Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Help! HijackThis will not open


  • Please log in to reply
22 replies to this topic

#1 Sunny1

Sunny1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 02 June 2006 - 12:37 PM

I downloaded the Zip file for HijackThis. I extracted it to its own folder. I put a shortcut on the desktop. I right clicked on it and clicked open. An information box opened and closed before I could read it. I tried to open the program again several times. It opened for a split second and closed. I tried to open it from the folder, same thing. I am using Windows XP. My browser is being hijacked as we speak. I am about ready to pitch the pc out the door. Sunny1

    Advertisements

Register to Remove


#2 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 02 June 2006 - 12:58 PM

Welcome to the forum :wavey:

Try this:

Links to Hijack This! v 1.99.1:

Hijack This! (© Merijn) at tools.radiosplace.com

Hijack This! (© Merijn) at spywarewarrior.com

<right-click> on one of the links above, and choose "Save target as", save it as "friday.exe" into the folder you currently have HijackThis! in.

Navigate to that folder, and <double-click> on the "friday.exe" file.

See if it will run.
:)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#3 Sunny1

Sunny1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 02 June 2006 - 01:00 PM

Its me again. I opened the pc in safe mode. HijackThis opened fine. I retrieved a log.

Logfile of HijackThis v1.99.1
Scan saved at 2:39:54 PM, on 6/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Loris\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=userinit.exe,oniqjxa.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [yejjfyfA] C:\WINDOWS\yejjfyfA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms075613-187714] C:\WINDOWS\ms075613-187714.exe
O4 - HKLM\..\Run: [w0989c85.dll] RUNDLL32.EXE w0989c85.dll,I2 0010750700989c85
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinnqez.exe GID003
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinnqez.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\l8l60i3se8.dll
O23 - Service: aol software (Aol Software) - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yejjfyf.exe

#4 Sunny1

Sunny1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 02 June 2006 - 01:18 PM

Thank you Micah_6:8
The Nasties were not looking to stop Friday.exe from running :rofl:
Here is the new log

Logfile of HijackThis v1.99.1
Scan saved at 3:05:52 PM, on 6/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe
C:\WINDOWS\System32\libsys32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\yejjfyf.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\yejjfyfA.exe
C:\WINDOWS\ms075613-187714.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\defender25.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Loris\My Documents\HijackThis\Friday.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=userinit.exe,oniqjxa.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [yejjfyfA] C:\WINDOWS\yejjfyfA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms075613-187714] C:\WINDOWS\ms075613-187714.exe
O4 - HKLM\..\Run: [w0989c85.dll] RUNDLL32.EXE w0989c85.dll,I2 0010750700989c85
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinnqez.exe GID003
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinnqez.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{319A9E64-1E5C-4862-BF4E-735E5BDD26F4}: NameServer = 66.19.192.200 216.126.128.40
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\p48q0el5ehq.dll
O23 - Service: aol software (Aol Software) - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yejjfyf.exe

#5 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 02 June 2006 - 02:31 PM

Please download Look2Me-Destroyer.exe to the Desktop.

-Close all windows before continuing.
-Double-click Look2Me-Destroyer.exe to run it.
-Put a check next to Run this program as a task.

You will receive a message saying: Look2Me-Destroyer will close and re-open…
Click OK
When Look2Me-Destroyer re-opens**, click the Scan for L2M button
(Desktop icons disappear, this is normal.)
Once the program is done scanning, click the Remove L2M button.

(**If Look2Me-Destroyer does not reopen, do the following:
Go to Start > Run, and type in: sc start schedule
Press: Enter)

When a Done Scanning message appears, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK
The computer will then shutdown.

Turn the computer back on.

Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

There are several other infections present.

You'll probably still have to use "friday.exe" for a bit.
:)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#6 Sunny1

Sunny1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 02 June 2006 - 06:22 PM

Thanks Micah_6:8
Look2Me-Destroyer would not close and re-open. Even the Start>Run and type in sc start schedule did not restart it. So I borrowed a page from your book and downloaded it again and saved it as Tuesday.exe
So I have the Look2Me-Destroyer.txt followed by another HijackThis log


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/2/2006 7:56:07 PM

Infected! C:\WINDOWS\system32\q6rqlg9516.dll
Infected! C:\WINDOWS\system32\sJfrdm.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012948.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012956.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012960.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012963.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012971.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013969.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013973.dll
Infected! C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013976.dll
Infected! C:\WINDOWS\system32\acrsvc.dll
Infected! C:\WINDOWS\system32\alferror.dll
Infected! C:\WINDOWS\system32\axpmgr.dll
Infected! C:\WINDOWS\system32\donet.dll
Infected! C:\WINDOWS\system32\dyskmon.dll
Infected! C:\WINDOWS\system32\en8ql1l51.dll
Infected! C:\WINDOWS\system32\fOultrep.dll
Infected! C:\WINDOWS\system32\gp2ql3f51.dll
Infected! C:\WINDOWS\system32\h60q0gd5e60.dll
Infected! C:\WINDOWS\system32\hr6u05j9e.dll
Infected! C:\WINDOWS\system32\hrru0599e.dll
Infected! C:\WINDOWS\system32\ir24l5fq1.dll
Infected! C:\WINDOWS\system32\j60slgd7160.dll
Infected! C:\WINDOWS\system32\kvdlv1.dll
Infected! C:\WINDOWS\system32\l0l60a3sed.dll
Infected! C:\WINDOWS\system32\l4n40e5qeh.dll
Infected! C:\WINDOWS\system32\lv2009fme.dll
Infected! C:\WINDOWS\system32\lv4o09h3e.dll
Infected! C:\WINDOWS\system32\lvj4091qe.dll
Infected! C:\WINDOWS\system32\lvrq0995e.dll
Infected! C:\WINDOWS\system32\mvn0l95m1.dll
Infected! C:\WINDOWS\system32\mvrml9911.dll
Infected! C:\WINDOWS\system32\mzvidctl.dll
Infected! C:\WINDOWS\system32\r48s0el7ehq.dll
Infected! C:\WINDOWS\system32\rhcdll.dll
Infected! C:\WINDOWS\system32\sJfrdm.dll
Infected! C:\WINDOWS\system32\uzrvoica.dll
Infected! C:\WINDOWS\System32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\sJfrdm.dll
C:\WINDOWS\system32\sJfrdm.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012948.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012948.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012956.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012956.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012960.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012960.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012963.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012963.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012971.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0012971.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013969.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013969.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013973.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013973.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013976.dll
C:\System Volume Information\_restore{A7D3969A-17E0-4085-880C-313C2F2A765D}\RP17\A0013976.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\acrsvc.dll
C:\WINDOWS\system32\acrsvc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\alferror.dll
C:\WINDOWS\system32\alferror.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\axpmgr.dll
C:\WINDOWS\system32\axpmgr.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\donet.dll
C:\WINDOWS\system32\donet.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dyskmon.dll
C:\WINDOWS\system32\dyskmon.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\en8ql1l51.dll
C:\WINDOWS\system32\en8ql1l51.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fOultrep.dll
C:\WINDOWS\system32\fOultrep.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\gp2ql3f51.dll
C:\WINDOWS\system32\gp2ql3f51.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\h60q0gd5e60.dll
C:\WINDOWS\system32\h60q0gd5e60.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hr6u05j9e.dll
C:\WINDOWS\system32\hr6u05j9e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrru0599e.dll
C:\WINDOWS\system32\hrru0599e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir24l5fq1.dll
C:\WINDOWS\system32\ir24l5fq1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j60slgd7160.dll
C:\WINDOWS\system32\j60slgd7160.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kvdlv1.dll
C:\WINDOWS\system32\kvdlv1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\l0l60a3sed.dll
C:\WINDOWS\system32\l0l60a3sed.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\l4n40e5qeh.dll
C:\WINDOWS\system32\l4n40e5qeh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lv2009fme.dll
C:\WINDOWS\system32\lv2009fme.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lv4o09h3e.dll
C:\WINDOWS\system32\lv4o09h3e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lvj4091qe.dll
C:\WINDOWS\system32\lvj4091qe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lvrq0995e.dll
C:\WINDOWS\system32\lvrq0995e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mvn0l95m1.dll
C:\WINDOWS\system32\mvn0l95m1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mvrml9911.dll
C:\WINDOWS\system32\mvrml9911.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mzvidctl.dll
C:\WINDOWS\system32\mzvidctl.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\r48s0el7ehq.dll
C:\WINDOWS\system32\r48s0el7ehq.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rhcdll.dll
C:\WINDOWS\system32\rhcdll.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\sJfrdm.dll
C:\WINDOWS\system32\sJfrdm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\uzrvoica.dll
C:\WINDOWS\system32\uzrvoica.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5C636E6E-1EA7-4728-B7B9-3C4D85990C48}"
HKCR\Clsid\{5C636E6E-1EA7-4728-B7B9-3C4D85990C48}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A9D3A63F-061C-47D7-8549-C6934A767068}"
HKCR\Clsid\{A9D3A63F-061C-47D7-8549-C6934A767068}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{489919E2-9E61-43C5-8FA6-137871DEBAFC}"
HKCR\Clsid\{489919E2-9E61-43C5-8FA6-137871DEBAFC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5CAA5D53-98F6-404A-A2E5-81E0FEDC07E7}"
HKCR\Clsid\{5CAA5D53-98F6-404A-A2E5-81E0FEDC07E7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4DF55A78-AD08-4255-AC5A-0623F1DB5A33}"
HKCR\Clsid\{4DF55A78-AD08-4255-AC5A-0623F1DB5A33}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5ED71346-D822-4DEA-A4FA-7B5759256EBE}"
HKCR\Clsid\{5ED71346-D822-4DEA-A4FA-7B5759256EBE}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C310E2B3-F520-4922-AEBB-0C9900D0E3D8}"
HKCR\Clsid\{C310E2B3-F520-4922-AEBB-0C9900D0E3D8}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E35DBF3D-9664-4B13-B610-621D224C2D58}"
HKCR\Clsid\{E35DBF3D-9664-4B13-B610-621D224C2D58}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9BA52B8F-3376-4A3A-9E93-2E03270E40DD}"
HKCR\Clsid\{9BA52B8F-3376-4A3A-9E93-2E03270E40DD}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{23618C8D-05C8-467A-BF7C-9C2815A5C628}"
HKCR\Clsid\{23618C8D-05C8-467A-BF7C-9C2815A5C628}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AC444F57-86BB-4A14-B76C-DC99F2617A5A}"
HKCR\Clsid\{AC444F57-86BB-4A14-B76C-DC99F2617A5A}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


Logfile of HijackThis v1.99.1
Scan saved at 8:03:14 PM, on 6/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe
C:\WINDOWS\System32\libsys32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\yejjfyf.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\yejjfyfA.exe
C:\WINDOWS\ms075613-187714.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\defender25.exe
C:\WINDOWS\system32\owinnqez.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Loris\My Documents\HijackThis\Friday.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=userinit.exe,oniqjxa.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [yejjfyfA] C:\WINDOWS\yejjfyfA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms075613-187714] C:\WINDOWS\ms075613-187714.exe
O4 - HKLM\..\Run: [w0989c85.dll] RUNDLL32.EXE w0989c85.dll,I2 0010750700989c85
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinnqez.exe GID003
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinnqez.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: aol software (Aol Software) - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yejjfyf.exe

#7 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 02 June 2006 - 06:40 PM

Look2Me-Destroyer would not close and re-open. Even the Start>Run and type in sc start schedule did not restart it. So I borrowed a page from your book and downloaded it again and saved it as Tuesday.exe

BRILLIANT!!! :thumbup:

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

Run Hijack This! (or "friday.exe")
Click "Do a systen scan only".
Then "check" the box to the left of these item(s):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe

F2 - REG:system.ini: UserInit=userinit.exe,oniqjxa.exe

O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe

O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe

O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe

O4 - HKLM\..\Run: [newname] C:\\newname25.exe

O4 - HKLM\..\Run: [yejjfyfA] C:\WINDOWS\yejjfyfA.exe

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe

O4 - HKLM\..\Run: [ms075613-187714] C:\WINDOWS\ms075613-187714.exe

O4 - HKLM\..\Run: [w0989c85.dll] RUNDLL32.EXE w0989c85.dll,I2 0010750700989c85

O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe

O4 - HKLM\..\Run: [defender] C:\\defender25.exe

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinnqez.exe GID003

O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe

O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe

O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinnqez.exe

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll

O23 - Service: aol software (Aol Software) - Unknown owner - C:\WINDOWS\smss.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yejjfyf.exe

Then click "Fix checked" and close Hijack This!.

Now, please go to:

Start --> Run

In the box type in services.msc then hit < Enter > (or click OK)

In the Name column look for:

aol software (Aol Software)

< Double-click > it.

In the dialogue box that pops up, check in the Path to executable box.

It should say: C:\WINDOWS\smss.exe

That's how to be sure you have the right one.

Now, click Stop to stop that rogue process.

In the Startup type box, change it to Disabled.

Click Apply then OK

In the Name column look for:

Command Service (cmdService)

< Double-click > it.

In the dialogue box that pops up, check in the Path to executable box.

It should say: C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe

That's how to be sure you have the right one.

Now, click Stop to stop that rogue process.

In the Startup type box, change it to Disabled.

Click Apply then OK

In the Name column look for:

Windows Overlay Components

< Double-click > it.

In the dialogue box that pops up, check in the Path to executable box.

It should say: C:\WINDOWS\yejjfyf.exe

That's how to be sure you have the right one.

Now, click Stop to stop that rogue process.

In the Startup type box, change it to Disabled.

Click Apply then OK

Close the services.msc window.

Reboot in "safe" mode.

Delete all of the following noted (in red) file(s)/FOLDER(s) you can find:

c:\defender25.exe <--- file

c:\keyboard25.exe <--- file

c:\newname25.exe <--- file

c:\program files\common files\svchostsys <--- FOLDER

c:\program files\webhancer <--- FOLDER

c:\windows\ms075613-187714.exe <--- file

c:\windows\smss.exe <--- file
(CAUTION: DELETE THIS "SMSS.EXE" FILE ONLY!!!)

c:\windows\sysc00.exe <--- file

c:\windows\system32\dmonwv.dll <--- file

c:\windows\system32\libsys32.exe <--- file

c:\windows\system32\owinnqez.exe <--- file

c:\windows\tg9yaxmgsibnyxrozw55 <--- FOLDER

c:\windows\yejjfyf.exe <--- file

c:\windows\yejjfyfa.exe <--- file

syslog32.exe <--- file

w0989c85.dll <--- file

Some malware files may be "hidden".
Be sure to show hidden files when looking for these file(s) and/or folder(s).

Reboot in normal mode and "copy/paste" a new HijackThis! log file into this thread. :)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#8 Sunny1

Sunny1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 03 June 2006 - 07:01 AM

This is the strangest experience ever with a computer. I tried to run HijackThis, no go. So I ran “Friday.exe. Browser windows started to pop up. I X’d them but they kept coming. I tried the “close group” option. The numbers went down then more popped up. At 61 windows I shut down the computer. I had to reboot in safe mode. It was as if the computer was demon possessed. It was bad.
It is getting better, slowly. I am still getting popups and unwanted browser windows. 6 at the moment.

HijackThis did not find:

O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe





I did not find
c:\program files\webhancer <--- FOLDER


Found c:\windows\system32\smss.exe I left it alone
c:\windows\smss.exe <--- file
(CAUTION: DELETE THIS "SMSS.EXE" FILE ONLY!!!)

Did not find
c:\windows\sysc00.exe <--- file
Found this file but it would not let me delete it. Access denied
c:\windows\system32\dmonwv.dll <--- file
Found this ones evil twin c:\windows\system32\owinqqez.exe I deleted it
c:\windows\system32\owinnqez.exe <--- file
Did not find
c:\windows\tg9yaxmgsibnyxrozw55 <--- FOLDER
Did not find
c:\windows\yejjfyf.exe <--- file
Did not find
c:\windows\yejjfyfa.exe <--- file
Did not find
syslog32.exe <--- file
Did not find
w0989c85.dll <--- file


HijackThis log as follows
Logfile of HijackThis v1.99.1
Scan saved at 8:06:31 AM, on 6/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Documents and Settings\Loris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oniqjxa.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#9 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 03 June 2006 - 07:23 AM

Please download the trial version of Ewido anti-malware 3.5 from here:
Ewido 3.5
  • Install Ewido anti-malware.
  • When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
  • When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.


______________________________
Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido and Reboot in Normal Mode.

Please post:
  • Ewido log
  • A new HijackThis log
:)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#10 Sunny1

Sunny1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 03 June 2006 - 09:25 AM

I will impliment your latest instuctions ASAP One other problem. I was checking out a Yahoo group I participate on. I was as happy as a mud puppy in a swamp when a box appeared in front of my face announcing that I had 30 seconds to save. It said This shutdown was initiated by NT AUTHORITY SYSTEM c:\windows\system32\lsass.exe has terminated unexpetedly statis code -1073741819 ISA shell [export version] encountered a problem and needed to close It shut off the computer and rebooted. When I logged on there was a box asking if I wanted to send or don't send an error report to microsoft. So I clicked send. It claimed it had sent the report so I clicked "more information" so I could figure out what the problem was. It came back with a box that said that The specified path does not exist. Check the path and try again. And now as I type this I have 8 intruder IE windows. Sunny1

    Advertisements

Register to Remove


#11 Sunny1

Sunny1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 03 June 2006 - 02:17 PM

Hi again Micah_6:8

Sorry I took so long. Life happens B)

Ewido log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:54:08 PM, 6/3/2006
+ Report-Checksum: 93223CBD

+ Scan result:

HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-2000478354-492894223-1957994488-1003\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-2000478354-492894223-1957994488-1003\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-18\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
[704] C:\WINDOWS\System32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\ac2_0003.exe -> Downloader.Small.cpu : Cleaned with backup
C:\comscore.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Desktop\TagASaurus.exe -> Hijacker.Small : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\ac2[1].txt -> Downloader.Agent.ahv : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\defender24[1].exe -> Hijacker.VB.ly : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\drsmartload46a[1].exe -> Downloader.Adload.bq : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\drsmartload[2].exe -> Downloader.Adload.bt : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\Installer[2].exe -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\keyboard22[1].exe -> Backdoor.VB.ary : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\newname22[1].exe -> Hijacker.VB.no : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\SS1001[1].exe -> Dropper.Small.qn : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EF034WD\ZIGID003[1].exe -> Adware.ZenoSearch : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\comscore[1].exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\defender22[1].exe -> Hijacker.VB.ly : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\defender25[1].exe -> Downloader.Adload.bx : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\drsmartload45a[1].exe -> Downloader.Adload.bq : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\drsmartload[1].exe -> Downloader.Adload.bv : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\keyboard23[1].exe -> Backdoor.VB.ary : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\keyboard24[1].exe -> Backdoor.VB.ary : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\numbsoft[1].exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\visfx500[1].exe -> Dropper.Agent.aie : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\6675IXQN\webnexmk[1].exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\ac2_0003[1].exe -> Downloader.Small.cpu : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\comscore[1].exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\defender23[1].exe -> Downloader.VB.adw : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\drsmartload44a[1].exe -> Downloader.Adload.bq : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\drsmartload849a[1].exe -> Downloader.Adload.bq : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\drsmartload849a[2].exe -> Downloader.Adload.bo : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\installerwnus[1].exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\keyboard25[1].exe -> Hijacker.StartPage.aju : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\QX3GGBIF\newname23[1].exe -> Downloader.VB.adw : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\drift[1].exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\drma[1].exe -> Downloader.Adload.bo : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\newname24[1].exe -> Downloader.VB.adw : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\newname25[1].exe -> Downloader.VB.abm : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\NNSCAA638[1].EXE -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\reloc[1].exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\USTU186A\stub_113_4_0_4_0[1].exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\daED.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\daF2.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\i5F.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\i68.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr1152 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr1F7E -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr2BEC -> Hijacker.VB.ij : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr2E8B -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr3ED4 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr4834 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr5968 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr5C78 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr612A -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr6AE0 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.fr72AB -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.frCE99 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Loris\Local Settings\Temp\temp.frD1BC -> Adware.Look2Me : Cleaned with backup
C:\drsmartload1.exe -> Downloader.Adload.bv : Cleaned with backup
C:\drsmartload849a.exe -> Downloader.Adload.bo : Cleaned with backup
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\numbsoft.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Program Files\Common Files\misc001\webhc1.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\Program Files\Common Files\Μicrosoft\wuaclt.exe -> Downloader.PurityScan.cl : Cleaned with backup
C:\Program Files\Messenger\horelod.dll -> Downloader.Small.ctp : Cleaned with backup
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\Program Files\PECarlin\PECarlin.exe -> Adware.CASClient : Cleaned with backup
C:\Program Files\Snowball Wars\SnowballWars.exe -> Dropper.VB.mz : Cleaned with backup
C:\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
C:\stub_113_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\warebundle.exe -> Adware.Look2Me : Cleaned with backup
C:\webnexmk.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\drsmartload45a.exe -> Downloader.Adload.bq : Cleaned with backup
C:\WINDOWS\drsmartload46a.exe -> Downloader.Adload.bq : Cleaned with backup
C:\WINDOWS\drsmartload849a.exe -> Downloader.Adload.bq : Cleaned with backup
C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\installerwnus.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup
C:\WINDOWS\services.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\smss.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\spoolsv.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\cool.exe -> Backdoor.SdBot : Cleaned with backup
C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\WINDOWS\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\f.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINDOWS\system32\lwintqez.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\pkdsregk.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\pmdsregs.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\pndsregj.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\pndsregk.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\ppdsregp.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\psdsregr.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rwinpqez.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\setup_57007.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\setup_65506.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\setup_78713.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\sgamk.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\system32\swinlqez.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\swinoqez.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\twinoqez.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\w0035d51.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w01b38cf.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0266f11.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0989c85.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\ZICORN003.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\Temp\ac2_0004.exe -> Downloader.Small.cpu : Cleaned with backup
C:\WINDOWS\Temp\bw2.com -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\Temp\i47.tmp -> Adware.SurfSide : Cleaned with backup
C:\WINDOWS\Temp\i5C.tmp -> Adware.SurfSide : Cleaned with backup
C:\WINDOWS\Temp\i8B.tmp -> Adware.SurfSide : Cleaned with backup
C:\WINDOWS\Temp\pre.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\TG9yaXMgSiBNYXRoZW55\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup
C:\WINDOWS\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\yejjfyf.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\yejjfyfA.exe -> Hijacker.VB.ij : Cleaned with backup
C:\ZIGID003.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 3:59:08 PM, on 6/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Loris\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oniqjxa.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


Thank you for your kindness. Isaiah 1:17 comes to mind Thank you for pleading the case of this widow and protecting me from the bad guys. :)

Sunny1

#12 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 03 June 2006 - 02:22 PM

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

Run Hijack This!
Click "Do a systen scan only".
Then "check" the box to the left of these item(s):

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oniqjxa.exe

O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)

Then click "Fix checked" and close Hijack This!.

Reboot in "safe" mode.

Delete all of the following noted (in red) file(s)/FOLDER(s) you can find:

C:\WINDOWS\System32\escny.exe <-- file

C:\WINDOWS\TG9yaXMgSiBNYXRoZW55 <-- FOLDER

Some malware files may be "hidden".
Be sure to show hidden files when looking for these file(s) and/or folder(s).

Reboot in normal mode and "copy/paste" a new HijackThis! log file into this thread. :)

Edited by Micah_6:8, 03 June 2006 - 02:59 PM.

Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#13 Sunny1

Sunny1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 03 June 2006 - 04:44 PM

I did as instructed but the items are still in the HijackThis log

I did a search for escny.exe results were no file found except in
c:\windows\PREFETCH\escny.exe-38B4EEFA.pf
I put it in the recycle bin

HijackThis log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 6:28:17 PM, on 6/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Loris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oniqjxa.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#14 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 03 June 2006 - 05:23 PM

  • Download Brute Force Uninstaller to your C:\
  • Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
  • Download qoofix.bat (rightclick on this link and choose save as)
  • Place qoofix.bat in your C:\BFU - folder. (Important!)
  • Doubleclick qooFix.bat, Close all browsers and explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted, "fix" the items below with HijackThis! (if they still exist):

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oniqjxa.exe
  • Boot in "safe" mode, and run Ewido once more.
  • Boot in regular mode and post a new HijackThis! log.

Edited by Micah_6:8, 03 June 2006 - 07:16 PM.

Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#15 Sunny1

Sunny1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 03 June 2006 - 10:37 PM

I did as instructed. Here is the latest HijackThis log I am going to sleep :wavey:
Sunny1

Logfile of HijackThis v1.99.1
Scan saved at 12:19:29 AM, on 6/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Documents and Settings\Loris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Related Topics



1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users