
Registered · 2 Posts · Discussion Starter · #1
Hi Guys,

I have this error 317 message that keeps popping up, and also tons of shortcut icons when I startup my computer that will not go away. I am posting my hijackthis log if someone could PLEASEEEE be kind enough to help.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 12:21:02 PM, on 10/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rqpdt\pjgn.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Microsoft\wircd.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Win32Sys.exe
C:\WINDOWS\System32\winsup.exe
C:\WINDOWS\System32\winfix.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\imiffbp\adlpfk.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0271/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\MO\Application Data\Mozilla\Profiles\default\m6jugx8x.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\MO\Application Data\Mozilla\Profiles\default\m6jugx8x.slt\prefs.js)
O1 - Hosts: 66.180.173.39 google.ae
O1 - Hosts: 66.180.173.39 google.am
O1 - Hosts: 66.180.173.39 google.as
O1 - Hosts: 66.180.173.39 google.at
O1 - Hosts: 66.180.173.39 google.az
O1 - Hosts: 66.180.173.39 google.be
O1 - Hosts: 66.180.173.39 google.bi
O1 - Hosts: 66.180.173.39 google.cd
O1 - Hosts: 66.180.173.39 google.cg
O1 - Hosts: 66.180.173.39 google.ch
O1 - Hosts: 66.180.173.39 google.ci
O1 - Hosts: 66.180.173.39 google.cl
O1 - Hosts: 66.180.173.39 google.co.cr
O1 - Hosts: 66.180.173.39 google.co.hu
O1 - Hosts: 66.180.173.39 google.co.il
O1 - Hosts: 66.180.173.39 google.co.in
O1 - Hosts: 66.180.173.39 google.co.je
O1 - Hosts: 66.180.173.39 google.co.jp
O1 - Hosts: 66.180.173.39 google.co.ke
O1 - Hosts: 66.180.173.39 google.co.kr
O1 - Hosts: 66.180.173.39 google.co.ls
O1 - Hosts: 66.180.173.39 google.co.nz
O1 - Hosts: 66.180.173.39 google.co.th
O1 - Hosts: 66.180.173.39 google.co.ug
O1 - Hosts: 66.180.173.39 google.co.ve
O1 - Hosts: 66.180.173.39 google.dj
O1 - Hosts: 66.180.173.39 google.dk
O1 - Hosts: 66.180.173.39 google.fi
O1 - Hosts: 66.180.173.39 google.fm
O1 - Hosts: 66.180.173.39 google.gg
O1 - Hosts: 66.180.173.39 google.gl
O1 - Hosts: 66.180.173.39 google.gm
O1 - Hosts: 66.180.173.39 google.hn
O1 - Hosts: 66.180.173.39 google.ie
O1 - Hosts: 66.180.173.39 google.it
O1 - Hosts: 66.180.173.39 google.kz
O1 - Hosts: 66.180.173.39 google.li
O1 - Hosts: 66.180.173.39 google.lt
O1 - Hosts: 66.180.173.39 google.lu
O1 - Hosts: 66.180.173.39 google.lv
O1 - Hosts: 66.180.173.39 google.mn
O1 - Hosts: 66.180.173.39 google.ms
O1 - Hosts: 66.180.173.39 google.mu
O1 - Hosts: 66.180.173.39 google.mw
O1 - Hosts: 66.180.173.39 google.nl
O1 - Hosts: 66.180.173.39 google.no
O1 - Hosts: 66.180.173.39 google.off.ai
O1 - Hosts: 66.180.173.39 google.pl
O1 - Hosts: 66.180.173.39 google.pn
O1 - Hosts: 66.180.173.39 google.pt
O1 - Hosts: 66.180.173.39 google.ro
O1 - Hosts: 66.180.173.39 google.ru
O1 - Hosts: 66.180.173.39 google.rw
O1 - Hosts: 66.180.173.39 google.se
O1 - Hosts: 66.180.173.39 google.sh
O1 - Hosts: 66.180.173.39 google.sk
O1 - Hosts: 66.180.173.39 google.sm
O1 - Hosts: 66.180.173.39 google.td
O1 - Hosts: 66.180.173.39 google.tm
O1 - Hosts: 66.180.173.39 google.tt
O1 - Hosts: 66.180.173.39 google.uz
O1 - Hosts: 66.180.173.39 google.vg
O1 - Hosts: 66.180.173.39 www.alexa.com alexa.com
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D75D9CF0-72C5-4E44-84E1-009965F673C4} - C:\WINDOWS\System32\abok.dll (file missing)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [yaupkmtb] C:\WINDOWS\System32\gbkpjal\yaupkmtb.exe
O4 - HKLM\..\Run: [Antiir Manager] winfix.exe
O4 - HKLM\..\Run: [Windows TM] Win32Sys.exe
O4 - HKLM\..\Run: [Sygates Personal Firewal] winsup.exe
O4 - HKLM\..\Run: [pjgn] C:\WINDOWS\System32\rqpdt\pjgn.exe
O4 - HKLM\..\Run: [Dash Once Clock Mode] C:\Documents and Settings\All Users\Application Data\Peakflapdashonce\32 lite.exe
O4 - HKLM\..\Run: [yfet] C:\WINDOWS\System32\sagq\yfet.exe
O4 - HKLM\..\Run: [adlpfk] C:\WINDOWS\System32\imiffbp\adlpfk.exe
O4 - HKLM\..\RunServices: [Windows TM] Win32Sys.exe
O4 - HKLM\..\RunServices: [Sygates Personal Firewal] winsup.exe
O4 - HKLM\..\RunServices: [Antiir Manager] winfix.exe
O4 - HKLM\..\RunServices: [WMI Application Interface] wmiapi.exe
O4 - HKLM\..\RunOnce: [Windows TM] Win32Sys.exe
O4 - HKCU\..\Run: [Windows TM] Win32Sys.exe
O4 - HKCU\..\Run: [Sygates Personal Firewal] winsup.exe
O4 - HKCU\..\Run: [Antiir Manager] winfix.exe
O4 - HKCU\..\Run: [MBKWBarManager] C:\Program Files\MBKWBar\TManager.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\RunOnce: [Windows TM] Win32Sys.exe
O8 - Extra context menu item: &Search - http://kb.bar.need2find.com/KB/menusearch.html?p=KB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://lovefreegames.aavalue.com/LFG/Toolbar/LFG-toolbar.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://reports.xpertonline.net/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O21 - SSODL: Network Load Monitor - {CC3E6789-0120-1A20-04B0-087AFF6D2EA4} - C:\WINDOWS\System32\uinc.dll
O23 - Service: adlpfkimiffbp - Unknown owner - C:\WINDOWS\System32\imiffbp\adlpfk.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: bgtpvnmlces - Unknown owner - C:\WINDOWS\System32\vnmlces\bgtp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: cdoeomapu - Unknown owner - C:\WINDOWS\System32\omapu\cdoe.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: msfesfsvxaag - Unknown owner - C:\WINDOWS\System32\svxaag\msfesf.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: pfqxxvwodyv - Unknown owner - C:\WINDOWS\System32\xvwodyv\pfqx.exe
O23 - Service: pjgnrqpdt - Unknown owner - C:\WINDOWS\System32\rqpdt\pjgn.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: FireDaemon Service: svchost1 (svchost1) - Unknown owner - C:\WINDOWS\system32\FireDaemon.EXE (file missing)
O23 - Service: UnrealIRCd - none - C:\WINDOWS\system32\Microsoft\wircd.exe
O23 - Service: utkgiubbgv - Unknown owner - C:\WINDOWS\System32\bbgv\utkgiu.exe
O23 - Service: FireDaemon Service: w2k (w2k) - Unknown owner - C:\WINDOWS\system32\Microsoft\CRYPTO\MLI\FireDaemon.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: yaupkmtbgbkpjal - Unknown owner - C:\WINDOWS\System32\gbkpjal\yaupkmtb.exe
O23 - Service: yfetsagq - Unknown owner - C:\WINDOWS\System32\sagq\yfet.exe
 
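As an added example for this thread (not a TSF or HijackThis tool, and not the helper's own method), the script below encodes a few of the patterns a helper reads off the log above: a hosts file that points many hostnames at one address, autostart entries that are bare filenames or live in random System32 subfolders, and services whose name is just the file stem glued to its folder name (pjgnrqpdt = pjgn + rqpdt). The sample lines are constructed from the log in post #1; the regexes, thresholds and category names are assumptions of this example.

```python
"""Heuristic triage of a HijackThis v1.99 log (added example, not a TSF tool).

Encodes patterns a helper reads off a log like the one in post #1: a hosts
file pointing many hostnames at one address, autostart entries that are bare
filenames or sit in random System32 subfolders, and services whose name is
the file stem glued to its folder name. Sample lines are constructed from that
log; regexes, thresholds and category names are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's log (a subset of its lines).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0271/
O1 - Hosts: 66.180.173.39 google.ae
O1 - Hosts: 66.180.173.39 google.at
O1 - Hosts: 66.180.173.39 google.co.jp
O1 - Hosts: 66.180.173.39 www.alexa.com alexa.com
O1 - Hosts: 216.39.69.102 view.atdmt.com
O4 - HKLM\..\Run: [Sygates Personal Firewal] winsup.exe
O4 - HKLM\..\Run: [pjgn] C:\WINDOWS\System32\rqpdt\pjgn.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O23 - Service: pjgnrqpdt - Unknown owner - C:\WINDOWS\System32\rqpdt\pjgn.exe
O23 - Service: UnrealIRCd - none - C:\WINDOWS\system32\Microsoft\wircd.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(.+)$")
O4_RE = re.compile(r"^O4 - (HK[A-Z]+\\\.\.\\\w+): \[([^\]]*)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# ...\System32\<folder>\<stem>.exe  -> groups (folder, stem)
SYS32_SUBDIR_RE = re.compile(r"\\system32\\([^\\]+)\\([^\\]+)\.exe$", re.I)
HOSTS_SHARED_IP_MIN = 3  # hostnames on one address before we call it a hijack


def exe_path(command):
    """Executable part of an O4 command: the quoted path, else the whole string."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command


def triage(log_text):
    """Return (category, detail) findings for the O1, O4 and O23 sections."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O1_RE.match(line):
            ip, names = m.groups()
            if not ip.startswith("127."):  # treat loopback entries as blocking, not redirects
                hosts_by_ip[ip].extend(names.split())
        elif m := O4_RE.match(line):
            path = exe_path(m.group(3))
            if "\\" not in path:
                # Bare filename resolved via PATH at logon (winfix.exe, winsup.exe, ...)
                findings.append(("autostart-bare-filename", line))
            elif SYS32_SUBDIR_RE.search(path):
                findings.append(("autostart-system32-subfolder", line))
        elif m := O23_RE.match(line):
            svc, owner, path = m.groups()
            sub = SYS32_SUBDIR_RE.search(path)
            if sub and svc.lower() == (sub.group(2) + sub.group(1)).lower():
                # pjgnrqpdt == pjgn + rqpdt: service named stem + folder
                findings.append(("service-name-is-stem-plus-folder", line))
            elif sub and owner.lower() in ("unknown owner", "none"):
                findings.append(("unowned-service-in-system32-subfolder", line))
    for ip, names in hosts_by_ip.items():
        if len(names) >= HOSTS_SHARED_IP_MIN:
            findings.append(("hosts-hijack", f"{ip} answers for {len(names)} hostnames"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:40} {detail}")
```

Run against the full log in post #1, the same rules pick out every O4 and O23 entry the helper later lists under "Fix checked" while leaving the HP, Symantec and AOL services alone.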

TSF Security Team, Emeritus · 26,363 Posts
You have a very bad infection on your hands. In the next pass, we won't be doing any fixing. We'll need to uncover some hidden files so that HijackThis can find them.


Please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK


Then download and unzip MADEbyOSC.zip

Run the file by doubleclicking metallica.bat
and post the log.
Do not reboot until someone has looked at your log and given you the next step.
If you have to reboot repeat this part when you are back online.
 

Registered · 2 Posts · Discussion Starter · #3
Next Step

Ok here is the info after running metallica...thanks much in advance

************************************
**These are the hidden files found**
************************************
Volume in drive C has no label.
Volume Serial Number is 6336-63BC

Directory of C:\DOCUME~1\MO\LOCALS~1\Temp

10/13/2005 04:49 PM <DIR> Temporary Directory 1 for MADEbyOSC[1].zip
0 File(s) 0 bytes
1 Dir(s) 46,021,324,800 bytes free
************************************
**These are the system files found**
************************************
Volume in drive C has no label.
Volume Serial Number is 6336-63BC

Directory of C:\DOCUME~1\MO\LOCALS~1\Temp

03/26/2005 03:09 PM <DIR> Cookies
05/03/2004 03:23 PM <DIR> History
05/03/2004 03:23 PM <DIR> Temporary Internet Files
0 File(s) 0 bytes
3 Dir(s) 46,021,320,704 bytes free
 

TSF Security Team, Emeritus · 26,363 Posts
Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

CleanUp! - Install.

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

WinPfind.zip

TrackQoo.zip

Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host

Download the attachment I've placed on this post - sc.zip

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames listed below & then right-click & select Copy
  • C:\WINDOWS\System32\winfix.exe
    C:\WINDOWS\System32\Win32Sys.exe
    C:\WINDOWS\System32\winsup.exe
    C:\WINDOWS\System32\abok.dll
    C:\WINDOWS\System32\gbkpjal\yaupkmtb.exe
    C:\WINDOWS\System32\rqpdt\pjgn.exe
    C:\WINDOWS\System32\sagq\yfet.exe
    C:\WINDOWS\System32\imiffbp\adlpfk.exe
    C:\WINDOWS\System32\wmiapi.exe
    c:\counter.cab
    C:\WINDOWS\System32\imiffbp\adlpfk.exe
    C:\WINDOWS\System32\vnmlces\bgtp.exe
    C:\WINDOWS\System32\omapu\cdoe.exe
    C:\WINDOWS\System32\svxaag\msfesf.exe
    C:\WINDOWS\System32\xvwodyv\pfqx.exe
    C:\WINDOWS\System32\rqpdt\pjgn.exe
    C:\WINDOWS\system32\FireDaemon.EXE
    C:\WINDOWS\system32\Microsoft\wircd.exe
    C:\WINDOWS\System32\bbgv\utkgiu.exe
    C:\WINDOWS\system32\Microsoft\CRYPTO\MLI\FireDaemon.EXE
    C:\WINDOWS\System32\gbkpjal\yaupkmtb.exe
    C:\WINDOWS\System32\sagq\yfet.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, download and run missingfilesetup.exe. Then try Killbox again.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • MBKWBar

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


From within sc.zip, double click on sc.bat & allow it to run.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0271/
O2 - BHO: (no name) - {D75D9CF0-72C5-4E44-84E1-009965F673C4} - C:\WINDOWS\System32\abok.dll (file missing)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [yaupkmtb] C:\WINDOWS\System32\gbkpjal\yaupkmtb.exe
O4 - HKLM\..\Run: [Antiir Manager] winfix.exe
O4 - HKLM\..\Run: [Windows TM] Win32Sys.exe
O4 - HKLM\..\Run: [Sygates Personal Firewal] winsup.exe
O4 - HKLM\..\Run: [pjgn] C:\WINDOWS\System32\rqpdt\pjgn.exe
O4 - HKLM\..\Run: [Dash Once Clock Mode] C:\Documents and Settings\All Users\Application Data\Peakflapdashonce\32 lite.exe
O4 - HKLM\..\Run: [yfet] C:\WINDOWS\System32\sagq\yfet.exe
O4 - HKLM\..\Run: [adlpfk] C:\WINDOWS\System32\imiffbp\adlpfk.exe
O4 - HKLM\..\RunServices: [Windows TM] Win32Sys.exe
O4 - HKLM\..\RunServices: [Sygates Personal Firewal] winsup.exe
O4 - HKLM\..\RunServices: [Antiir Manager] winfix.exe
O4 - HKLM\..\RunServices: [WMI Application Interface] wmiapi.exe
O4 - HKLM\..\RunOnce: [Windows TM] Win32Sys.exe
O4 - HKCU\..\Run: [Windows TM] Win32Sys.exe
O4 - HKCU\..\Run: [Sygates Personal Firewal] winsup.exe
O4 - HKCU\..\Run: [Antiir Manager] winfix.exe
O4 - HKCU\..\Run: [MBKWBarManager] C:\Program Files\MBKWBar\TManager.exe
O4 - HKCU\..\RunOnce: [Windows TM] Win32Sys.exe
O8 - Extra context menu item: &Search - http://kb.bar.need2find.com/KB/menusearch.html?p=KB
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://lovefreegames.aavalue.com/LF...LFG-toolbar.cab
O21 - SSODL: Network Load Monitor - {CC3E6789-0120-1A20-04B0-087AFF6D2EA4} - C:\WINDOWS\System32\uinc.dll
O23 - Service: adlpfkimiffbp - Unknown owner - C:\WINDOWS\System32\imiffbp\adlpfk.exe
O23 - Service: bgtpvnmlces - Unknown owner - C:\WINDOWS\System32\vnmlces\bgtp.exe
O23 - Service: cdoeomapu - Unknown owner - C:\WINDOWS\System32\omapu\cdoe.exe
O23 - Service: msfesfsvxaag - Unknown owner - C:\WINDOWS\System32\svxaag\msfesf.exe
O23 - Service: pfqxxvwodyv - Unknown owner - C:\WINDOWS\System32\xvwodyv\pfqx.exe
O23 - Service: pjgnrqpdt - Unknown owner - C:\WINDOWS\System32\rqpdt\pjgn.exe
O23 - Service: FireDaemon Service: svchost1 (svchost1) - Unknown owner - C:\WINDOWS\system32\FireDaemon.EXE (file missing)
O23 - Service: UnrealIRCd - none - C:\WINDOWS\system32\Microsoft\wircd.exe
O23 - Service: utkgiubbgv - Unknown owner - C:\WINDOWS\System32\bbgv\utkgiu.exe
O23 - Service: FireDaemon Service: w2k (w2k) - Unknown owner - C:\WINDOWS\system32\Microsoft\CRYPTO\MLI\FireDaemon.EXE
O23 - Service: yaupkmtbgbkpjal - Unknown owner - C:\WINDOWS\System32\gbkpjal\yaupkmtb.exe
O23 - Service: yfetsagq - Unknown owner - C:\WINDOWS\System32\sagq\yfet.exe



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\WINDOWS\System32\gbkpjal\
    C:\WINDOWS\System32\rqpdt\
    C:\WINDOWS\System32\sagq\
    C:\WINDOWS\System32\imiffbp\
    C:\WINDOWS\System32\vnmlces\
    C:\WINDOWS\System32\omapu\
    C:\WINDOWS\System32\svxaag\
    C:\WINDOWS\System32\xvwodyv\
    C:\WINDOWS\system32\Microsoft\
    C:\WINDOWS\System32\bbgv\
    C:\WINDOWS\System32\gbkpjal\
    C:\WINDOWS\System32\sagq\
    C:\Documents and Settings\All Users\Application Data\Peakflapdashonce\
    C:\Program Files\MBKWBar\

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will take at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Double-click WinPFind.zip & extract the contents to a new folder at Drive C.

1. From within that folder, double click WinPFind.exe
2. Click Start Scan
3. Once the Scan is complete, it will create a report in a text file
4. Go to the WinPFind folder & locate WinPFind.txt
5. Post the results in your next reply!

** This program will scan large amounts of files on your computer for known patterns, so please be patient while it works as it can take a while, upwards of 30 minutes or more.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT AGAIN & extract the contents of TrackQoo.zip & double-click on TrackQoo1.vbs. Wait a few seconds and a Notepad window will pop up. Copy & paste those results in your next reply.
* If your antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this entire script to run, it's harmless!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Download fl.zip.
Extract the contents to a new folder on Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
  • WinPfind
  • TrackQoo1.vbs
  • Findlop.txt
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
 