# Solved: please help - can't remove this virus



## baileyear (Oct 25, 2005)

hi,

I think I've had some type of spyware virus for over a month. I'm using XP and can only operate in Safe Mode w/Networking for the last few weeks or so. It started with a bombardment of pop-ups (1800searchassistant, Winfixer, Internet Optimizer, Media Gateway, etc.) until one day I couldn't get into my regular desktop at all or use any programs.

Since then I started running in Safe Mode, started using Firefox, and downloaded Ad-Aware and Spybot. It's helped a little, but still I can only operate in Safe Mode and can't use programs.

A friend said I need to clean out my registry or do something with MSConfig, but I don't know what I'm doing...

I found this site today. I just cleared my Java cache and downloaded HijackThis; below is the logfile that came up.

Any help would be greatly appreciated!
Jeff

Logfile of HijackThis v1.99.1
Scan saved at 3:13:08 PM, on 10/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.icannnews.com/cgi-bin/PopupV3?ID={90F09427-8A81-F069-23F6-6E1847617201}&type=normal&mSkip=1&rnd=17534
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BD1FFB8-6007-408C-2B70-4FB6003CF5CE} - C:\WINDOWS\System32\tkujn.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SDWin32 Class - {7E47DAE5-B574-4CEA-94A0-D4EE0F34467D} - C:\WINDOWS\System32\mfcoy.dll
O2 - BHO: (no name) - {BC8D1004-33E9-2171-30E1-069E31954807} - C:\WINDOWS\System32\rvobctiw\ybomnfql.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll (file missing)
O3 - Toolbar: 180search Toolbar - {93CECBB2-6B1B-448D-91B9-72604EF70105} - C:\Program Files\180search Assistant Programs\180search Toolbar\180ST.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [mediapluscash.exe] C:\WINDOWS\System32\mediapluscash.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\zantzr.exe reg_run
O4 - HKLM\..\Run: [auqixx] C:\WINDOWS\System32\qmiq\auqixx.exe
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\YourMonitor
O4 - HKLM\..\Run: [ugsybyoq] C:\WINDOWS\System32\iargf\ugsybyoq.exe
O4 - HKLM\..\Run: [obfcnq] C:\WINDOWS\System32\gywbzp.exe r
O4 - HKLM\..\Run: [Media Gateway] C:\DOCUME~1\Jeff\LOCALS~1\Temp\MediaGateway.exe
O4 - HKLM\..\Run: [180sa] c:\program files\180search assistant\180sa.exe
O4 - HKLM\..\Run: [dcx] C:\WINDOWS\dcx.exe
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\etb\pokapoka67.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: cnda.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O23 - Service: auqixxqmiq - Unknown owner - C:\WINDOWS\System32\qmiq\auqixx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVmZgAA\command.exe
O23 - Service: ugsybyoqiargf - Unknown owner - C:\WINDOWS\System32\iargf\ugsybyoq.exe


----------



## brendandonhu (Jul 8, 2002)

Download and install Ewido Security Suite
During the installation, under *Additional Options* uncheck:
* Install background guard
* Install scan via context menu
Run Ewido. Click *OK* if you get an error message reading "Database could not be found!".
Click *Update* on the left side of the screen. Now click *Start Update*.
When the update is finished, exit Ewido.

Download and install CleanUp!

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Run *Ewido*. Choose *Scanner*>>*Complete System Scan*
Fix any problems Ewido finds.
Click *Save Report* and save a copy of this log to your Desktop. Post the contents of that log here.

Run *CleanUp!*. Click the *CleanUp!* button.
Restart your computer.

Post a new HijackThis log.


----------



## baileyear (Oct 25, 2005)

Thanks. Downloaded Ewido, but having trouble with the update (when I click "Start Update", nothing happens). Also, I'm only getting part of the Ewido window; the far right side of the screen cuts off.


----------



## brendandonhu (Jul 8, 2002)

Ok, continue with the instructions if Ewido won't run.
Also do an online virus scan and post the results.


----------



## baileyear (Oct 25, 2005)

OK, running the scans now. Will restart the computer after they finish.

Also, when I ran HijackThis, I didn't attempt to fix anything after the system scan, I just saved the logfile. Should I click the "Fix checked" button in HijackThis?


----------



## brendandonhu (Jul 8, 2002)

No, just post it and we'll tell you what to fix.


----------



## baileyear (Oct 25, 2005)

Ewido scan just finished (didn't run CleanUp! or restart yet).

But after the Ewido scan, I'm getting this warning message: The file "C:\Documents and Settings\Jeff\Local Settings\Temp\180SAAX.cab\clientax.dll" cannot be removed because it's embedded in the archive "C:\Documents and Settings\Jeff\Local Settings\Temp\180SAAX.cab". Do you want to remove the whole archive? ..... click YES or NO

It looks like 180 Search Assistant. What should I do?


----------



## brendandonhu (Jul 8, 2002)

Click Yes.


----------



## baileyear (Oct 25, 2005)

OK, got a similar warning message for "180saintscaller.exe" and removing the whole archive. I clicked yes for that too and the scan is finished. I'll run CleanUp! now.

Trying to post the Ewido report, but it's too long (63678 characters). Should I post it in 2 separate posts?


----------



## brendandonhu (Jul 8, 2002)

You can click "Post Reply" then "Manage Attachments" and upload it.


----------



## baileyear (Oct 25, 2005)

Nothing happens when I click "Manage Attachments". CleanUp! is done, restarting Windows now.


----------



## brendandonhu (Jul 8, 2002)

In Firefox's preferences, uncheck *Block popup windows* and try Manage Attachments again.


----------



## baileyear (Oct 25, 2005)

OK.


----------



## baileyear (Oct 25, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 5:36:33 PM, on 10/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.icannnews.com/cgi-bin/PopupV3?ID={90F09427-8A81-F069-23F6-6E1847617201}&type=normal&mSkip=1&rnd=17534
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BD1FFB8-6007-408C-2B70-4FB6003CF5CE} - C:\WINDOWS\System32\tkujn.dll (file missing)
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SDWin32 Class - {7E47DAE5-B574-4CEA-94A0-D4EE0F34467D} - C:\WINDOWS\System32\mfcoy.dll (file missing)
O2 - BHO: (no name) - {BC8D1004-33E9-2171-30E1-069E31954807} - C:\WINDOWS\System32\rvobctiw\ybomnfql.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll (file missing)
O3 - Toolbar: 180search Toolbar - {93CECBB2-6B1B-448D-91B9-72604EF70105} - C:\Program Files\180search Assistant Programs\180search Toolbar\180ST.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [auqixx] C:\WINDOWS\System32\qmiq\auqixx.exe
O4 - HKLM\..\Run: [ugsybyoq] C:\WINDOWS\System32\iargf\ugsybyoq.exe
O4 - HKLM\..\Run: [obfcnq] C:\WINDOWS\System32\gywbzp.exe r
O4 - HKLM\..\Run: [180sa] c:\program files\180search assistant\180sa.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: auqixxqmiq - Unknown owner - C:\WINDOWS\System32\qmiq\auqixx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVmZgAA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ugsybyoqiargf - Unknown owner - C:\WINDOWS\System32\iargf\ugsybyoq.exe


----------



## baileyear (Oct 25, 2005)

Trying the "online virus scan" now, through IE. I haven't used IE since the virus started, so I hope this works out OK.


----------



## brendandonhu (Jul 8, 2002)

Save or print these instructions in case you can't get online while fixing.

Start your computer in Safe Mode

Set Windows to Show all files.

Run *HijackThis* and click *Do a system scan only*.
Put a checkmark next to each of these entries and click *Fix Checked*.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.icannnews.com/cgi-bin/PopupV3?ID={90F09427-8A81-F069-23F6-6E1847617201}&type=normal&mSkip=1&rnd=17534

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O1 - Hosts: 216.39.69.102 view.atdmt.com

O2 - BHO: (no name) - {1BD1FFB8-6007-408C-2B70-4FB6003CF5CE} - C:\WINDOWS\System32\tkujn.dll (file missing)

O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll (file missing)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: SDWin32 Class - {7E47DAE5-B574-4CEA-94A0-D4EE0F34467D} - C:\WINDOWS\System32\mfcoy.dll (file missing)

O2 - BHO: (no name) - {BC8D1004-33E9-2171-30E1-069E31954807} - C:\WINDOWS\System32\rvobctiw\ybomnfql.dll

O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll (file missing)

O3 - Toolbar: 180search Toolbar - {93CECBB2-6B1B-448D-91B9-72604EF70105} - C:\Program Files\180search Assistant Programs\180search Toolbar\180ST.dll

O4 - HKLM\..\Run: [auqixx] C:\WINDOWS\System32\qmiq\auqixx.exe

O4 - HKLM\..\Run: [ugsybyoq] C:\WINDOWS\System32\iargf\ugsybyoq.exe

O4 - HKLM\..\Run: [obfcnq] C:\WINDOWS\System32\gywbzp.exe r

O4 - HKLM\..\Run: [180sa] c:\program files\180search assistant\180sa.exe

O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)

O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O23 - Service: ugsybyoqiargf - Unknown owner - C:\WINDOWS\System32\iargf\ugsybyoq.exe

Locate and delete these folders:
C:\WINDOWS\System32\rvobctiw\
C:\Program Files\180search Assistant Programs\
C:\Windows\System32\qmiq\
C:\Windows\System32\iargf\
c:\program files\180search assistant\

Reboot, and post a new HijackThis log. Still waiting on virus scan results.


----------
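
The triage the helper did by hand on the opening log and in the fix list just above (dangling `(file missing)`/`(no file)` registrations, O23 services with no vendor string, `about:blank` search pages, a ShellNext pointing at an HTTP URL, hosts-file and Trusted Zone changes, a non-Microsoft ActiveX download, a program launched from Temp, the adware names the poster reported, and random-looking file or folder names under System32, followed by the folders to delete) can be written down as a script. The following Python is an added example for this page, not HijackThis code and not anything the helper used; its rules are heuristics chosen here, and the embedded log is a constructed subset of the thread's first log. One check is not in the thread at all: a path component that is valid base64 for plain text is decoded, and `SmVmZgAA` from the cmdService entry decodes to `Jeff` plus two NUL bytes, which matches the profile name visible in the log and suggests (an inference, not something the thread states) that the dropper derived its folder name from the username.

```python
"""Offline triage of a HijackThis 1.99.x log (added example, not HijackThis code)."""
import base64
import re

# Adware names the original poster reported in the thread (substring match).
KNOWN_ADWARE = ("180search", "180sa", "winfixer", "internet optimizer",
                "media gateway", "mediagateway")
# (line prefix, lowercase substring, reason): what the helper fixed. "O1 " != O15.
SIMPLE_RULES = (
    ("", "(file missing)", "registration points at a file that no longer exists"),
    ("O23", "unknown owner", "service with no vendor string"),
    ("R", "= about:blank", "IE search/start page blanked by a hijacker"),
    ("R1", "shellnext = http", "Connection Wizard ShellNext points at a pop-up URL"),
    ("O1 ", "", "hosts file pins a domain to a fixed address"),
    ("O15 ", "", "site added to the IE Trusted Zone"),
)
# A flagged file's top-level folder under these is listed for deletion (longest first).
BASES = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\windows\\")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|ocx))", re.I)
# Constructed sample from the thread's first log; the ewido entry is a clean control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.icannnews.com/cgi-bin/PopupV3?ID={90F09427-8A81-F069-23F6-6E1847617201}&type=normal&mSkip=1&rnd=17534
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {1BD1FFB8-6007-408C-2B70-4FB6003CF5CE} - C:\WINDOWS\System32\tkujn.dll
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll (file missing)
O2 - BHO: (no name) - {BC8D1004-33E9-2171-30E1-069E31954807} - C:\WINDOWS\System32\rvobctiw\ybomnfql.dll
O4 - HKLM\..\Run: [auqixx] C:\WINDOWS\System32\qmiq\auqixx.exe
O4 - HKLM\..\Run: [Media Gateway] C:\DOCUME~1\Jeff\LOCALS~1\Temp\MediaGateway.exe
O4 - HKLM\..\Run: [180sa] c:\program files\180search assistant\180sa.exe
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVmZgAA\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

def looks_random(component):
    """Letters only, 4+ long, and a 'q' without 'u', under 25% vowels, or 5 consonants in a row."""
    n = component.lower()
    if not re.fullmatch(r"[a-z]{4,}", n):
        return False
    if "q" in n and "qu" not in n:
        return True
    if sum(c in "aeiou" for c in n) / len(n) < 0.25:
        return True
    return re.search(r"[^aeiou]{5}", n) is not None

def base64_name(component):
    """Text a name decodes to if it is valid base64 for 3+ ASCII letters (NULs stripped), else None."""
    try:  # validate=True rejects non-alphabet characters; bad length/padding raises too
        raw = base64.b64decode(component, validate=True).rstrip(b"\x00")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("ascii", errors="replace")
    return text if len(text) >= 3 and text.isalpha() else None

def triage_line(line):
    """Reasons one HijackThis entry deserves a closer look ([] if none)."""
    low = line.lower().replace("(no file)", "(file missing)")
    reasons = [why for prefix, needle, why in SIMPLE_RULES
               if line.startswith(prefix) and needle in low]
    if line.startswith("O16") and "microsoft.com" not in low:
        reasons.append("ActiveX control downloaded from a non-Microsoft site")
    if any(name in low for name in KNOWN_ADWARE):
        reasons.append("name matches adware reported in the thread")
    m = PATH_RE.search(line)
    if m:
        parts = m.group(1).split("\\")[1:]  # drop the drive letter
        if "temp" in (p.lower() for p in parts):
            reasons.append("program launched from a Temp directory")
        for comp in parts[:-1] + [re.sub(r"\.[^.]+$", "", parts[-1])]:
            if looks_random(comp):
                reasons.append("random-looking name '%s'" % comp)
            if decoded := base64_name(comp):
                reasons.append("name '%s' is base64 for '%s'" % (comp, decoded))
    return reasons

def folder_to_delete(line):
    """Top-level folder under a base directory holding the entry's file, or None."""
    m = PATH_RE.search(line)
    path = m.group(1) if m else ""
    for base in BASES:
        if path.lower().startswith(base):
            return path[:path.index("\\", len(base))] if "\\" in path[len(base):] else None
    return None

def triage(log):
    """Return (list of (entry, reasons), sorted folders to delete by hand)."""
    findings, folders = [], set()
    for line in (l.strip() for l in log.splitlines()):
        reasons = triage_line(line) if re.match(r"(?:R\d|O\d+) - ", line) else []
        if reasons:
            findings.append((line, reasons))
            folders.add(folder_to_delete(line))
    return findings, sorted(folders - {None})

if __name__ == "__main__":
    found, dirs = triage(SAMPLE_LOG)
    print(*("%s\n    -> %s" % (e, "; ".join(r)) for e, r in found), sep="\n")
    print("Folders to delete by hand:", *dirs, sep="\n    ")
```

Run as-is it reports ten of the eleven sample entries and the four folders the helper listed (plus the base64-named one); to use it on a real log, pass the file's text to `triage()`. The random-name rule is deliberately loose and will also flag legitimate short names such as `msdxm.ocx` (the &Radio toolbar in this log), which is why the output is a list to review, not a list to fix.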



## baileyear (Oct 25, 2005)

Virus scan progress is only at 42%. Going slow and might take a while. Doing the other stuff in the meantime.


----------



## baileyear (Oct 25, 2005)

Here are the virus scan results (this is it, right?). About to "Fix Checked" in HijackThis.

--

No Threats Detected!
Click on "Show" button to see more details

Virus Scan - (Risk Free) No Virus Detected [Hide]

Results: 
We have detected 0 infected files(s) with 0 virus(es) on your computer.

Trojan/Worm Check - (Risk Free) No Worm/Trojan Horse Detected [Hide]

What We Checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.

Results:
We have detected 0 Trojan horse programs(s) and worm(s) on your computer.


----------



## brendandonhu (Jul 8, 2002)

Yes, just need a new HijackThis log now.


----------



## baileyear (Oct 25, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 6:53:59 PM, on 10/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: auqixxqmiq - Unknown owner - C:\WINDOWS\System32\qmiq\auqixx.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVmZgAA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


----------



## brendandonhu (Jul 8, 2002)

Fix these in HijackThis and you should be clean
O23 - Service: auqixxqmiq - Unknown owner - C:\WINDOWS\System32\qmiq\auqixx.exe (file missing)

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVmZgAA\command.exe (file missing)

How's your computer running?


----------



## baileyear (Oct 25, 2005)

OK, it seems to be running OK! This is the first time in a while I'm connected through my regular desktop (without being in Safe Mode); however, it seems to be running slower than it was in Safe Mode, but it might've been like that to begin with.

I'm about to leave for a few hours. I don't have time to check everything and see how everything works, but the 1 or 2 things I did check (Winamp, internet) seem to be OK. Is it OK if I come back to this thread in 3 or 4 hours in case something is wrong or if there is anything else?

I also had a question:

I deleted those folders from my Program Files and from Windows\System32. However, I went to "Add/Remove Programs" in my Control Panel, and 180 Search Assistant still shows up there. I'll try to remove it later, but is that a problem? Also, there's a MediaGateway folder in Program Files. Should I delete that too?


Thanks for the help so far... this site is a blessing!

Thanks Brendan


----------



## brendandonhu (Jul 8, 2002)

Yes, uninstall 180Search and delete the MediaGateway folder.


----------



## baileyear (Oct 25, 2005)

OK. It's running better, but I'm still encountering problems.


1. When I first log into Windows, I receive an error message: AUN2SP.DLL - "Error loading AUNPS2.DLL .... the specific module could not be found"

2. After I click OK on the error message, my desktop loads up but 4 new "pop-up" icons started to appear on my desktop (Casino, Poker, etc.). I remember this was happening before my initial "crash" and I got hit with this.

3. I'm still getting some pop-ups. They're opening themselves up in Internet Explorer when I don't even have IE running.

4. I received a second error message: "NSIS Error"


I feel like the root of the problem is still there, and may start multiplying again.


----------



## brendandonhu (Jul 8, 2002)

Please download the l2mfix from
http://www.atribune.org/downloads/l2mfix.exe
or
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.


----------



## baileyear (Oct 25, 2005)

After I hit 1 and Enter, I got an error message "16 bit MS-DOS Subsystem", but I clicked "Ignore" and the Notepad log opened. Here's the log:

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{90F09427-8A81-F069-23F6-6E1847617201}"=""
"iebar"=" "
"acc=partos"=" "

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F39BE444-9CD8-4869-BCB6-619055D1C9D2}"=""
"{A1F24AD3-B390-4FD8-9320-1EC88FE93D87}"=""
"{00000000-0007-5041-4354-0020e48020af}"="12Ghosts Popup-Killer"
"{00000000-0008-5041-4354-0020e48020af}"="12-Popup"
"{47D78C3B-BE39-4FD8-8936-2E4DE7349322}"=""
"{80C193BC-B14A-4C3A-B2AA-FCB3A1DB2B94}"=""
"{047020DA-FEEA-4DD4-A05F-B2CDFDD3701C}"=""
"{50D90707-8817-4869-99EE-B17901735ED2}"=""
"{4F0DA95A-AF5C-4FE6-9F4E-75FD2CDBF3BE}"=""
"{3E1714B2-EF07-4266-B07D-84D074A3EBDA}"=""
"{79BCB00E-2CAF-4EEB-B82B-8B4111819199}"=""
"{60C9E1DD-55B0-4C84-919E-A5890EBDBC0C}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
Volume in drive C has no label.
Volume Serial Number is 3067-7039

Directory of C:\WINDOWS\System32

09/09/2005 01:35 PM Microsoft
09/08/2005 09:46 AM 401,408 w?nword.exe
09/08/2005 09:44 AM 401,408 l?***.exe
09/07/2005 05:16 AM dllcache
2 File(s) 802,816 bytes
2 Dir(s) 1,847,721,984 bytes free


----------



## baileyear (Oct 25, 2005)

sorry for all the delays.. can i get more help on this? .. things are running better, but still having those couple of problems and i fear i'll get hit hard again... i cant stay right now, i'll be on tonight after 11pm (been very busy unexpectedly) .. sorry for delays


----------



## Flrman1 (Jul 26, 2002)

Go to the link below and download the trial version of SpySweeper:

http://www.webroot.com/consumer/downloads/?WRSID=f6c7b1c8a8033dbbe5e92cfba4f9d769

Install it then check for updates. Run a full system scan and let it fix everything it finds.

Restart your computer then come back here and post a new Hijack This log.


----------



## baileyear (Oct 25, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 5:55:49 AM, on 10/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\win3206305812085.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\xyteovas\emlmgu.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\l?***.exe
C:\Program Files\sasi\dmra.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [ytof] C:\WINDOWS\ytof.exe
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\YourMonitor
O4 - HKLM\..\Run: [win3206305812085] C:\WINDOWS\win3206305812085.exe
O4 - HKLM\..\Run: [vhsamfp] c:\windows\system32\vhsamfp.exe -start
O4 - HKLM\..\Run: [ugsybyoq] C:\WINDOWS\System32\iargf\ugsybyoq.exe
O4 - HKLM\..\Run: [SWOD] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Pothw] C:\Program Files\Lqjbjiv\Yfujgk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [mfcoyc] C:\WINDOWS\System32\mfcoyc.exe
O4 - HKLM\..\Run: [kidexhf] C:\WINDOWS\System32\czegxr.exe r
O4 - HKLM\..\Run: [immin] C:\WINDOWS\mm15201518.a.Stub.exe
O4 - HKLM\..\Run: [Hcnzmw] C:\Program Files\Hpfljvz\Luebtp.exe
O4 - HKLM\..\Run: [emlmgu] C:\WINDOWS\System32\xyteovas\emlmgu.exe
O4 - HKLM\..\Run: [cC3SMFm] C:\WINDOWS\smybagpe.exe
O4 - HKLM\..\Run: [acnnrqa] C:\WINDOWS\System32\sdle\acnnrqa.exe
O4 - HKLM\..\Run: [:C=e] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [7EZs1fyo] C:\WINDOWS\bygibvr.exe
O4 - HKLM\..\Run: [0060] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Usoeuogg] C:\WINDOWS\System32\l?***.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [YourMonitor] C:\WINDOWS\YourMonitor.exe
O4 - HKCU\..\Run: [ctle2d] C:\WINDOWS\System32\ctle2d.exe
O4 - HKCU\..\Run: [Tedi] "C:\Program Files\sasi\dmra.exe" -vt rbnd
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVmZgAA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## Flrman1 (Jul 26, 2002)

** Before you proceed with the removal directions below you need to turn off SpySweeper's realtime protection as it will interfere with the changes we are trying to make.


Open Spysweeper and click on Options > Program Options.
Uncheck "load at windows startup". 
On the left click "shields" and then uncheck everything there. 
Uncheck "home page shield". 
Uncheck "automatically restore default without notification". 
Exit the program.
*Leave it disabled* until we are finished here.

*Download Cleanup from *Here* 

Open *Cleanup!* by double-clicking the icon on your desktop (or from the Start > All Programs menu). 
Click the *Options...* button on the right. 
Move the arrow down to "*Custom CleanUp!*" 
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins 
Delete Cookies 
Cleanup! All Users 
Click *OK* 
 *DO NOT RUN IT YET*

* *Click Here* and download Killbox and save it to your desktop.

* *Click here* for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

* Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find *Command Service*.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

* Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*O4 - HKLM\..\Run: [ytof] C:\WINDOWS\ytof.exe

O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\YourMonitor

O4 - HKLM\..\Run: [win3206305812085] C:\WINDOWS\win3206305812085.exe

O4 - HKLM\..\Run: [vhsamfp] c:\windows\system32\vhsamfp.exe -start

O4 - HKLM\..\Run: [ugsybyoq] C:\WINDOWS\System32\iargf\ugsybyoq.exe

O4 - HKLM\..\Run: [SWOD] C:\WINDOWS\exe82.exe

O4 - HKLM\..\Run: [Pothw] C:\Program Files\Lqjbjiv\Yfujgk.exe

O4 - HKLM\..\Run: [mfcoyc] C:\WINDOWS\System32\mfcoyc.exe

O4 - HKLM\..\Run: [kidexhf] C:\WINDOWS\System32\czegxr.exe r

O4 - HKLM\..\Run: [immin] C:\WINDOWS\mm15201518.a.Stub.exe

O4 - HKLM\..\Run: [Hcnzmw] C:\Program Files\Hpfljvz\Luebtp.exe

O4 - HKLM\..\Run: [emlmgu] C:\WINDOWS\System32\xyteovas\emlmgu.exe

O4 - HKLM\..\Run: [cC3SMFm] C:\WINDOWS\smybagpe.exe

O4 - HKLM\..\Run: [acnnrqa] C:\WINDOWS\System32\sdle\acnnrqa.exe

O4 - HKLM\..\Run: [:C=e] C:\WINDOWS\exe82.exe

O4 - HKLM\..\Run: [7EZs1fyo] C:\WINDOWS\bygibvr.exe

O4 - HKLM\..\Run: [0060] C:\WINDOWS\exe82.exe

O4 - HKCU\..\Run: [Usoeuogg] C:\WINDOWS\System32\l?***.exe

O4 - HKCU\..\Run: [YourMonitor] C:\WINDOWS\YourMonitor.exe

O4 - HKCU\..\Run: [ctle2d] C:\WINDOWS\System32\ctle2d.exe

O4 - HKCU\..\Run: [Tedi] "C:\Program Files\sasi\dmra.exe" -vt rbnd*

Next in Hijack This click on the "Config" button in the lower right corner. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Copy and paste the following line in that box:

*cmdService*

Click OK.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\ytof.exe

C:\WINDOWS\win3206305812085.exe

c:\windows\system32\vhsamfp.exe

C:\WINDOWS\System32\iargf\ugsybyoq.exe

C:\Program Files\Lqjbjiv\Yfujgk.exe

C:\WINDOWS\System32\mfcoyc.exe

C:\WINDOWS\System32\czegxr.exe

C:\WINDOWS\mm15201518.a.Stub.exe

C:\Program Files\Hpfljvz\Luebtp.exe

C:\WINDOWS\System32\xyteovas\emlmgu.exe

C:\WINDOWS\smybagpe.exe

C:\WINDOWS\System32\sdle\acnnrqa.exe

C:\WINDOWS\bygibvr.exe

C:\WINDOWS\exe82.exe

C:\WINDOWS\YourMonitor.exe

C:\WINDOWS\System32\ctle2d.exe

C:\Program Files\sasi\dmra.exe*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Delete these folders:

C:\Program Files\*Lqjbjiv*
C:\Program Files\*Hpfljvz*
C:\Program Files\*sasi*
C:\WINDOWS\*SmVmZgAA*
C:\WINDOWS\System32\*sdle*
C:\WINDOWS\System32\*xyteovas*
C:\WINDOWS\System32\*iargf*

* Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Restart back into Windows normally now.

* Run ActiveScan online virus scan *here*

When the scan is finished, anything that it cannot clean have it delete it. 
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan*
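The fix list above was built by reading the O4, O15 and O23 lines of the posted log and recognising which autostarts, trusted-zone entries and services do not belong. The script below is an added example, not part of this thread or of HijackThis, that automates the same triage over a few lines copied from the log. The allowlist of known-good entries and the flagging rules are this example's own assumptions; a real helper's knowledge of legitimate entries is far larger than this.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted earlier in
# this thread, trimmed to a handful so the example stays short.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ytof] C:\WINDOWS\ytof.exe
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\YourMonitor
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Pothw] C:\Program Files\Lqjbjiv\Yfujgk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [kidexhf] C:\WINDOWS\System32\czegxr.exe r
O4 - HKCU\..\Run: [Tedi] "C:\Program Files\sasi\dmra.exe" -vt rbnd
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O15 - Trusted Zone: *.media-motor.net
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVmZgAA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# Allowlist: this example's own assumption about which autostart entries are
# legitimate on this machine (Run value name -> expected executable file name).
KNOWN_GOOD_RUN = {
    "SunJavaUpdateSched": "jusched.exe",
    "NeroFilterCheck": "nerocheck.exe",
    "NeroCheck": "nerocheck.exe",
    "Spyware Doctor": "swdoctor.exe",
    "SpySweeper": "spysweeper.exe",
}
KNOWN_GOOD_SERVICE_OWNERS = {"ewido networks", "webroot software, inc."}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First drive-letter path ending in .exe, quoted or not; arguments are ignored.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def _triage_run(name, cmd):
    """Flag an O4 Run entry unless it matches the allowlist exactly."""
    m = EXE_RE.search(cmd)
    exe = m.group(1) if m else cmd.strip().strip('"')
    low = exe.lower()
    parent, _, base = low.rpartition("\\")
    if KNOWN_GOOD_RUN.get(name) == base:
        return None
    reasons = ["autostart not on the allowlist"]
    if parent in ("c:\\windows", "c:\\windows\\system32"):
        reasons.append("executable sits directly in the Windows or System32 directory")
    if m is None:
        reasons.append("command has no .exe extension")
    return Finding("O4", name, exe, reasons)


def _triage_service(svc, owner, path):
    """Flag an O23 service with no owner, a missing binary, or an unknown owner."""
    reasons = []
    if owner.lower() == "unknown owner":
        reasons.append("service has no registered owner")
    if "(file missing)" in path.lower():
        reasons.append("service binary is missing on disk")
    if owner.lower() not in KNOWN_GOOD_SERVICE_OWNERS:
        reasons.append("owner not on the allowlist")
    return Finding("O23", svc, path, reasons) if reasons else None


def triage(log_text):
    """Parse O4/O15/O23 lines and return the entries a helper would act on."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            f = _triage_run(m["name"], m["cmd"])
        elif m := O15_RE.match(line):
            # A site in IE's Trusted Zone runs with relaxed security settings;
            # legitimate software almost never needs that, so always flag it.
            f = Finding("O15", m["zone"], "", ["site added to the IE Trusted Zone"])
        elif m := O23_RE.match(line):
            f = _triage_service(m["svc"], m["owner"], m["path"])
        else:
            f = None
        if f:
            findings.append(f)
    return findings


def flagged(log_text, section):
    """Names of flagged entries for one HijackThis section (handy for checks)."""
    return {f.name for f in triage(log_text) if f.section == section}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name!r}: {'; '.join(f.reasons)}")
```

On the sample lines this flags exactly the Run entries, the Trusted Zone entry and the cmdService service that the post above tells the user to remove, and leaves the Java, Nero and Spyware Doctor entries alone. The allowlist is the weak point of such a script: an entry that merely is not recognised is a candidate for a closer look, not proof of malware, which is why the findings carry their reasons.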


----------



## Flrman1 (Jul 26, 2002)

Also do this:

Download DelDomains.inf from *here*.

Right-click DelDomains.inf and choose install.


----------



## baileyear (Oct 25, 2005)

sorry for more delays, i won't be on again until late tonight.. and might be like this for the next couple of days... thanks for all the help so far

Logfile of HijackThis v1.99.1
Scan saved at 3:33:21 PM, on 10/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

ActiveScan results

Incident Status Location

Adware:adware/cws No disinfected C:\Documents and Settings\Jeff\Favorites\LIVING\Find a Degree.lnk 
Spyware:spyware/surfsidekick No disinfected C:\WINDOWS\SYSTEM32\bk.exe 
Adware:adware/wupd No disinfected C:\WINDOWS\SYSTEM32\ide21201.vxd 
Adware:adware/iedriver No disinfected C:\WINDOWS\SYSTEM32\Searchx.htm 
Adware:adware/topspyware No disinfected C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp 
Adware:adware/imgiant No disinfected C:\PROGRAM FILES\joystick networks 
Adware:adware/gator No disinfected Windows Registry 
Possible Virus. No disinfected C:\!KillBox\dmra.exe 
Virus:Trj/Downloader.BYN Disinfected C:\Documents and Settings\Temporary Internet Files\Content.IE5\7HRD8UNL\trk_0008[1].exe 
Virus:VBS/Psyme.C No disinfected C:\Documents and Settings\Temporary Internet Files\Content.IE5\PEOQRN6S\TRACK8[1].CHM[track8.htm] 
Possible Virus. No disinfected C:\Documents and Settings\Temporary Internet Files\Content.IE5\UAJJ8CXR\!update-2774[1].0000 
Virus:Bck/Agent.ANU Disinfected C:\Program Files\ScreenSaver Manager\ehlbomi.exe 
Virus:Trj/Downloader.BYN Disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp 
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8HQ3SHYV\!update-2504[1].0000 
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8HQ3SHYV\!update-2514[1].0000 
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8HQ3SHYV\!update-2574[1].0000 
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CX6Z89MV\!update-2544[1].0000 
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CX6Z89MV\!update-2554[1].0000 
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CX6Z89MV\!update-2564[1].0000 
Adware:Adware/Alwaysupdatednews No disinfected C:\WINDOWS\system32\shopinst.exe


----------



## Flrman1 (Jul 26, 2002)

* Copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\Documents and Settings\Jeff\Favorites\LIVING\Find a Degree.lnk

C:\WINDOWS\SYSTEM32\bk.exe

C:\WINDOWS\SYSTEM32\ide21201.vxd

C:\WINDOWS\SYSTEM32\Searchx.htm

C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp

C:\WINDOWS\system32\shopinst.exe*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

* Restart back into Windows normally now.

* Run Kaspersky online virus scan *here*.

When the scan is finished, anything that it cannot clean have it delete it. 
- Save the results from the scan!

*Post a new HiJackThis log along with the results from Kaspersky scan*


----------



## baileyear (Oct 25, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 1:51:06 AM, on 10/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## baileyear (Oct 25, 2005)

Kaspersky results are too long.. added as an attachment


----------



## wdm2291 (Nov 5, 2004)

Hi baileyear,

You still have viruses/trojans that show up in the Kaspersky scan.

do a CTRL+ALT+DEL to open Task Manager and under running "processes" kill the following processes if you find them (click to select each and every occurrence of every one of them and kill them by clicking "end process"):

*shopinst.exe*

*istdownload[1].exe* <-- or anything that looks like this, it might not have the 1, might have a 2 or some other number instead, kill it anyway

*istsvc.exe

102_marketingsector_4_0_3_7.exe

avtisa.exe

cxtpls_loader.exe

SetupYourEnhancement67.exe

skytown.exe*

Now do the following (these instructions partly copied from flrman1's post):

Copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Make sure all files are showing (Click Start, open "My Computer", select the Tools menu, and click "Folder Options". Select the "View" tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders." Uncheck the "Hide protected operating system files (recommended)" option. Click Yes to confirm. Click ok.

* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\!KillBox\shopinst.exe

C:\Documents and Settings\Temporary Internet Files\Content.IE5\PEOQRN6S\istdownload[1].exe

C:\WINDOWS\system32\102_marketingsector_4_0_3_7.exe

C:\WINDOWS\system32\avtisa.exe

C:\WINDOWS\system32\cxtpls_loader.exe

C:\WINDOWS\system32\SetupYourEnhancement67.exe

C:\WINDOWS\system32\skytown.exe*

Now clean out your temp files (Click Start, Run, and type in %temp% and hit Enter or click OK). This should open your Temp folder. Delete every file in there.

Now open Internet Explorer, click on the Tools menu, and then Internet Options. On the general tab (which you should be on when the box opens up), click on "Delete Files" and put a check in the "Delete all offline content" checkbox and click OK. This might take quite a while. Then click Ok to close the Properties box.

After this, run Cleanup and let it finish.

Then close cleanup and reboot

Now go back to kaspersky and do another scan:

http://www.kaspersky.com/virusscanner

Save the scan results and post them back here

Wayne


----------



## baileyear (Oct 25, 2005)

in my Task Manager, I didn't see any of those 7 running "processes" .. here are new results from Kaspersky scan


----------



## Flrman1 (Jul 26, 2002)

Go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.

* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

*Post a new HiJackThis log along with the report from the Housecall scan*


----------



## baileyear (Oct 25, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 1:33:35 PM, on 10/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Trend Micro Housecall Virus Scan: 0 virus cleaned, 0 virus deleted

Results:
We have detected 0 infected file(s) with 0 virus(es) on your computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File | Associated Virus Name | Action Taken

Trojan/Worm Check: 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name | Trojan/Worm Type | Action Taken

Spyware Check: 8 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 8 spyware(s) on your computer. Only 0 out of 0 spywares are displayed:
- 0 spyware(s) passed, 0 spyware(s) no action available
- 8 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name | Spyware Type | Action Taken
COOKIE_1020 | Cookie | Removal successful
COOKIE_1198 | Cookie | Removal successful
COOKIE_1802 | Cookie | Removal successful
COOKIE_2798 | Cookie | Removal successful
COOKIE_2842 | Cookie | Removal successful
COOKIE_3182 | Cookie | Removal successful
SPYW_DYFUCA.L | Spyware | Removal successful
ADW_BLAZE.B | Adware | Removal successful

Microsoft Vulnerability Check: No vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 0 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level | Issue | How to Fix


----------



## wdm2291 (Nov 5, 2004)

Hi baileyear,

Your HijackThis log looks clean and that latest virus scan looks clean.

Please look to see if this folder is gone (if not, then delete it)

C:\*!KillBox*

Also, check to make sure the following folders are completely empty (if they aren't empty, then delete everything inside them. If you aren't able to, then boot to Safe Mode and try to empty them [the folders in bold]):

C:\Documents and Settings\Temporary Internet Files\Content.IE5\*PEOQRN6S*

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\*8HQ3SHYV*

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\*CX6Z89MV*

If these are all empty (and the !KillBox folder is gone), then, in normal mode, turn off System Restore - instructions here:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

Then reboot and turn System Restore back on and set a Restore Point.

How is everything running now?

You don't have Microsoft's service packs installed (SP1 and SP2). I strongly recommend you go to www.windowsupdate.com and download the service packs (SP2 has a lot of good security features).

Your Internet Explorer also needs updating as well (also at the windowsupdate site).

Also, you don't seem to have a firewall running. You definitely need one if your computer is online, and much more so if you have a broadband connection. There are a few excellent free ones you can download and install on your computer, such as:

ZoneAlarm: www.zonelabs.com

Sygate: http://smb.sygate.com/products/spf_standard.htm

Hope this helps,

Wayne


----------



## Flrman1 (Jul 26, 2002)

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

*Check this out* for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

*IMPORTANT!:* I highly recommend that you go to *Windows update* and install all "Critical Updates and Service Packs" except for Service Pack 2 *ASAP!*. This will patch numerous security holes in IE and Windows. Many baddies get on your machine by taking advantage of these vulnerabilities. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates *IMMEDIATELY!*

*Note:* At this time I do not recommend that you install Service Pack 2 until you have read the info at the following link and are sure that it is fully updated with the latest drivers etc..:

http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx


----------



## Flrman1 (Jul 26, 2002)

Also you do not have an antivirus. You need to get one ASAP! Try AVG free edition:

http://free.grisoft.com/doc/1


----------



## baileyear (Oct 25, 2005)

thanks flrman1 and wdm! .. everything is running great so far, but i haven't had the time to stay on for a long period of time yet.. i should be able to check it more during the week... but as far as i know, everything is running smoothly

a couple things:

1. this folder doesn't exist in my temp internet files folder - C:\Documents and Settings\Temporary Internet Files\Content.IE5\PEOQRN6S .. i think i might've accidentally deleted it awhile back

2. i went to the WindowsUpdate site.. but having trouble finding critical updates and service packs to download... im really kind of clueless, and i can only stay on for a couple minutes right now, but can't find anything on the site.. do you know where to look?

i didn't install an Anti-Virus yet.. i think not having one is why this happened.. a friend installed Ram for me, but didn't give me an anti-virus after he cleared everything.. i didn't know how to get one for free, thanks for those sites, i'll check them out as soon as i can, but am i running a risk by not having one for the next couple of days even though my computer is turned off?

thanks


----------



## Flrman1 (Jul 26, 2002)

If you go to the Windows update site, it should first ask to install an ActiveX control. It will then scan for updates and display a list of the high priority updates for you.

The files in the Temporary Internet Files folder should have been deleted when you followed my last directions to delete them in Internet Options. 

You do need to get the antivirus ASAP.


----------



## wdm2291 (Nov 5, 2004)

You're welcome, baileyear,



baileyear said:


> 1. this folder doesn't exist in my temp internet files folder - C:\Documents and Settings\Temporary Internet Files\Content.IE5\PEOQRN6S .. i think i might've accidentally deleted it awhile back


That's ok. Those folders inside the temp folders that have funny alphabet soup alphanumeric names (made up just of random capital letters and numbers, such as "PEOQRN6S" or "QTNPR8H2") can actually be deleted, and Windows will just create them again (with different, randomly generated names) when it thinks it needs more temp files space. (I don't mean "Content.IE5" [don't delete THAT one], I mean the folders inside that folder with the alphabet soup names).

I'm *NOT* suggesting you delete *ANY* such temp folders if you don't know what you're doing or have any questions about which you could delete and which you couldn't. You're better off not deleting any folders, (except the ones the experts tell you to delete).



baileyear said:


> i didn't install an Anti-Virus yet.. i think not having one is why this happened.. a friend installed Ram for me, but didn't give me an anti-virus after he cleared everything.. i didn't know how to get one for free, thanks for those sites, i'll check them out as soon as i can, but am i running a risk by not having one for the next couple of days even though my computer is turned off?
> thanks


If your computer is turned off, it can't pick up a virus, but when you do get back online, go get a free antivirus [like AVG] first thing (make that your first order of business if you possibly can).

Happy surfing :up:

Wayne


----------



## baileyear (Oct 25, 2005)

thanks a ton! .. everything is working great so far and you 3 guys really saved my ***..

1. i installed AVG

2. i updated at the Windows site a couple times.. how often should i do this? (never saw the word "service packs")

3. just curious, if i run my own Hi-Jack this log.. is there anything i should look out for? ... how do you guys locate the bad stuff?


----------



## Flrman1 (Jul 26, 2002)

1: :up:

2: You didn't see service pack 1 or service pack 2?

3: Save a log that you know is clean and compare new logs to it and take note of any changes. I don't recommend trying to fix things on your own. It takes quite a bit of experience to know how to remove a lot of the baddies. Some are simple, many are not.
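Flrman1's advice to keep a known-clean log and compare later ones against it, as an added Python example (not code from the thread or from HijackThis): it reads the persistent lines of two logs (the R/F/N/O entries and the running-process list), skips the per-scan header, case-folds paths so System32 and system32 match, and reports what appeared or disappeared. Both sample logs are constructed; anything under C:\EXAMPLE is a placeholder.

```python
# Added example (not from the thread): diff a fresh HijackThis log against a
# saved known-clean baseline. Sample logs below are constructed.
import re

VOLATILE = re.compile(r"^(Logfile of HijackThis|Scan saved at|Platform:|MSIE:)")  # per-scan header
ENTRY = re.compile(r"^[RFNO]\d{1,2} - ")  # section code (R0, O4, O16, O23 ...) then " - "

def parse_log(text):
    """Map a case-folded key to each persistent line (entries and processes)."""
    entries, in_procs = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # blank line closes the process list
            continue
        if VOLATILE.match(line):
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if ENTRY.match(line):  # case-fold: Windows paths are case-insensitive
            entries[line.lower()] = line
        elif in_procs:
            entries["proc " + line.lower()] = "Running process: " + line
    return entries

def diff_logs(baseline_text, new_text):
    """Return (added, removed): lines only in the new log / only in the baseline."""
    base, new = parse_log(baseline_text), parse_log(new_text)
    added = sorted(v for k, v in new.items() if k not in base)
    removed = sorted(v for k, v in base.items() if k not in new)
    return added, removed
BASELINE = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:13:08 PM, on 10/25/2005
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""
# Constructed follow-up scan: a new O4 entry and running process (placeholder
# path), the ewido service gone, NeroCheck differing only in path case.
NEW = r"""Scan saved at 9:02:11 AM, on 11/02/2005
Running processes:
C:\WINDOWS\System32\smss.exe
C:\EXAMPLE\placeholder.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PlaceholderEntry] C:\EXAMPLE\placeholder.exe
"""
```

Anything in the "added" list is what to ask the helpers about; a line that differs from the baseline only in capitalisation is not reported.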


----------



## Fanadril (Jan 25, 2007)

For those who "Still" have multiple Iexplorer.exe's running do this..... 

Check to see if you have Netpumper, Bitgrabber, or BitRoll installed in the "start > controlpanel > software > add/remove programs". If you have any of these installed, remove them, and then immediately check to see which of the following are also installed; 

CiD Help / CiD Manager 
Download Plugin for Internet Explorer 
Zone Media 

Delete any of these you have installed as well and if they request a verification code, put in the code it is displaying on the popup and this will unlock them, allowing you to delete them. 

I know this is against EVERYTHING they tell you about windows, but do a hard shutdown (I just unplugged my machine) and power back on. You should see the 2 iexplorer.exe's are gone! The problem is that the malware is bundled with Netpumper, Bitgrabber, and BitRoll, which are file share programs. After 6 months of having this problem, along with the @ssociated popups and excessive CPU usage, I am finally free of them!!! I hope this helps anyone still in need!


----------



## Flrman1 (Jul 26, 2002)

Hi Fanadril

Welcome to TSG! 

No offense to you, but this thread is very old so I'm closing it. Just a matter of procedure and keeping things tidy. Thanks for the info anyway.

FYI: The infection you describe/had is from a well known malware called LOP:

http://www.spywareinfo.com/articles/lop/


----------

