Spyware Warrior Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

hijack this log reinstalled windows and still get pop-ups

 
FTA_2004

Posted: Tue Apr 05, 2005 5:25 pm    Post subject: hijack this log reinstalled windows and still get pop-ups

Logfile of HijackThis v1.99.1
Scan saved at 9:05:42 PM, on 4/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\lftifye\kniq.exe
C:\WINDOWS\System32\lftifye\kniq.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\System32\qcnvp\tloerjal.exe
C:\WINDOWS\System32\iaji\ntpfgulu.exe
C:\WINDOWS\IEXPLOR.EXE
C:\WINDOWS\WinTask.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\System32\vpnba\bwbbdtan.exe
C:\WINDOWS\System32\knudrl\ncwl.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\laneb.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\pbospd\wlyl.exe
C:\WINDOWS\System32\olii\gxadw.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\lexpps.exe
C:\WINDOWS\system\qwxtposhr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\rcdfunc.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\RitzPix\Our_Pictures.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\oljni\quymqje.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tiffany\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {FAA33778-D9EF-4CB7-8384-8A8E000E7758} - C:\WINDOWS\System32\gfok.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ygqppvpei] C:\WINDOWS\System32\wukzer.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitevbs32.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [tloerjal] C:\WINDOWS\System32\qcnvp\tloerjal.exe
O4 - HKLM\..\Run: [quymqje] C:\WINDOWS\System32\oljni\quymqje.exe
O4 - HKLM\..\Run: [kniq] C:\WINDOWS\System32\lftifye\kniq.exe
O4 - HKLM\..\Run: [ntpfgulu] C:\WINDOWS\System32\iaji\ntpfgulu.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [C:\WINDOWS\WinTask.exe] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [PopMark] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [bwbbdtan] C:\WINDOWS\System32\vpnba\bwbbdtan.exe
O4 - HKLM\..\Run: [ncwl] C:\WINDOWS\System32\knudrl\ncwl.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [sFsU3ng] laneb.exe
O4 - HKLM\..\Run: [xpjbend] C:\WINDOWS\System32\pflso\xpjbend.exe
O4 - HKLM\..\Run: [lrerjp] C:\WINDOWS\System32\xlidpoa\lrerjp.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [wlyl] C:\WINDOWS\System32\pbospd\wlyl.exe
O4 - HKLM\..\Run: [gxadw] C:\WINDOWS\System32\olii\gxadw.exe
O4 - HKLM\..\Run: [dhylwi] C:\WINDOWS\System32\gtnwlrdy\dhylwi.exe
O4 - HKLM\..\Run: [dlwag] C:\WINDOWS\System32\akwrrjcr\dlwag.exe
O4 - HKLM\..\Run: [AutoLoaderss3e1bdRVMXd] "C:\WINDOWS\System32\laneb.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [do38RhM9O] rcdfunc.exe
O4 - Startup: ShortKeys Lite.lnk = C:\Program Files\shortkey\SHORTKEY.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: RitzPix E-Z Print & Share.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmaster.com/contents/tm2002/oneclick/TMSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{127F2F4F-5C3C-4BDC-8F47-5F70E3DA0B20}: NameServer = 205.188.146.145
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dhylwigtnwlrdy - Unknown owner - C:\WINDOWS\System32\gtnwlrdy\dhylwi.exe
O23 - Service: dlwagakwrrjcr - Unknown owner - C:\WINDOWS\System32\akwrrjcr\dlwag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kniqlftifye - Unknown owner - C:\WINDOWS\System32\lftifye\kniq.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lrerjpxlidpoa - Unknown owner - C:\WINDOWS\System32\xlidpoa\lrerjp.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: quymqjeoljni - Unknown owner - C:\WINDOWS\System32\oljni\quymqje.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
_________________
Luke
TeMerc
Posted: Tue Apr 05, 2005 5:52 pm

OK, so is the log from here, or the machine:
http://www.spywarewarrior.com/viewtopic.php?p=72236&highlight=#72236

Please stop starting new threads.

Let me know.

This machine is still heavily infected. I am guessing you backed up old files and then reinstalled them again?
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
FTA_2004
Posted: Tue Apr 05, 2005 6:06 pm

Sorry about all the threads. After I did what was posted in the last thread, I could not get my computer to function at all, even in safe mode. I reinstalled Windows; the most recently posted log is from after I did this.
TeMerc
Posted: Tue Apr 05, 2005 11:12 pm

OK, sorry for the problem with that fix from the first thread. It turns out that the tool disabled something it wasn't supposed to, and on a few machines Windows was broken; again, sincerest apologies for that.

But, sadly, you're still quite infected, though.

Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.
You can do this by going to My Computer (Windows key+e), then double click on C:, then right click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible.


Please head over to either Trend Micro or Panda ActiveScan and do an online, free, full system scan. Be sure and have the 'Auto Clean' button checked.
Trend Micro
Panda ActiveScan

Go to: Start > Run > type " services.msc ", then click OK

Scroll down to see if any of the following services are listed:
dhylwigtnwlrdy
dlwagakwrrjcr
kniqlftifye
lrerjpxlidpoa
quymqjeoljni



If they are, for each one do the following:
Click it to highlight it, then <right-click> and select: Properties
Select and set "Service Status" option to "Stop"
Select: "Startup type" and set it to "Disabled", click Apply, then OK.

Reboot into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Also, enable the 'Show Hidden Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please go to 'Task Manager' by hitting Ctrl+Alt+Delete and 'End Task' on the following process(es):
C:\WINDOWS\System32\lftifye\kniq.exe
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\System32\qcnvp\tloerjal.exe
C:\WINDOWS\System32\iaji\ntpfgulu.exe
C:\WINDOWS\WinTask.exe
C:\WINDOWS\System32\vpnba\bwbbdtan.exe
C:\WINDOWS\System32\knudrl\ncwl.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\laneb.exe
C:\WINDOWS\System32\pbospd\wlyl.exe
C:\WINDOWS\System32\olii\gxadw.exe
C:\WINDOWS\system\qwxtposhr.exe
C:\WINDOWS\System32\rcdfunc.exe
C:\WINDOWS\System32\oljni\quymqje.exe


Search for, and delete, if found, the following files/folders:
C:\WINDOWS\System32\lftifye<<<<---folder
C:\WINDOWS\System32\pacis.exe <<<--file
C:\WINDOWS\System32\qcnvp<<<<---folder
C:\WINDOWS\System32\iaji<<<<---folder
C:\WINDOWS\System32\vpnba<<<<---folder
C:\WINDOWS\System32\knudrl<<<<---folder
C:\WINDOWS\System32\exp.exe <<<--file
C:\WINDOWS\System32\laneb.exe <<<--file
C:\WINDOWS\System32\pbospd<<<<---folder
C:\WINDOWS\System32\olii<<<<---folder
C:\WINDOWS\system\qwxtposhr.exe <<<--file
C:\WINDOWS\System32\rcdfunc.exe <<<--file
C:\WINDOWS\System32\oljni<<<<---folder
C:\WINDOWS\System32\gfok.dll <<<--file
C:\WINDOWS\System32\wukzer.exe <<<--file
C:\windows\system32\elitevbs32.exe<<<--file
C:\WINDOWS\System32\qcnvp<<<<---folder
C:\WINDOWS\System32\iaji<<<<---folder
C:\WINDOWS\IEXPLOR.EXE <<<--file ***NOTE SPELLING
C:\WINDOWS\WinTask.exe <<<--file
C:\WINDOWS\System32\exp.exe <<<--file
C:\WINDOWS\System32\pflso<<<<---folder
C:\WINDOWS\System32\xlidpoa<<<<---folder
C:\WINDOWS\System32\gtnwlrdy<<<<---folder
C:\WINDOWS\System32\akwrrjcr<<<<---folder
rcdfunc.exe <<<--file
AUNPS2.DLL<<<--file
E6F1873B.DLL<<<--file


While still in 'Safe Mode', run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)


O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O2 - BHO: (no name) - {FAA33778-D9EF-4CB7-8384-8A8E000E7758} - C:\WINDOWS\System32\gfok.dll (file missing)


O4 - HKLM\..\Run: [ygqppvpei] C:\WINDOWS\System32\wukzer.exe

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16

O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C

O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitevbs32.exe

O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe

O4 - HKLM\..\Run: [tloerjal] C:\WINDOWS\System32\qcnvp\tloerjal.exe

O4 - HKLM\..\Run: [quymqje] C:\WINDOWS\System32\oljni\quymqje.exe

O4 - HKLM\..\Run: [kniq] C:\WINDOWS\System32\lftifye\kniq.exe

O4 - HKLM\..\Run: [ntpfgulu] C:\WINDOWS\System32\iaji\ntpfgulu.exe

O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE

O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe

O4 - HKLM\..\Run: [C:\WINDOWS\WinTask.exe] C:\WINDOWS\WinTask.exe

O4 - HKLM\..\Run: [PopMark] C:\WINDOWS\WinTask.exe

O4 - HKLM\..\Run: [bwbbdtan] C:\WINDOWS\System32\vpnba\bwbbdtan.exe

O4 - HKLM\..\Run: [ncwl] C:\WINDOWS\System32\knudrl\ncwl.exe

O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe

O4 - HKLM\..\Run: [sFsU3ng] laneb.exe

O4 - HKLM\..\Run: [xpjbend] C:\WINDOWS\System32\pflso\xpjbend.exe

O4 - HKLM\..\Run: [lrerjp] C:\WINDOWS\System32\xlidpoa\lrerjp.exe

O4 - HKLM\..\Run: [wlyl] C:\WINDOWS\System32\pbospd\wlyl.exe

O4 - HKLM\..\Run: [gxadw] C:\WINDOWS\System32\olii\gxadw.exe

O4 - HKLM\..\Run: [dhylwi] C:\WINDOWS\System32\gtnwlrdy\dhylwi.exe

O4 - HKLM\..\Run: [dlwag] C:\WINDOWS\System32\akwrrjcr\dlwag.exe

O4 - HKLM\..\Run: [AutoLoaderss3e1bdRVMXd] "C:\WINDOWS\System32\laneb.exe"

O4 - HKCU\..\Run: [do38RhM9O] rcdfunc.exe



O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)


O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab

O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmaster.com/contents/tm2002/oneclick/TMSetup.cab


O23 - Service: dhylwigtnwlrdy - Unknown owner - C:\WINDOWS\System32\gtnwlrdy\dhylwi.exe

O23 - Service: dlwagakwrrjcr - Unknown owner - C:\WINDOWS\System32\akwrrjcr\dlwag.exe

O23 - Service: kniqlftifye - Unknown owner - C:\WINDOWS\System32\lftifye\kniq.exe

O23 - Service: lrerjpxlidpoa - Unknown owner - C:\WINDOWS\System32\xlidpoa\lrerjp.exe

O23 - Service: quymqjeoljni - Unknown owner - C:\WINDOWS\System32\oljni\quymqje.exe


Reboot into Normal mode and post a new HJT log please.

And again, sorry about that tool messing up Windows on you; as hard as we try, sometimes with these special tools it happens. Sorry your box had to be the one.
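Added example, not code from the original post or from the HijackThis tool: a small Python parser for HijackThis v1.99-style log lines that automates the triage TeMerc did by eye in the post above. It flags the patterns visible in the posted log: O2 BHOs whose file is missing, O4 Run values that load a DLL by bare name through rundll32, executables living in a lowercase randomly named subfolder of System32, one executable registered under several Run value names (IEXPLOR.EXE, WinTask.exe, laneb.exe in the log), basenames one character away from a genuine system binary (IEXPLOR.EXE versus IEXPLORE.EXE, the "NOTE SPELLING" item), and O23 services whose name is just the executable stem glued to its folder name (kniq + lftifye = kniqlftifye). The sample lines are a constructed subset copied from the posted log plus two benign entries for contrast; the rule names and the known-binary list are this example's own assumptions, not anything HijackThis defines.

```python
# Added example: parse HijackThis v1.99-style log lines and flag the entries a
# helper would pick out by hand. Not part of the original post or of HijackThis;
# the rule names and KNOWN_SYSTEM_EXES are this example's own assumptions.
import re
from collections import defaultdict

# Constructed sample input: a subset of the posted log plus two benign entries.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {FAA33778-D9EF-4CB7-8384-8A8E000E7758} - C:\WINDOWS\System32\gfok.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [kniq] C:\WINDOWS\System32\lftifye\kniq.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [sFsU3ng] laneb.exe
O4 - HKLM\..\Run: [AutoLoaderss3e1bdRVMXd] "C:\WINDOWS\System32\laneb.exe"
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kniqlftifye - Unknown owner - C:\WINDOWS\System32\lftifye\kniq.exe
O23 - Service: dhylwigtnwlrdy - Unknown owner - C:\WINDOWS\System32\gtnwlrdy\dhylwi.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
SVC_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
# First (possibly quoted) token ending in .exe: the program a Run value starts.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.I)
# rundll32 given a DLL by name only, so the loader resolves it by search order.
DLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",\s]+)', re.I)
# Lower-case alphabetic folder directly under System32 holding a lower-case exe.
RANDOM_DIR_RE = re.compile(r'^[a-z]:\\windows\\system32\\[a-z]+\\[a-z]+\.exe$')
# Assumed list of genuine Windows binaries that malware likes to imitate by name.
KNOWN_SYSTEM_EXES = {'iexplore.exe', 'explorer.exe', 'svchost.exe', 'winlogon.exe',
                     'services.exe', 'lsass.exe', 'wuauclt.exe', 'rundll32.exe'}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_path(cmd):
    """Lower-cased path of the executable a Run command launches, or None."""
    m = EXE_RE.match(cmd.strip())
    return m['exe'].lower() if m else None


def service_short_name(name):
    """'Long name (short)' -> 'short'; otherwise the name itself, lower-cased."""
    m = re.search(r'\(([^()]+)\)\s*$', name)
    return (m.group(1) if m else name).lower()


def _add(findings, rule, item):
    if item not in findings[rule]:
        findings[rule].append(item)


def triage(log_text):
    """Return {rule: [identifiers]} for every suspicious entry in the log text."""
    findings = defaultdict(list)
    run_values_by_exe = defaultdict(set)   # exe basename -> Run value names
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m and ('(no file)' in m['path'] or '(file missing)' in m['path']):
            _add(findings, 'orphan_bho', m['clsid'])
        m = RUN_RE.match(line)
        if m:
            name, cmd = m['name'], m['cmd'].strip()
            d = DLL_RE.match(cmd)
            if d and '\\' not in d['dll']:
                _add(findings, 'rundll32_bare_dll', name)
                continue
            path = exe_path(cmd)
            if path is None:
                continue
            exe = path.rsplit('\\', 1)[-1]
            run_values_by_exe[exe].add(name)
            if RANDOM_DIR_RE.match(path):
                _add(findings, 'random_system32_subdir', path)
            if exe not in KNOWN_SYSTEM_EXES and any(edit_distance(exe, k) == 1 for k in KNOWN_SYSTEM_EXES):
                _add(findings, 'lookalike_name', exe)
        m = SVC_RE.match(line)
        if m:
            path = m['path'].strip().strip('"').lower()
            parts = path.split('\\')
            if len(parts) >= 2:
                folder, stem = parts[-2], parts[-1].rsplit('.', 1)[0]
                if service_short_name(m['name']) == stem + folder:
                    _add(findings, 'service_named_from_path', m['name'])
            if RANDOM_DIR_RE.match(path):
                _add(findings, 'random_system32_subdir', path)
    # The same binary registered under two Run value names is a persistence tell.
    for exe, names in run_values_by_exe.items():
        if len(names) > 1:
            _add(findings, 'same_exe_several_run_values', exe)
    return dict(findings)


if __name__ == '__main__':
    for rule, items in triage(SAMPLE_LOG).items():
        print(f'{rule}:')
        for item in items:
            print(f'    {item}')
```

Run it as a script to print the findings for the sample, or call `triage()` on a full log pasted from the forum. Every rule here is a heuristic on naming and placement, not a verdict: a genuine product can fail one of them, so the output is a shortlist to verify against the running-process list and the file system, the way the helper's reply does.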