. Will proceed after your review. Thanks.
http://www.techsupportforum.com/comp...c/55123-1.html

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 12:32:24 AM, on 8/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\inet20081\services.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system\winlgon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\winsocks5.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\windows\ckbbphc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\ServicePackFiles\i386\IExplore.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\mm1.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: run=C:\WINDOWS\inet20081\services.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [.service] C:\WINDOWS\system\winlgon.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [jxeobpum] C:\WINDOWS\System32\jxeobpum.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20081\services.exe
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\winsocks5.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [mroceul] c:\windows\ckbbphc.exe
O4 - HKCU\..\Run: [jxeobpum] C:\WINDOWS\System32\jxeobpum.exe
O4 - HKCU\..\Run: [jlsbttw] c:\windows\ckbbphc.exe
O4 - HKCU\..\Run: [mywsppr] c:\windows\fyntatb.exe
O4 - HKCU\..\Run: [eysikgj] c:\windows\fyntatb.exe
O4 - HKCU\..\Run: [wfrqolu] c:\windows\fyntatb.exe
O4 - HKCU\..\Run: [kkxbeao] c:\windows\fyntatb.exe
O4 - HKCU\..\Run: [sswfxiq] c:\windows\fyntatb.exe
O4 - HKCU\..\Run: [ivjbpox] c:\windows\bsebvfx.exe
O4 - HKCU\..\Run: [ybmcflj] c:\windows\bsebvfx.exe
O4 - HKCU\..\Run: [csgxbut] c:\windows\bsebvfx.exe
O4 - HKCU\..\Run: [pbpduyy] c:\windows\bsebvfx.exe
O4 - HKCU\..\Run: [vgiprip] c:\windows\bsebvfx.exe
O4 - HKCU\..\Run: [gviaugi] c:\windows\tpuebwr.exe
O4 - HKCU\..\Run: [ehhysxu] c:\windows\tpuebwr.exe
O4 - HKCU\..\Run: [wrneiht] c:\windows\pulqfcf.exe
O4 - HKCU\..\Run: [goqbiqs] c:\windows\pulqfcf.exe
O4 - HKCU\..\Run: [tcpvbdj] c:\windows\pulqfcf.exe
O4 - HKCU\..\Run: [uawfqyb] c:\windows\pulqfcf.exe
O4 - HKCU\..\Run: [cqgvavr] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [nnfftsu] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [oacauqr] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [utnbmvh] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [xcuntqm] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [lindfii] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [halqcju] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [bfodrkf] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [lfbdobv] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [mgvqqlf] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [tsginnb] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [bcoqtyp] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [qalxslp] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [mynbaqb] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [conkdcm] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [gjlsscs] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [socsayx] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [nguyxhr] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [vdidyhn] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [wofvnfj] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [ohjnykb] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [iyejvsx] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [pilcpsn] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [tavoevu] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [bbechth] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [qlxcvlm] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [bsrfnrb] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [ibidkwu] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [rhnvhcc] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [uoiltka] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [tqnfnep] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [iemedpj] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [xlvglyv] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [cbpetdb] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [mgeigfr] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [dhyoryx] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [kmjghck] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [mudcwfa] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [oupsxwh] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [njsivxm] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [plspbqq] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [rxlhdxq] c:\windows\hjaxsbi.exe
O4 - HKCU\..\Run: [jyoloii] c:\windows\hjaxsbi.exe
O4 - HKCU\..\Run: [ngcsdgs] c:\windows\rumxygq.exe
O4 - HKCU\..\Run: [vvpspak] c:\windows\rumxygq.exe
O4 - HKCU\..\Run: [jddelcp] c:\windows\rsfofrr.exe
O4 - HKCU\..\Run: [kunppfw] c:\windows\jtbbphw.exe
O4 - HKCU\..\Run: [vpcnsen] c:\windows\cctvvxs.exe
O4 - HKCU\..\Run: [fogpowx] c:\windows\frdrlrw.exe
O4 - HKCU\..\Run: [bmdwtrl] c:\windows\kthtjmy.exe
O4 - HKCU\..\Run: [wgcpfaw] c:\windows\kthtjmy.exe
O4 - HKCU\..\Run: [xcuesgb] c:\windows\smcclrh.exe
O4 - HKCU\..\Run: [rmcjiid] c:\windows\smcclrh.exe
O4 - HKCU\..\Run: [vyeoexn] c:\windows\jqptcvc.exe
O4 - HKCU\..\Run: [aqkpcxd] c:\windows\wxcxmeo.exe
O4 - HKCU\..\Run: [ychrvmi] c:\windows\jqptcvc.exe
O4 - HKCU\..\Run: [eqeghbv] c:\windows\wxcxmeo.exe
O4 - HKCU\..\Run: [affijos] c:\windows\cotgdqx.exe
O4 - HKCU\..\Run: [lniltrg] c:\windows\cotgdqx.exe
O4 - HKCU\..\Run: [flqiyte] c:\windows\kvqfbsp.exe
O4 - HKCU\..\Run: [sssqsot] c:\windows\kvqfbsp.exe
O4 - HKCU\..\Run: [wscrpvw] c:\windows\kvqfbsp.exe
O4 - HKCU\..\Run: [qxqgpkq] c:\windows\crvhvod.exe
O4 - HKCU\..\Run: [meuemcx] c:\windows\ryjodny.exe
O4 - HKCU\..\Run: [prhsihs] c:\windows\ryjodny.exe
O4 - HKCU\..\Run: [ydmhyuo] c:\windows\heshvsh.exe
O4 - HKCU\..\Run: [noaapiw] c:\windows\sfbimkg.exe
O4 - HKCU\..\Run: [kqdcmrv] c:\windows\sfbimkg.exe
O4 - HKCU\..\Run: [bllwney] c:\windows\sfbimkg.exe
O4 - HKCU\..\Run: [xdfkqwf] c:\windows\iusuknl.exe
O4 - HKCU\..\Run: [jkdpmwe] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [vnlohmb] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [ahusrth] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [ufslyur] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [jfprcsj] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [hkagimf] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [tiyjowl] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [pfkqdpm] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [jekqtxx] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [lbsngkk] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [bxvvgae] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [vcydumn] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [cprdfws] c:\windows\tuhdsjx.exe
O4 - HKCU\..\Run: [qjtwblu] c:\windows\ertkloh.exe
O4 - HKCU\..\Run: [adhrbtm] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [uyxtbxi] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [gsutcyh] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [iyxraqv] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [ephvflp] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [erpouxk] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [gsdgbea] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [vhxdtmh] c:\windows\jyquhjm.exe
O4 - HKCU\..\Run: [guyxqga] c:\windows\jyquhjm.exe
O4 - HKCU\..\Run: [yarybsq] c:\windows\cdhipuc.exe
O4 - HKCU\..\Run: [lwrpujk] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [ihhqkvh] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [vluywwk] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [bxhmoaq] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [pgwmbyi] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20081\services.exe
O4 - HKCU\..\Run: [ijnquan] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [aynhspq] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [ttrgqlb] c:\windows\apgcqaw.exe
O4 - HKCU\..\Run: [vrubjcy] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [kqqfxnk] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [pliomry] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [lepfmln] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [temvoco] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [smydscn] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [vwxfdwv] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [drpjvij] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [sjcmrps] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [irnyxfi] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [jktnsdp] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [kqwdywc] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [fplufjn] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [fbqrdtq] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [ftdsveg] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [trqghky] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [rvbasgf] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [hxdfyll] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [mguttov] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [smxkdwr] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [xiynner] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [aeeycoj] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [gektqbp] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [oiripjt] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [lvxvylk] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [uioutex] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [avyuwrv] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [ojxyyqd] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [wivpivr] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [hflbpns] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [osjkakv] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [nbxvfvf] c:\windows\rjjgmin.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122623011640
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/355//strpg.chm::/update.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Posted by Spoonie
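The log above is a textbook autostart flood: dozens of HKCU Run values with random seven-letter names, all pointing at a handful of randomly named executables dropped directly into C:\WINDOWS, plus a services.exe living outside System32. The Python below is an added example and is not part of the original thread or of HijackThis: it parses the O4 Run lines of an HJT log, groups them by the binary they launch, applies a few triage heuristics (random value or file name, binary in the Windows root, system-binary name outside System32, several Run values for one file) and prints the deduplicated file list a responder would hand to a delete-on-reboot tool. SAMPLE_LOG is a constructed excerpt modelled on the posted log, the function names and heuristics are mine, and "binary directly in the Windows folder" in particular is a hint worth checking, not proof of malice.

```python
"""Triage of HijackThis O4 autostart entries.

Added example, not part of the thread or of HijackThis itself. The heuristics
(random value/file names, binaries in the Windows root, system-binary names
outside System32, several Run values for one file) are triage hints, not
proof of malice on their own.
"""
import ntpath
import re
from collections import defaultdict

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20081\services.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\winsocks5.exe
O4 - HKCU\..\Run: [mroceul] c:\windows\ckbbphc.exe
O4 - HKCU\..\Run: [jlsbttw] c:\windows\ckbbphc.exe
O4 - HKCU\..\Run: [cqgvavr] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [nnfftsu] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [oacauqr] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20081\services.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
"""

# HJT prints Run entries as:  O4 - HKLM\..\Run: [ValueName] command line
O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
RANDOM_NAME = re.compile(r'[a-z]{7}')      # the pattern in this log: 7 lowercase letters
SYSTEM_NAMES = {'services.exe', 'svchost.exe', 'winlogon.exe', 'lsass.exe', 'smss.exe', 'csrss.exe'}
WINDIR = r'c:\windows'
SYSTEM32 = r'c:\windows\system32'


def command_path(cmd):
    """Extract the executable path from a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_o4(log_text):
    """Return one dict per HKLM/HKCU Run entry: hive, value name, lower-cased path."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries.append({'hive': m['hive'], 'name': m['name'],
                            'path': command_path(m['cmd']).lower()})
    return entries


def triage(log_text):
    """Group Run entries by target binary and attach the reasons each looks suspect."""
    by_path = defaultdict(lambda: {'names': set(), 'reasons': set()})
    for e in parse_o4(log_text):
        rec = by_path[e['path']]
        rec['names'].add(e['name'])
        if RANDOM_NAME.fullmatch(e['name']):
            rec['reasons'].add('random value name')
    for path, rec in by_path.items():
        base, folder = ntpath.basename(path), ntpath.dirname(path)
        if base.endswith('.exe') and RANDOM_NAME.fullmatch(base[:-4]):
            rec['reasons'].add('random file name')
        if folder == WINDIR:
            rec['reasons'].add('binary directly in Windows folder')
        if base in SYSTEM_NAMES and folder != SYSTEM32:
            rec['reasons'].add('system binary name outside System32')
        if len(rec['names']) > 1:
            rec['reasons'].add('multiple Run values for one binary')
    return dict(by_path)


def flagged_paths(log_text):
    """Sorted, deduplicated list of binaries with at least one reason attached."""
    return sorted(p for p, rec in triage(log_text).items() if rec['reasons'])


if __name__ == '__main__':
    for path, rec in sorted(triage(SAMPLE_LOG).items()):
        flag = 'SUSPECT' if rec['reasons'] else 'ok     '
        print(f"{flag} {path}  values={sorted(rec['names'])}  {'; '.join(sorted(rec['reasons']))}")
    print('\nDeduplicated delete candidates:')
    print('\n'.join(flagged_paths(SAMPLE_LOG)))
```

Run against a full HJT log the script collapses the dozens of `c:\windows\nmawyda.exe` and `c:\windows\gheaqxi.exe` values into one line each, which is also the list to verify on disk before anything is deleted: a value name pointing at a file that no longer exists is just a dead key, and a vendor binary in the Windows root can be legitimate.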
08-22-2005, 03:27 AM   #2
sUBs - Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,326
OS: N/A


Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Start HijackThis & Go to Config> Misc Tools > Open ADS Spy
  1. Checkmark/tick - "Ignore Safe System Info Streams"
  2. Click the "Scan" button
  3. When it has finished scanning, checkmark/tick all that it found
  4. Click the "remove selected" button


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

CleanUp!.exe - Install

KillBox v2.0.0.175

About Buster.zip - Unzip to a new folder. Update About Buster & exit the program once that is completed.

CWShredder.exe
  1. Open CWShredder and click - I AGREE
  2. Click - Check For Update
  3. Close CWShredder after updating
HSFix.zip

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

smitRem.exe - extract it to its own folder.

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customized my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: run=C:\WINDOWS\inet20081\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [.service] C:\WINDOWS\system\winlgon.exe
O4 - HKLM\..\Run: [jxeobpum] C:\WINDOWS\System32\jxeobpum.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20081\services.exe
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\winsocks5.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [mroceul] c:\windows\ckbbphc.exe
O4 - HKCU\..\Run: [jxeobpum] C:\WINDOWS\System32\jxeobpum.exe
O4 - HKCU\..\Run: [jlsbttw] c:\windows\ckbbphc.exe
O4 - HKCU\..\Run: [mywsppr] c:\windows\fyntatb.exe
O4 - HKCU\..\Run: [eysikgj] c:\windows\fyntatb.exe
O4 - HKCU\..\Run: [wfrqolu] c:\windows\fyntatb.exe
O4 - HKCU\..\Run: [kkxbeao] c:\windows\fyntatb.exe
O4 - HKCU\..\Run: [sswfxiq] c:\windows\fyntatb.exe
O4 - HKCU\..\Run: [ivjbpox] c:\windows\bsebvfx.exe
O4 - HKCU\..\Run: [ybmcflj] c:\windows\bsebvfx.exe
O4 - HKCU\..\Run: [csgxbut] c:\windows\bsebvfx.exe
O4 - HKCU\..\Run: [pbpduyy] c:\windows\bsebvfx.exe
O4 - HKCU\..\Run: [vgiprip] c:\windows\bsebvfx.exe
O4 - HKCU\..\Run: [gviaugi] c:\windows\tpuebwr.exe
O4 - HKCU\..\Run: [ehhysxu] c:\windows\tpuebwr.exe
O4 - HKCU\..\Run: [wrneiht] c:\windows\pulqfcf.exe
O4 - HKCU\..\Run: [goqbiqs] c:\windows\pulqfcf.exe
O4 - HKCU\..\Run: [tcpvbdj] c:\windows\pulqfcf.exe
O4 - HKCU\..\Run: [uawfqyb] c:\windows\pulqfcf.exe
O4 - HKCU\..\Run: [cqgvavr] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [nnfftsu] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [oacauqr] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [utnbmvh] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [xcuntqm] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [lindfii] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [halqcju] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [bfodrkf] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [lfbdobv] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [mgvqqlf] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [tsginnb] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [bcoqtyp] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [qalxslp] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [mynbaqb] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [conkdcm] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [gjlsscs] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [socsayx] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [nguyxhr] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [vdidyhn] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [wofvnfj] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [ohjnykb] c:\windows\nmawyda.exe
O4 - HKCU\..\Run: [iyejvsx] c:\windows\nmawyda.e



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • end Explorer shell while killing file
  • unregister dll before deleting (if it's not grayed out)
Select all the filenames below & then click on Notepad's 'Edit' menu & select Copy
  • C:\WINDOWS\system\winlgon.exe
    C:\WINDOWS\System32\jxeobpum.exe
    C:\WINDOWS\system32\svcnt32.exe
    C:\WINDOWS\winsocks5.exe
    c:\windows\ckbbphc.exe
    C:\WINDOWS\System32\jxeobpum.exe
    C:\windows\ehxwpcs.exe
    C:\windows\hjaxsbi.exe
    C:\windows\rumxygq.exe
    C:\windows\rsfofrr.exe
    C:\windows\jtbbphw.exe
    C:\windows\cctvvxs.exe
    C:\windows\frdrlrw.exe
    C:\windows\kthtjmy.exe
    C:\windows\smcclrh.exe
    C:\windows\jqptcvc.exe
    C:\windows\wxcxmeo.exe
    C:\windows\jqptcvc.exe
    C:\windows\wxcxmeo.exe
    C:\windows\cotgdqx.exe
    C:\windows\kvqfbsp.exe
    C:\windows\crvhvod.exe
    C:\windows\ryjodny.exe
    c:\windows\heshvsh.exe
    c:\windows\sfbimkg.exe
    c:\windows\iusuknl.exe
    c:\windows\xyhdwko.exe
    c:\windows\tuhdsjx.exe
    c:\windows\ertkloh.exe
    c:\windows\dyakflu.exe
    c:\windows\jyquhjm.exe
    c:\windows\cdhipuc.exe
    C:\WINDOWS\inet20081\services.exe
    c:\windows\uttfmci.exe
    c:\windows\apgcqaw.exe
    c:\windows\wtotqmx.exe
    c:\windows\gheaqxi.exe
    c:\windows\uhpejci.exe
    c:\windows\rjjgmin.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Quote:
If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Enable - Show hidden files and folders
  • Disable - Hide file extensions for known types
  • Disable - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\WINDOWS\inet20081\

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run CWShredder & click on Fix.

Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Ewido with its updated definitions (it is important that all other windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will take at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click [Scan your PC] & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click [Scan Now]
  3. Enter your e-mail address & click [Scan Now] ...this begins downloading Panda's ActiveX controls (about 8 MB)
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
  3. Antispyware.log
  4. About Buster
  5. Ewido
  6. Smitfiles.txt
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
Posted by sUBs
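KillBox's "delete on Reboot" option, and the PendingFileRenameOperations message quoted in the post above, both come down to one mechanism: at boot the Session Manager reads HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, a REG_MULTI_SZ of source/destination pairs in which an empty destination means "delete the source", a destination beginning with "!" means "replace the existing destination", and paths carry the NT "\??\" prefix (the same value MoveFileEx writes for MOVEFILE_DELAY_UNTIL_REBOOT). The Python below is an added example, not from the thread and not KillBox's code: it encodes a delete list into that binary form and decodes a raw value back into readable operations, which is how a responder can confirm from a registry export or offline hive exactly which files are queued for deletion before rebooting (and spot anything else a sample has queued there). The function names are mine; the sample paths are taken from the fix list in the post.

```python
"""Encode/decode the PendingFileRenameOperations REG_MULTI_SZ value.

Added example (not from the thread or from KillBox). Layout: UTF-16LE strings,
each NUL-terminated, arranged as (source, destination) pairs, followed by one
extra NUL that terminates the list. An empty destination means "delete the
source"; a destination beginning with '!' means "replace the existing file".
Paths carry the NT object-manager prefix '\\??\\'.
"""
NT_PREFIX = '\\??\\'


def _strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def delete_ops(paths):
    """Operation list that queues every path for deletion at the next boot."""
    return [(p, '') for p in paths]


def encode_pending(ops):
    """ops: iterable of (source, destination). destination '' deletes the source,
    a destination starting with '!' replaces an existing file, anything else is
    a plain rename. Returns the raw REG_MULTI_SZ bytes."""
    parts = []
    for src, dst in ops:
        parts.append(NT_PREFIX + src)
        if dst == '':
            parts.append('')
        elif dst.startswith('!'):
            parts.append('!' + NT_PREFIX + dst[1:])
        else:
            parts.append(NT_PREFIX + dst)
    # each string gets its own NUL terminator, then the list gets a final NUL
    return ''.join(s + '\x00' for s in parts).encode('utf-16-le') + b'\x00\x00'


def decode_pending(raw):
    """Return [(source, destination, action), ...] with NT prefixes removed.
    action is 'delete', 'replace' or 'rename'. Splitting on the list terminator
    is wrong here because a delete entry is itself an empty string, so the
    value is walked as NUL-terminated strings and paired up."""
    text = raw.decode('utf-16-le')
    if text.endswith('\x00'):
        text = text[:-1]            # list terminator
    items = text.split('\x00')
    if items and items[-1] == '':
        items.pop()                 # produced by the last string's own NUL
    if len(items) % 2:
        raise ValueError('odd number of strings: value is truncated or corrupt')
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == '':
            action = 'delete'
        elif dst.startswith('!'):
            action, dst = 'replace', dst[1:]
        else:
            action = 'rename'
        ops.append((_strip_nt(src), _strip_nt(dst), action))
    return ops


if __name__ == '__main__':
    queued = delete_ops([r'C:\WINDOWS\system\winlgon.exe',
                         r'C:\WINDOWS\winsocks5.exe',
                         r'C:\WINDOWS\inet20081\services.exe'])
    raw = encode_pending(queued)
    print(f'{len(raw)} bytes of REG_MULTI_SZ')
    for src, dst, action in decode_pending(raw):
        print(f'{action:7} {src}' + (f' -> {dst}' if dst else ''))
```

The value is only honoured if it is still present at the next boot, which is what the quoted "removed by external process" warning is about: some cleaners and a few malware families clear or rewrite the key, so decoding it right before restarting is the cheap way to confirm the deletions are actually queued.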
08-23-2005, 03:35 AM   #3
Registered User
Join Date: Aug 2005
Posts: 13
OS: Win/XP


Fresh Logs

Here are the fresh logs. As you can see, "Abc" is still bothering me. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 12:36:48 AM, on 8/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\windows\eixcvha.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [kmjghck] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [mudcwfa] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [oupsxwh] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [njsivxm] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [plspbqq] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [rxlhdxq] c:\windows\hjaxsbi.exe
O4 - HKCU\..\Run: [jyoloii] c:\windows\hjaxsbi.exe
O4 - HKCU\..\Run: [ngcsdgs] c:\windows\rumxygq.exe
O4 - HKCU\..\Run: [vvpspak] c:\windows\rumxygq.exe
O4 - HKCU\..\Run: [jddelcp] c:\windows\rsfofrr.exe
O4 - HKCU\..\Run: [kunppfw] c:\windows\jtbbphw.exe
O4 - HKCU\..\Run: [vpcnsen] c:\windows\cctvvxs.exe
O4 - HKCU\..\Run: [fogpowx] c:\windows\frdrlrw.exe
O4 - HKCU\..\Run: [bmdwtrl] c:\windows\kthtjmy.exe
O4 - HKCU\..\Run: [wgcpfaw] c:\windows\kthtjmy.exe
O4 - HKCU\..\Run: [xcuesgb] c:\windows\smcclrh.exe
O4 - HKCU\..\Run: [rmcjiid] c:\windows\smcclrh.exe
O4 - HKCU\..\Run: [vyeoexn] c:\windows\jqptcvc.exe
O4 - HKCU\..\Run: [aqkpcxd] c:\windows\wxcxmeo.exe
O4 - HKCU\..\Run: [ychrvmi] c:\windows\jqptcvc.exe
O4 - HKCU\..\Run: [eqeghbv] c:\windows\wxcxmeo.exe
O4 - HKCU\..\Run: [affijos] c:\windows\cotgdqx.exe
O4 - HKCU\..\Run: [lniltrg] c:\windows\cotgdqx.exe
O4 - HKCU\..\Run: [flqiyte] c:\windows\kvqfbsp.exe
O4 - HKCU\..\Run: [sssqsot] c:\windows\kvqfbsp.exe
O4 - HKCU\..\Run: [wscrpvw] c:\windows\kvqfbsp.exe
O4 - HKCU\..\Run: [qxqgpkq] c:\windows\crvhvod.exe
O4 - HKCU\..\Run: [meuemcx] c:\windows\ryjodny.exe
O4 - HKCU\..\Run: [prhsihs] c:\windows\ryjodny.exe
O4 - HKCU\..\Run: [ydmhyuo] c:\windows\heshvsh.exe
O4 - HKCU\..\Run: [noaapiw] c:\windows\sfbimkg.exe
O4 - HKCU\..\Run: [kqdcmrv] c:\windows\sfbimkg.exe
O4 - HKCU\..\Run: [bllwney] c:\windows\sfbimkg.exe
O4 - HKCU\..\Run: [xdfkqwf] c:\windows\iusuknl.exe
O4 - HKCU\..\Run: [jkdpmwe] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [vnlohmb] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [ahusrth] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [ufslyur] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [jfprcsj] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [hkagimf] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [tiyjowl] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [pfkqdpm] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [jekqtxx] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [lbsngkk] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [bxvvgae] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [vcydumn] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [cprdfws] c:\windows\tuhdsjx.exe
O4 - HKCU\..\Run: [qjtwblu] c:\windows\ertkloh.exe
O4 - HKCU\..\Run: [adhrbtm] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [uyxtbxi] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [gsutcyh] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [iyxraqv] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [ephvflp] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [erpouxk] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [gsdgbea] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [vhxdtmh] c:\windows\jyquhjm.exe
O4 - HKCU\..\Run: [guyxqga] c:\windows\jyquhjm.exe
O4 - HKCU\..\Run: [yarybsq] c:\windows\cdhipuc.exe
O4 - HKCU\..\Run: [lwrpujk] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [ihhqkvh] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [vluywwk] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [bxhmoaq] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [pgwmbyi] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [ijnquan] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [aynhspq] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [ttrgqlb] c:\windows\apgcqaw.exe
O4 - HKCU\..\Run: [vrubjcy] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [kqqfxnk] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [pliomry] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [lepfmln] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [temvoco] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [smydscn] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [vwxfdwv] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [drpjvij] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [sjcmrps] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [irnyxfi] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [jktnsdp] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [kqwdywc] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [fplufjn] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [fbqrdtq] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [ftdsveg] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [trqghky] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [rvbasgf] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [hxdfyll] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [mguttov] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [smxkdwr] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [xiynner] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [aeeycoj] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [gektqbp] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [oiripjt] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [lvxvylk] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [uioutex] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [avyuwrv] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [ojxyyqd] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [wivpivr] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [hflbpns] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [osjkakv] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [nbxvfvf] c:\windows\rjjgmin.exe
O4 - HKCU\..\Run: [peswypq] c:\windows\rjjgmin.exe
O4 - HKCU\..\Run: [cnjnstf] c:\windows\rjjgmin.exe
O4 - HKCU\..\Run: [idhpwbv] c:\windows\rjjgmin.exe
O4 - HKCU\..\Run: [nqoevns] c:\windows\eixcvha.exe
O4 - HKCU\..\Run: [mbhpecc] c:\windows\eixcvha.exe
O4 - HKCU\..\Run: [mmofckl] c:\windows\eixcvha.exe
O4 - HKCU\..\Run: [awrvxxg] c:\windows\pwaxvnk.exe
O4 - HKCU\..\Run: [gemnyvx] c:\windows\pwaxvnk.exe
O4 - HKCU\..\Run: [rtqtnhj] c:\windows\wwyojgq.exe
O4 - HKCU\..\Run: [kuxmqbs] c:\windows\vpvanpj.exe
O4 - HKCU\..\Run: [yjchmgf] c:\windows\vpvanpj.exe
O4 - HKCU\..\Run: [trtbvde] c:\windows\vblgmvc.exe
O4 - HKCU\..\Run: [ccnvnck] c:\windows\vblgmvc.exe
O4 - HKCU\..\Run: [maesnfw] c:\windows\ohrlccd.exe
O4 - HKCU\..\Run: [yepqtef] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [ctnoxnt] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [biyttql] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [uflbipx] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [edxkven] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [lpernbx] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [kusntmr] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [ylosaxx] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [vvutonp] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [rfbtlhl] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [csgxfof] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [nqsooqm] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [sgdlquk] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [dbkmgrw] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [yubfgom] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [jigtpua] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [nwhyrdw] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [lkvmyvf] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [rcvboew] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [ravokft] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [nkkvwcr] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [hfxtxjp] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [nkigohe] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [ncilvci] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [jbihyij] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [khxaojc] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [occamjm] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [ujheakm] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [hmrlsfh] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [llsajew] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [mwlvxjj] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [biseeyl] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [ndgnpfe] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [ppasohg] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [wfvwhka] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [civnrsx] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [afomidc] c:\windows\spcvoec.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122623011640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/355//strpg.chm::/update.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Panda Online Scan

Incident Status Location

Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\SPCVOEC.EXE
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\KRFTGHP.EXE
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\RJGPJSA.EXE
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\YTQPOLH.EXE
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\CCXSKYK.EXE
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\OHRLCCD.EXE
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\VBLGMVC.EXE
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\VPVANPJ.EXE
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\WWYOJGQ.EXE
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\PWAXVNK.EXE
Adware:Adware/Startpage.WH No disinfected C:\windows\eixcvha.exe
Adware:adware/findspy No disinfected C:\DOCUMENTS AND SETTINGS\YAM\FAVORITES\ FREE Access to 800 Paid sites.url
Adware:adware/topsearch4u No disinfected Windows Registry
Possible Virus. No disinfected C:\Program Files\2Wire\sy_apps\dllupdate.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\bludtba.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\bsebvfx.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\ccxskyk.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\eixcvha.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\fyntatb.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\krftghp.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\neiykrn.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\nmawyda.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\ohrlccd.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\pulqfcf.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\pwaxvnk.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\rjgpjsa.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\spcvoec.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\SYSTEM32\arusxaaa.exe
Adware:Adware/StartPage.AFK No disinfected C:\WINDOWS\SYSTEM32\shdocvn.dll
Possible Virus. No disinfected C:\WINDOWS\temp\ASHeuristic\dllupdate.exe.vir
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\tpuebwr.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\vblgmvc.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\vpvanpj.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\wwyojgq.exe
Adware:Adware/Startpage.WH No disinfected C:\WINDOWS\ytqpolh.exe


Antispyware.Log
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Found ' Free Spy Cam - Realtime.url' in 'C:\Documents and Settings\Yam\Favorites\'
Found ' FREE Access to 800 Paid sites.url' in 'C:\Documents and Settings\Yam\Favorites\'
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning


AB Log
Scanned at: 1:17:49 AM on: 8/23/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 31

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 31

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:18:29 AM, 8/23/2005
+ Report-Checksum: EC8473B8

+ Scan result:

No infected objects found.


::Report End


smitRem log file
version 2.3

by noahdfear

The current date is: Tue 08/23/2005
The current time is: 1:20:17.18

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :)

Last edited by Spoonie; 08-23-2005 at 03:38 AM.
Spoonie is offline  
Old 08-23-2005, 08:58 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,326
OS: N/A


I require Ewido's logs before we can proceed to the next stage.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-23-2005, 04:18 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 13
OS: Win/XP


Quote:
Originally Posted by sUBs
I require Ewido's logs before we can proceed to the next stage.
Subs:
It's the last log in my 2nd post. Did I miss something?
Spoonie is offline  
Old 08-23-2005, 04:50 PM   #6 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 13
OS: Win/XP


Quote:
Originally Posted by Spoonie
Subs:
It's the last log in my 2nd post. Did I miss something?
Sorry, it's the 2nd to last log.

I have a feeling you needed the 1st Ewido log after the tools were run from your original instructions, and before the online scans. If so, I messed up by not saving that log. So that means I have to start again?
Thanks

Last edited by Spoonie; 08-23-2005 at 05:03 PM.
Spoonie is offline  
Old 08-23-2005, 07:45 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 13
OS: Win/XP


If I need to start over, here's a current HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 6:42:51 PM, on 8/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [kmjghck] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [mudcwfa] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [oupsxwh] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [njsivxm] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [plspbqq] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [rxlhdxq] c:\windows\hjaxsbi.exe
O4 - HKCU\..\Run: [jyoloii] c:\windows\hjaxsbi.exe
O4 - HKCU\..\Run: [ngcsdgs] c:\windows\rumxygq.exe
O4 - HKCU\..\Run: [vvpspak] c:\windows\rumxygq.exe
O4 - HKCU\..\Run: [jddelcp] c:\windows\rsfofrr.exe
O4 - HKCU\..\Run: [kunppfw] c:\windows\jtbbphw.exe
O4 - HKCU\..\Run: [vpcnsen] c:\windows\cctvvxs.exe
O4 - HKCU\..\Run: [fogpowx] c:\windows\frdrlrw.exe
O4 - HKCU\..\Run: [bmdwtrl] c:\windows\kthtjmy.exe
O4 - HKCU\..\Run: [wgcpfaw] c:\windows\kthtjmy.exe
O4 - HKCU\..\Run: [xcuesgb] c:\windows\smcclrh.exe
O4 - HKCU\..\Run: [rmcjiid] c:\windows\smcclrh.exe
O4 - HKCU\..\Run: [vyeoexn] c:\windows\jqptcvc.exe
O4 - HKCU\..\Run: [aqkpcxd] c:\windows\wxcxmeo.exe
O4 - HKCU\..\Run: [ychrvmi] c:\windows\jqptcvc.exe
O4 - HKCU\..\Run: [eqeghbv] c:\windows\wxcxmeo.exe
O4 - HKCU\..\Run: [affijos] c:\windows\cotgdqx.exe
O4 - HKCU\..\Run: [lniltrg] c:\windows\cotgdqx.exe
O4 - HKCU\..\Run: [flqiyte] c:\windows\kvqfbsp.exe
O4 - HKCU\..\Run: [sssqsot] c:\windows\kvqfbsp.exe
O4 - HKCU\..\Run: [wscrpvw] c:\windows\kvqfbsp.exe
O4 - HKCU\..\Run: [qxqgpkq] c:\windows\crvhvod.exe
O4 - HKCU\..\Run: [meuemcx] c:\windows\ryjodny.exe
O4 - HKCU\..\Run: [prhsihs] c:\windows\ryjodny.exe
O4 - HKCU\..\Run: [ydmhyuo] c:\windows\heshvsh.exe
O4 - HKCU\..\Run: [noaapiw] c:\windows\sfbimkg.exe
O4 - HKCU\..\Run: [kqdcmrv] c:\windows\sfbimkg.exe
O4 - HKCU\..\Run: [bllwney] c:\windows\sfbimkg.exe
O4 - HKCU\..\Run: [xdfkqwf] c:\windows\iusuknl.exe
O4 - HKCU\..\Run: [jkdpmwe] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [vnlohmb] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [ahusrth] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [ufslyur] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [jfprcsj] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [hkagimf] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [tiyjowl] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [pfkqdpm] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [jekqtxx] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [lbsngkk] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [bxvvgae] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [vcydumn] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [cprdfws] c:\windows\tuhdsjx.exe
O4 - HKCU\..\Run: [qjtwblu] c:\windows\ertkloh.exe
O4 - HKCU\..\Run: [adhrbtm] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [uyxtbxi] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [gsutcyh] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [iyxraqv] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [ephvflp] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [erpouxk] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [gsdgbea] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [vhxdtmh] c:\windows\jyquhjm.exe
O4 - HKCU\..\Run: [guyxqga] c:\windows\jyquhjm.exe
O4 - HKCU\..\Run: [yarybsq] c:\windows\cdhipuc.exe
O4 - HKCU\..\Run: [lwrpujk] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [ihhqkvh] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [vluywwk] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [bxhmoaq] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [pgwmbyi] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [ijnquan] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [aynhspq] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [ttrgqlb] c:\windows\apgcqaw.exe
O4 - HKCU\..\Run: [vrubjcy] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [kqqfxnk] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [pliomry] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [lepfmln] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [temvoco] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [smydscn] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [vwxfdwv] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [drpjvij] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [sjcmrps] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [irnyxfi] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [jktnsdp] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [kqwdywc] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [fplufjn] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [fbqrdtq] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [ftdsveg] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [trqghky] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [rvbasgf] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [hxdfyll] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [mguttov] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [smxkdwr] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [xiynner] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [aeeycoj] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [gektqbp] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [oiripjt] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [lvxvylk] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [uioutex] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [avyuwrv] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [ojxyyqd] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [wivpivr] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [hflbpns] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [osjkakv] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [nbxvfvf] c:\windows\rjjgmin.exe
O4 - HKCU\..\Run: [peswypq] c:\windows\rjjgmin.exe
O4 - HKCU\..\Run: [cnjnstf] c:\windows\rjjgmin.exe
O4 - HKCU\..\Run: [idhpwbv] c:\windows\rjjgmin.exe
O4 - HKCU\..\Run: [nqoevns] c:\windows\eixcvha.exe
O4 - HKCU\..\Run: [mbhpecc] c:\windows\eixcvha.exe
O4 - HKCU\..\Run: [mmofckl] c:\windows\eixcvha.exe
O4 - HKCU\..\Run: [awrvxxg] c:\windows\pwaxvnk.exe
O4 - HKCU\..\Run: [gemnyvx] c:\windows\pwaxvnk.exe
O4 - HKCU\..\Run: [rtqtnhj] c:\windows\wwyojgq.exe
O4 - HKCU\..\Run: [kuxmqbs] c:\windows\vpvanpj.exe
O4 - HKCU\..\Run: [yjchmgf] c:\windows\vpvanpj.exe
O4 - HKCU\..\Run: [trtbvde] c:\windows\vblgmvc.exe
O4 - HKCU\..\Run: [ccnvnck] c:\windows\vblgmvc.exe
O4 - HKCU\..\Run: [maesnfw] c:\windows\ohrlccd.exe
O4 - HKCU\..\Run: [yepqtef] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [ctnoxnt] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [biyttql] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [uflbipx] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [edxkven] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [lpernbx] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [kusntmr] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [ylosaxx] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [vvutonp] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [rfbtlhl] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [csgxfof] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [nqsooqm] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [sgdlquk] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [dbkmgrw] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [yubfgom] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [jigtpua] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [nwhyrdw] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [lkvmyvf] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [rcvboew] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [ravokft] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [nkkvwcr] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [hfxtxjp] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [nkigohe] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [ncilvci] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [jbihyij] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [khxaojc] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [occamjm] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [ujheakm] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [hmrlsfh] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [llsajew] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [mwlvxjj] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [biseeyl] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [ndgnpfe] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [ppasohg] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [wfvwhka] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [civnrsx] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [afomidc] c:\windows\spcvoec.exe
O4 - HKCU\..\Run: [qdujhin] c:\windows\spcvoec.exe
O4 - HKCU\..\Run: [fbdoysk] c:\windows\spcvoec.exe
O4 - HKCU\..\Run: [xrfdhas] c:\windows\spcvoec.exe
O4 - HKCU\..\Run: [fadvvoq] c:\windows\shhpmek.exe
O4 - HKCU\..\Run: [uxhlunp] c:\windows\shhpmek.exe
O4 - HKCU\..\Run: [uttdhec] c:\windows\shhpmek.exe
O4 - HKCU\..\Run: [vjllykv] c:\windows\fswsasv.exe
O4 - HKCU\..\Run: [qjexqlw] c:\windows\fswsasv.exe
O4 - HKCU\..\Run: [ryhsumv] c:\windows\fswsasv.exe
O4 - HKCU\..\Run: [ohldvrn] c:\windows\ncvqatb.exe
O4 - HKCU\..\Run: [joithjb] c:\windows\nvbiucj.exe
O4 - HKCU\..\Run: [rinlrfk] c:\windows\nvbiucj.exe
O4 - HKCU\..\Run: [shwhgqn] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [gosjhrj] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [xebhwai] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [wpsyhff] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [hutytid] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [jhcbsdp] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [qhbtxbb] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [xfitjml] c:\windows\tlhdrcm.exe
O4 - HKCU\..\Run: [cwyljkq] c:\windows\ddrxspq.exe
O4 - HKCU\..\Run: [urhvhkv] c:\windows\ddrxspq.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122623011640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/355//strpg.chm::/update.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Spoonie is offline  
Old 08-23-2005, 11:32 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,326
OS: N/A


Sorry about that. I must be suffering premature blindness.
I did try looking for it but couldn't see it till now.
No need to re-do the test.


Have HijackThis fix these entries (make sure your browser is closed before clicking Fix check):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
O4 - HKCU\..\Run: [kmjghck] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [mudcwfa] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [oupsxwh] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [njsivxm] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [plspbqq] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [rxlhdxq] c:\windows\hjaxsbi.exe
O4 - HKCU\..\Run: [jyoloii] c:\windows\hjaxsbi.exe
O4 - HKCU\..\Run: [ngcsdgs] c:\windows\rumxygq.exe
O4 - HKCU\..\Run: [vvpspak] c:\windows\rumxygq.exe
O4 - HKCU\..\Run: [jddelcp] c:\windows\rsfofrr.exe
O4 - HKCU\..\Run: [kunppfw] c:\windows\jtbbphw.exe
O4 - HKCU\..\Run: [vpcnsen] c:\windows\cctvvxs.exe
O4 - HKCU\..\Run: [fogpowx] c:\windows\frdrlrw.exe
O4 - HKCU\..\Run: [bmdwtrl] c:\windows\kthtjmy.exe
O4 - HKCU\..\Run: [wgcpfaw] c:\windows\kthtjmy.exe
O4 - HKCU\..\Run: [xcuesgb] c:\windows\smcclrh.exe
O4 - HKCU\..\Run: [rmcjiid] c:\windows\smcclrh.exe
O4 - HKCU\..\Run: [vyeoexn] c:\windows\jqptcvc.exe
O4 - HKCU\..\Run: [aqkpcxd] c:\windows\wxcxmeo.exe
O4 - HKCU\..\Run: [ychrvmi] c:\windows\jqptcvc.exe
O4 - HKCU\..\Run: [eqeghbv] c:\windows\wxcxmeo.exe
O4 - HKCU\..\Run: [affijos] c:\windows\cotgdqx.exe
O4 - HKCU\..\Run: [lniltrg] c:\windows\cotgdqx.exe
O4 - HKCU\..\Run: [flqiyte] c:\windows\kvqfbsp.exe
O4 - HKCU\..\Run: [sssqsot] c:\windows\kvqfbsp.exe
O4 - HKCU\..\Run: [wscrpvw] c:\windows\kvqfbsp.exe
O4 - HKCU\..\Run: [qxqgpkq] c:\windows\crvhvod.exe
O4 - HKCU\..\Run: [meuemcx] c:\windows\ryjodny.exe
O4 - HKCU\..\Run: [prhsihs] c:\windows\ryjodny.exe
O4 - HKCU\..\Run: [ydmhyuo] c:\windows\heshvsh.exe
O4 - HKCU\..\Run: [noaapiw] c:\windows\sfbimkg.exe
O4 - HKCU\..\Run: [kqdcmrv] c:\windows\sfbimkg.exe
O4 - HKCU\..\Run: [bllwney] c:\windows\sfbimkg.exe
O4 - HKCU\..\Run: [xdfkqwf] c:\windows\iusuknl.exe
O4 - HKCU\..\Run: [jkdpmwe] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [vnlohmb] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [ahusrth] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [ufslyur] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [jfprcsj] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [hkagimf] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [tiyjowl] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [pfkqdpm] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [jekqtxx] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [lbsngkk] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [bxvvgae] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [vcydumn] c:\windows\xyhdwko.exe
O4 - HKCU\..\Run: [cprdfws] c:\windows\tuhdsjx.exe
O4 - HKCU\..\Run: [qjtwblu] c:\windows\ertkloh.exe
O4 - HKCU\..\Run: [adhrbtm] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [uyxtbxi] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [gsutcyh] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [iyxraqv] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [ephvflp] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [erpouxk] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [gsdgbea] c:\windows\dyakflu.exe
O4 - HKCU\..\Run: [vhxdtmh] c:\windows\jyquhjm.exe
O4 - HKCU\..\Run: [guyxqga] c:\windows\jyquhjm.exe
O4 - HKCU\..\Run: [yarybsq] c:\windows\cdhipuc.exe
O4 - HKCU\..\Run: [lwrpujk] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [ihhqkvh] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [vluywwk] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [bxhmoaq] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [pgwmbyi] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [ijnquan] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [aynhspq] c:\windows\uttfmci.exe
O4 - HKCU\..\Run: [ttrgqlb] c:\windows\apgcqaw.exe
O4 - HKCU\..\Run: [vrubjcy] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [kqqfxnk] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [pliomry] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [lepfmln] c:\windows\wtotqmx.exe
O4 - HKCU\..\Run: [temvoco] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [smydscn] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [vwxfdwv] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [drpjvij] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [sjcmrps] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [irnyxfi] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [jktnsdp] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [kqwdywc] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [fplufjn] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [fbqrdtq] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [ftdsveg] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [trqghky] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [rvbasgf] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [hxdfyll] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [mguttov] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [smxkdwr] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [xiynner] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [aeeycoj] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [gektqbp] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [oiripjt] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [lvxvylk] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [uioutex] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [avyuwrv] c:\windows\gheaqxi.exe
O4 - HKCU\..\Run: [ojxyyqd] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [wivpivr] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [hflbpns] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [osjkakv] c:\windows\uhpejci.exe
O4 - HKCU\..\Run: [nbxvfvf] c:\windows\rjjgmin.exe
O4 - HKCU\..\Run: [peswypq] c:\windows\rjjgmin.exe
O4 - HKCU\..\Run: [cnjnstf] c:\windows\rjjgmin.exe
O4 - HKCU\..\Run: [idhpwbv] c:\windows\rjjgmin.exe
O4 - HKCU\..\Run: [nqoevns] c:\windows\eixcvha.exe
O4 - HKCU\..\Run: [mbhpecc] c:\windows\eixcvha.exe
O4 - HKCU\..\Run: [mmofckl] c:\windows\eixcvha.exe
O4 - HKCU\..\Run: [awrvxxg] c:\windows\pwaxvnk.exe
O4 - HKCU\..\Run: [gemnyvx] c:\windows\pwaxvnk.exe
O4 - HKCU\..\Run: [rtqtnhj] c:\windows\wwyojgq.exe
O4 - HKCU\..\Run: [kuxmqbs] c:\windows\vpvanpj.exe
O4 - HKCU\..\Run: [yjchmgf] c:\windows\vpvanpj.exe
O4 - HKCU\..\Run: [trtbvde] c:\windows\vblgmvc.exe
O4 - HKCU\..\Run: [ccnvnck] c:\windows\vblgmvc.exe
O4 - HKCU\..\Run: [maesnfw] c:\windows\ohrlccd.exe
O4 - HKCU\..\Run: [yepqtef] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [ctnoxnt] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [biyttql] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [uflbipx] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [edxkven] c:\windows\ccxskyk.exe
O4 - HKCU\..\Run: [lpernbx] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [kusntmr] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [ylosaxx] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [vvutonp] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [rfbtlhl] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [csgxfof] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [nqsooqm] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [sgdlquk] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [dbkmgrw] c:\windows\ytqpolh.exe
O4 - HKCU\..\Run: [yubfgom] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [jigtpua] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [nwhyrdw] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [lkvmyvf] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [rcvboew] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [ravokft] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [nkkvwcr] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [hfxtxjp] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [nkigohe] c:\windows\rjgpjsa.exe
O4 - HKCU\..\Run: [ncilvci] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [jbihyij] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [khxaojc] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [occamjm] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [ujheakm] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [hmrlsfh] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [llsajew] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [mwlvxjj] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [biseeyl] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [ndgnpfe] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [ppasohg] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [wfvwhka] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [civnrsx] c:\windows\krftghp.exe
O4 - HKCU\..\Run: [afomidc] c:\windows\spcvoec.exe
O4 - HKCU\..\Run: [qdujhin] c:\windows\spcvoec.exe
O4 - HKCU\..\Run: [fbdoysk] c:\windows\spcvoec.exe
O4 - HKCU\..\Run: [xrfdhas] c:\windows\spcvoec.exe
O4 - HKCU\..\Run: [fadvvoq] c:\windows\shhpmek.exe
O4 - HKCU\..\Run: [uxhlunp] c:\windows\shhpmek.exe
O4 - HKCU\..\Run: [uttdhec] c:\windows\shhpmek.exe
O4 - HKCU\..\Run: [vjllykv] c:\windows\fswsasv.exe
O4 - HKCU\..\Run: [qjexqlw] c:\windows\fswsasv.exe
O4 - HKCU\..\Run: [ryhsumv] c:\windows\fswsasv.exe
O4 - HKCU\..\Run: [ohldvrn] c:\windows\ncvqatb.exe
O4 - HKCU\..\Run: [joithjb] c:\windows\nvbiucj.exe
O4 - HKCU\..\Run: [rinlrfk] c:\windows\nvbiucj.exe
O4 - HKCU\..\Run: [shwhgqn] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [gosjhrj] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [xebhwai] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [wpsyhff] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [hutytid] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [jhcbsdp] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [qhbtxbb] c:\windows\aethrkf.exe
O4 - HKCU\..\Run: [xfitjml] c:\windows\tlhdrcm.exe
O4 - HKCU\..\Run: [cwyljkq] c:\windows\ddrxspq.exe
O4 - HKCU\..\Run: [urhvhkv] c:\windows\ddrxspq.exe
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/355//strpg.chm::/update.exe





Launch KillBox.exe & select the following options:
  • delete on Reboot
  • end Explorer shell while killing file
  • unregister dll before deleting * if it's not grayed out
Select all the filenames below & then click on Notepad's 'Edit' menu & select Copy
  • C:\WINDOWS\SPCVOEC.EXE
    C:\WINDOWS\KRFTGHP.EXE
    C:\WINDOWS\RJGPJSA.EXE
    C:\WINDOWS\YTQPOLH.EXE
    C:\WINDOWS\CCXSKYK.EXE
    C:\WINDOWS\OHRLCCD.EXE
    C:\WINDOWS\VBLGMVC.EXE
    C:\WINDOWS\VPVANPJ.EXE
    C:\WINDOWS\WWYOJGQ.EXE
    C:\WINDOWS\PWAXVNK.EXE
    C:\windows\eixcvha.exe
    C:\WINDOWS\bludtba.exe
    C:\WINDOWS\bsebvfx.exe
    C:\WINDOWS\fyntatb.exe
    C:\WINDOWS\neiykrn.exe
    C:\WINDOWS\nmawyda.exe
    C:\WINDOWS\pulqfcf.exe
    C:\WINDOWS\SYSTEM32\arusxaaa.exe
    C:\WINDOWS\temp\ASHeuristic\dllupdate.exe.vir
    C:\WINDOWS\tpuebwr.exe
    C:\windows\ehxwpcs.exe
    C:\windows\hjaxsbi.exe
    C:\windows\rumxygq.exe
    C:\windows\rsfofrr.exe
    C:\windows\jtbbphw.exe
    C:\windows\cctvvxs.exe
    C:\windows\frdrlrw.exe
    C:\windows\kthtjmy.exe
    C:\windows\smcclrh.exe
    C:\windows\jqptcvc.exe
    C:\windows\wxcxmeo.exe
    C:\windows\jqptcvc.exe
    C:\windows\wxcxmeo.exe
    C:\windows\cotgdqx.exe
    C:\windows\kvqfbsp.exe
    C:\windows\crvhvod.exe
    C:\windows\ryjodny.exe
    C:\windows\heshvsh.exe
    C:\windows\sfbimkg.exe
    C:\windows\iusuknl.exe
    C:\windows\xyhdwko.exe
    C:\windows\tuhdsjx.exe
    C:\windows\ertkloh.exe
    C:\windows\dyakflu.exe
    C:\windows\jyquhjm.exe
    C:\windows\cdhipuc.exe
    C:\windows\uttfmci.exe
    C:\windows\apgcqaw.exe
    C:\windows\wtotqmx.exe
    C:\windows\gheaqxi.exe
    C:\windows\uhpejci.exe
    C:\windows\rjjgmin.exe
    C:\windows\shhpmek.exe
    C:\windows\fswsasv.exe
    C:\windows\ncvqatb.exe
    C:\windows\nvbiucj.exe
    C:\windows\aethrkf.exe
    C:\windows\tlhdrcm.exe
    C:\windows\ddrxspq.exe
* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
(don't be alarmed if some files are missing. Just let me know which ones are missing)
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.



Reboot your computer & perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Standard
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post along with a fresh HJT log

* Turn off the real time scanner of any existing antivirus program while performing the online scan
__________________

Question - what have you done for the community today?
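As an added example (not from this thread, and not part of HijackThis, KillBox or any other tool the helper names), the script below triages a HijackThis log for the three patterns sUBs had fixed above: one executable registered under many random HKCU Run value names, several IE start/search settings pointed at the same host, and an O16 DPF entry whose location is not an ordinary http(s) URL. The sample log is a constructed excerpt modelled on the entries quoted in this thread; the function names and the thresholds are this example's own choices.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt modelled on the log lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [kmjghck] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [mudcwfa] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [oupsxwh] c:\windows\ehxwpcs.exe
O4 - HKCU\..\Run: [rxlhdxq] c:\windows\hjaxsbi.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/355//strpg.chm::/update.exe
"""

# HijackThis line shapes handled here (other sections are ignored).
RUN_RE = re.compile(r"^O4 - (HKCU|HKLM)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
R_RE = re.compile(r"^R[01] - ((?:HKCU|HKLM)\\[^,]+),([^=]+?) = (\S+)$")
DPF_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (.+)$")


def parse_hjt(text):
    """Return (kind, fields) tuples for the O4 Run, R0/R1 and O16 lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append(("run", {"hive": m[1], "name": m[2], "target": m[3]}))
            continue
        m = R_RE.match(line)
        if m:
            entries.append(("browser", {"key": m[1], "setting": m[2], "value": m[3]}))
            continue
        m = DPF_RE.match(line)
        if m:
            entries.append(("dpf", {"clsid": m[1], "class": m[2], "url": m[3]}))
    return entries


def find_run_clusters(entries, min_names=2):
    """Executables registered under several different Run value names.

    Legitimate software registers each program once; the same file showing
    up under a pile of random names (as in this thread) is the signature of
    a startpage trojan that re-adds itself.  Paths are compared case-folded
    because HijackThis reports them with mixed case.
    """
    names_by_target = defaultdict(set)
    for kind, f in entries:
        if kind == "run":
            names_by_target[f["target"].lower()].add(f["name"])
    return {t: sorted(n) for t, n in names_by_target.items() if len(n) >= min_names}


def find_browser_hijack(entries, min_settings=2):
    """Hosts that two or more IE start/search settings point at.

    Values without a URL scheme (e.g. ProxyOverride = localhost) have no
    hostname and are skipped rather than mis-flagged.
    """
    settings_by_host = defaultdict(list)
    for kind, f in entries:
        if kind != "browser":
            continue
        host = urlparse(f["value"]).hostname
        if host:
            settings_by_host[host].append(f["setting"])
    return {h: s for h, s in settings_by_host.items() if len(s) >= min_settings}


def find_nonhttp_dpf(entries):
    """O16 entries whose download location is not a plain http(s) URL.

    A DPF entry normally names a CAB fetched over http(s); the ms-its:mhtml:
    location in this thread is neither, which is why it stands out.
    """
    return [f for kind, f in entries
            if kind == "dpf" and not f["url"].lower().startswith(("http://", "https://"))]


def triage(text):
    """Run all three checks over a log and return the findings."""
    entries = parse_hjt(text)
    return {
        "run_clusters": find_run_clusters(entries),
        "browser_hijack": find_browser_hijack(entries),
        "suspicious_dpf": find_nonhttp_dpf(entries),
    }


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_LOG).items():
        print(section, findings)
```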
Old 08-24-2005, 06:33 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 13
OS: Win/XP


Thanks SUBS:
New logs attached. Just a guess, but I probably need to turn off system restore, HJT delete the R1's, R0's, & HKCU's 04's, killbox the 04's, & C:\WINDOWS\SYSTEM32\pgsqpaaa.exe, then online scan again??
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, August 24, 2005 17:10:11
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/08/2005
Kaspersky Anti-Virus database records: 136861
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 57797
Number of viruses found: 5
Number of infected objects: 32
Number of suspicious objects: 7
Duration of the scan process: 1948 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Yam\Desktop\hijackthis.log Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Yam\Desktop\Logs\hijackthis.log Suspicious: Exploit.HTML.Mht
C:\HijackThis\backups\backup-20050824-162147-952 Suspicious: Exploit.HTML.Mht
C:\HijackThis\hijackthis.log Suspicious: Exploit.HTML.Mht
C:\HijackThis\hijackthis.old Suspicious: Exploit.HTML.Mht
C:\RECYCLER\S-1-5-21-3911012837-3267944438-4148968250-1007\Dc11.txt Suspicious: Exploit.HTML.Mht
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001401.exe Suspicious: PECompact
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0001402.exe Infected: Backdoor.Win32.Robobot.k
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0003499.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003569.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003570.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003571.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003572.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003573.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003574.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003575.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003576.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003577.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003578.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003579.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003580.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003581.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003582.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003583.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003584.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003585.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003586.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003587.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003588.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003589.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003590.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003591.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003592.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003593.exe Infected: Trojan.Win32.StartPage.abc
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0003594.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\bhqojtb.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\ceygnys.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\ojloqcu.exe Infected: Trojan.Win32.StartPage.abc
C:\WINDOWS\SYSTEM32\pgsqpaaa.exe Infected: Trojan-Downloader.Win32.CWS.g

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 5:12:45 PM, on 8/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\windows\bhqojtb.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [peftmpl] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [tqefflc] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [rbnxdpd] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [bfhgpiq] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [pkifhkn] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [ubamflw] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [aqcjrqa] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [ywimxdl] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [dewqede] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [nwudcsc] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [suusxng] c:\windows\ceygnys.exe
O4 - HKCU\..\Run: [yumqusv] c:\windows\ceygnys.exe
O4 - HKCU\..\Run: [knrcpxe] c:\windows\ceygnys.exe
O4 - HKCU\..\Run: [rcnoqbx] c:\windows\ojloqcu.exe
O4 - HKCU\..\Run: [gvdjcia] c:\windows\ojloqcu.exe
O4 - HKCU\..\Run: [nbqjptj] c:\windows\ojloqcu.exe
O4 - HKCU\..\Run: [ufbgqjx] c:\windows\ojloqcu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122623011640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Last edited by Spoonie; 08-24-2005 at 06:43 PM.
Old 08-24-2005, 08:47 PM   #10 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 13
OS: Win/XP


OK SUBS:
I turned system restore off, HJT deleted the following, then Killboxed each file.

O4 - HKCU\..\Run: [peftmpl] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [tqefflc] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [rbnxdpd] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [bfhgpiq] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [pkifhkn] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [ubamflw] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [aqcjrqa] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [ywimxdl] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [dewqede] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [nwudcsc] c:\windows\bhqojtb.exe
O4 - HKCU\..\Run: [suusxng] c:\windows\ceygnys.exe
O4 - HKCU\..\Run: [yumqusv] c:\windows\ceygnys.exe
O4 - HKCU\..\Run: [knrcpxe] c:\windows\ceygnys.exe
O4 - HKCU\..\Run: [rcnoqbx] c:\windows\ojloqcu.exe
O4 - HKCU\..\Run: [gvdjcia] c:\windows\ojloqcu.exe
O4 - HKCU\..\Run: [nbqjptj] c:\windows\ojloqcu.exe
O4 - HKCU\..\Run: [ufbgqjx] c:\windows\ojloqcu.exe

I left the C:\WINDOWS\SYSTEM32\pgsqpaaa.exe file which the new Kaspersky scan still reports as infected. Next I ran a Panda ActiveScan.

Below is a fresh HJT log, Kaspersky log, & Panda log



Logfile of HijackThis v1.99.1
Scan saved at 747 PM, on 8/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sfgate.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122623011640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, August 24, 2005 18:52:23
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/08/2005
Kaspersky Anti-Virus database records: 136882
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 57122
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 1993 sec

Infected Object Name - Virus Name
C:\WINDOWS\SYSTEM32\pgsqpaaa.exe Infected: Trojan-Downloader.Win32.CWS.g

Scan process completed.



Panda ActiveScan
Incident                      Status           Location

Possible Virus.               No disinfected   C:\Program Files\2Wire\sy_apps\dllupdate.exe
Adware:Adware/StartPage.AFK   No disinfected   C:\WINDOWS\SYSTEM32\shdocvn.dll
Possible Virus.               No disinfected   C:\WINDOWS\temp\ASHeuristic\dllupdate.exe.vir
Old 08-24-2005, 10:32 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 13
OS: Win/XP


Kaspersky scan log is clean. Panda Scan 3 files.

Logfile of HijackThis v1.99.1
Scan saved at 9:23:20 PM, on 8/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sfgate.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122623011640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, August 24, 2005 20:44:55
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/08/2005
Kaspersky Anti-Virus database records: 136890
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 57598
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 1990 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

Panda Online Scan Results
-------------------------
Incident                      Status           Location

Possible Virus.               No disinfected   C:\Program Files\2Wire\sy_apps\dllupdate.exe
Adware:Adware/StartPage.AFK   No disinfected   C:\WINDOWS\SYSTEM32\shdocvn.dll
Possible Virus.               No disinfected   C:\WINDOWS\temp\ASHeuristic\dllupdate.exe.vir
Old 08-25-2005, 12:14 AM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,326
OS: N/A


Good work

Self-help seems to be working well. You saved me a lot of work

Have Killbox remove - C:\WINDOWS\SYSTEM32\shdocvn.dll
Use these settings:
  • Replace on Reboot
  • Use Dummy
  • end Explorer shell while killing file
  • unregister dll before deleting * if it's not grayed out


After you have rebooted, run CleanUp!


Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE
    Go to Start >> Run - type sysdm.cpl & press Enter
    • Select the System Restore Tab
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here


  11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 08-25-2005 at 01:27 AM.
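As an added example, not from the thread or from sUBs: a PowerShell script that audits the Internet Explorer "Internet" zone against the values given in step 3 (SECURING INTERNET EXPLORER) and re-applies them when run with -Apply. It assumes a Windows host with PowerShell; the zone registry key and the numeric URL-action IDs are Windows' documented identifiers for those six settings, not values taken from the page.

```powershell
# Added example, not from the thread: audit (and optionally re-apply) the
# Internet-zone settings recommended in step 3 of the post above.
# The zone key and the numeric URL-action IDs are Windows' documented
# identifiers for the IE "Internet" zone, not values taken from the page.
param([switch]$Apply)

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Recommended values from step 3, keyed by URL-action ID (1 = Prompt, 3 = Disable).
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

$zone  = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
$drift = 0
foreach ($r in $Recommended) {
    $have = $zone.($r.Id)          # $null when the value has never been written
    if ($null -eq $have) { $haveLabel = 'not set' } else { $haveLabel = $Labels[[int]$have] }
    if (-not $haveLabel) { $haveLabel = "raw value $have" }   # unexpected value, report it as-is

    if ($null -ne $have -and [int]$have -eq $r.Want) {
        Write-Host ("OK    {0} [{1}] = {2}" -f $r.Name, $r.Id, $haveLabel)
        continue
    }
    $drift++
    Write-Host ("DRIFT {0} [{1}] is {2}, recommended {3}" -f $r.Name, $r.Id, $haveLabel, $Labels[$r.Want])
    if ($Apply) {
        # IE stores zone actions as REG_DWORD values named after the action ID.
        Set-ItemProperty -Path $ZoneKey -Name $r.Id -Value $r.Want -Type DWord
        Write-Host ("      set [{0}] to {1}" -f $r.Id, $Labels[$r.Want])
    }
}
Write-Host ("{0} setting(s) differ from the recommended values." -f $drift)
```

Run it without -Apply first to see which settings have drifted; a value reported as "not set" means IE is using the zone's built-in default for that action.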
Old 08-25-2005, 01:22 AM   #13 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 13
OS: Win/XP


Quote:
Originally Posted by SUBS
DISABLE THE VIEWING OF SYSTEM FILES
From Windows Explorer, go to Tools>Folder Options> View tab.
Tick - Show hidden files and folder
Untick - Hide file extensions for known types
Untick - Hide protected operating system files
Click Yes to confirm & then click OK
If I'm disabling the viewing of system files, shouldn't all 3 be "ticked"?

Thanks for all the help SUBS!!!!
Old 08-25-2005, 01:27 AM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,326
OS: N/A


Thanks for pointing that out..

DISABLE THE VIEWING OF SYSTEM FILES
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Untick - Show hidden files and folder
  • Tick - Hide file extensions for known types
  • Tick - Hide protected operating system files
Click Yes to confirm & then click OK
__________________

Question - what have you done for the community today?
Old 08-25-2005, 01:37 AM   #15 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 13
OS: Win/XP


Thought so.

Thanks again. Great site!!!

Abcsearch4u Resolved!!!!
 


Copyright 2001 - 2009, Tech Support Forum