Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
FTA_2004 Newbie
Joined: 11 Mar 2005 Last Visit: 13 Jun 2005 Posts: 3
Posted: Tue Apr 05, 2005 5:25 pm Post subject: hijack this log reinstalled windows and still get pop-ups
Logfile of HijackThis v1.99.1
Scan saved at 9:05:42 PM, on 4/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\lftifye\kniq.exe
C:\WINDOWS\System32\lftifye\kniq.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\System32\qcnvp\tloerjal.exe
C:\WINDOWS\System32\iaji\ntpfgulu.exe
C:\WINDOWS\IEXPLOR.EXE
C:\WINDOWS\WinTask.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\System32\vpnba\bwbbdtan.exe
C:\WINDOWS\System32\knudrl\ncwl.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\laneb.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\pbospd\wlyl.exe
C:\WINDOWS\System32\olii\gxadw.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\lexpps.exe
C:\WINDOWS\system\qwxtposhr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\rcdfunc.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\RitzPix\Our_Pictures.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\oljni\quymqje.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tiffany\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {FAA33778-D9EF-4CB7-8384-8A8E000E7758} - C:\WINDOWS\System32\gfok.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ygqppvpei] C:\WINDOWS\System32\wukzer.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitevbs32.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [tloerjal] C:\WINDOWS\System32\qcnvp\tloerjal.exe
O4 - HKLM\..\Run: [quymqje] C:\WINDOWS\System32\oljni\quymqje.exe
O4 - HKLM\..\Run: [kniq] C:\WINDOWS\System32\lftifye\kniq.exe
O4 - HKLM\..\Run: [ntpfgulu] C:\WINDOWS\System32\iaji\ntpfgulu.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [C:\WINDOWS\WinTask.exe] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [PopMark] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [bwbbdtan] C:\WINDOWS\System32\vpnba\bwbbdtan.exe
O4 - HKLM\..\Run: [ncwl] C:\WINDOWS\System32\knudrl\ncwl.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [sFsU3ng] laneb.exe
O4 - HKLM\..\Run: [xpjbend] C:\WINDOWS\System32\pflso\xpjbend.exe
O4 - HKLM\..\Run: [lrerjp] C:\WINDOWS\System32\xlidpoa\lrerjp.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [wlyl] C:\WINDOWS\System32\pbospd\wlyl.exe
O4 - HKLM\..\Run: [gxadw] C:\WINDOWS\System32\olii\gxadw.exe
O4 - HKLM\..\Run: [dhylwi] C:\WINDOWS\System32\gtnwlrdy\dhylwi.exe
O4 - HKLM\..\Run: [dlwag] C:\WINDOWS\System32\akwrrjcr\dlwag.exe
O4 - HKLM\..\Run: [AutoLoaderss3e1bdRVMXd] "C:\WINDOWS\System32\laneb.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [do38RhM9O] rcdfunc.exe
O4 - Startup: ShortKeys Lite.lnk = C:\Program Files\shortkey\SHORTKEY.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: RitzPix E-Z Print & Share.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmaster.com/contents/tm2002/oneclick/TMSetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{127F2F4F-5C3C-4BDC-8F47-5F70E3DA0B20}: NameServer = 205.188.146.145
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dhylwigtnwlrdy - Unknown owner - C:\WINDOWS\System32\gtnwlrdy\dhylwi.exe
O23 - Service: dlwagakwrrjcr - Unknown owner - C:\WINDOWS\System32\akwrrjcr\dlwag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kniqlftifye - Unknown owner - C:\WINDOWS\System32\lftifye\kniq.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lrerjpxlidpoa - Unknown owner - C:\WINDOWS\System32\xlidpoa\lrerjp.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: quymqjeoljni - Unknown owner - C:\WINDOWS\System32\oljni\quymqje.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
_________________
Luke
FTA_2004 Newbie
Joined: 11 Mar 2005 Last Visit: 13 Jun 2005 Posts: 3
Posted: Tue Apr 05, 2005 6:06 pm Post subject:
Sorry about all the threads. After I did what was posted in the last thread, I could not get my computer to function at all, even in safe mode. I reinstalled Windows; the most recently posted log is from after I did this.
_________________
Luke
TeMerc Warrior Obsessed
Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 4953 Location: Phx. AZ.
Posted: Tue Apr 05, 2005 11:12 pm Post subject:
OK, sorry for the problem with that fix from the first thread. It turns out that the tool disabled something it wasn't supposed to, and on a few machines Windows was broken; again, sincerest apologies for that.
But, sadly, you're still quite infected, though.
Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.
You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible.
Please head over to either Trend Micro or Panda ActiveScan and do an online, free, full system scan. Be sure and have the 'Auto Clean' button checked.
Trend Micro
Panda ActiveScan
Go to: Start > Run > type " services.msc ", then click OK
Scroll down to see if any of the following services are listed:
dhylwigtnwlrdy
dlwagakwrrjcr
kniqlftifye
lrerjpxlidpoa
quymqjeoljni
If they are, for each one do the following:
Click it to highlight it, then <right-click> and select: Properties
Select and set "Service Status" option to "Stop"
Select: "Startup type" and set it to "Disabled", click Apply, then OK.
Reboot, into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.
Also, enable the 'Show Hidden Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Please go to 'Task Manager' by hitting Ctrl+Alt+Delete and 'End Task' on the following process(es):
C:\WINDOWS\System32\lftifye\kniq.exe
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\System32\qcnvp\tloerjal.exe
C:\WINDOWS\System32\iaji\ntpfgulu.exe
C:\WINDOWS\WinTask.exe
C:\WINDOWS\System32\vpnba\bwbbdtan.exe
C:\WINDOWS\System32\knudrl\ncwl.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\laneb.exe
C:\WINDOWS\System32\pbospd\wlyl.exe
C:\WINDOWS\System32\olii\gxadw.exe
C:\WINDOWS\system\qwxtposhr.exe
C:\WINDOWS\System32\rcdfunc.exe
C:\WINDOWS\System32\oljni\quymqje.exe
Search for, and delete, if found, the following files/folders:
C:\WINDOWS\System32\lftifye<<<<---folder
C:\WINDOWS\System32\pacis.exe <<<--file
C:\WINDOWS\System32\qcnvp<<<<---folder
C:\WINDOWS\System32\iaji<<<<---folder
C:\WINDOWS\System32\vpnba<<<<---folder
C:\WINDOWS\System32\knudrl<<<<---folder
C:\WINDOWS\System32\exp.exe <<<--file
C:\WINDOWS\System32\laneb.exe <<<--file
C:\WINDOWS\System32\pbospd<<<<---folder
C:\WINDOWS\System32\olii<<<<---folder
C:\WINDOWS\system\qwxtposhr.exe <<<--file
C:\WINDOWS\System32\rcdfunc.exe <<<--file
C:\WINDOWS\System32\oljni<<<<---folder
C:\WINDOWS\System32\gfok.dll <<<--file
C:\WINDOWS\System32\wukzer.exe <<<--file
C:\windows\system32\elitevbs32.exe<<<--file
C:\WINDOWS\System32\qcnvp<<<<---folder
C:\WINDOWS\System32\iaji<<<<---folder
C:\WINDOWS\IEXPLOR.EXE <<<--file ***NOTE SPELLING
C:\WINDOWS\WinTask.exe <<<--file
C:\WINDOWS\System32\exp.exe <<<--file
C:\WINDOWS\System32\pflso<<<<---folder
C:\WINDOWS\System32\xlidpoa<<<<---folder
C:\WINDOWS\System32\gtnwlrdy<<<<---folder
C:\WINDOWS\System32\akwrrjcr<<<<---folder
rcdfunc.exe <<<--file
AUNPS2.DLL<<<--file
E6F1873B.DLL<<<--file
While still in 'Safe Mode', run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {FAA33778-D9EF-4CB7-8384-8A8E000E7758} - C:\WINDOWS\System32\gfok.dll (file missing)
O4 - HKLM\..\Run: [ygqppvpei] C:\WINDOWS\System32\wukzer.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitevbs32.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [tloerjal] C:\WINDOWS\System32\qcnvp\tloerjal.exe
O4 - HKLM\..\Run: [quymqje] C:\WINDOWS\System32\oljni\quymqje.exe
O4 - HKLM\..\Run: [kniq] C:\WINDOWS\System32\lftifye\kniq.exe
O4 - HKLM\..\Run: [ntpfgulu] C:\WINDOWS\System32\iaji\ntpfgulu.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [C:\WINDOWS\WinTask.exe] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [PopMark] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [bwbbdtan] C:\WINDOWS\System32\vpnba\bwbbdtan.exe
O4 - HKLM\..\Run: [ncwl] C:\WINDOWS\System32\knudrl\ncwl.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [sFsU3ng] laneb.exe
O4 - HKLM\..\Run: [xpjbend] C:\WINDOWS\System32\pflso\xpjbend.exe
O4 - HKLM\..\Run: [lrerjp] C:\WINDOWS\System32\xlidpoa\lrerjp.exe
O4 - HKLM\..\Run: [wlyl] C:\WINDOWS\System32\pbospd\wlyl.exe
O4 - HKLM\..\Run: [gxadw] C:\WINDOWS\System32\olii\gxadw.exe
O4 - HKLM\..\Run: [dhylwi] C:\WINDOWS\System32\gtnwlrdy\dhylwi.exe
O4 - HKLM\..\Run: [dlwag] C:\WINDOWS\System32\akwrrjcr\dlwag.exe
O4 - HKLM\..\Run: [AutoLoaderss3e1bdRVMXd] "C:\WINDOWS\System32\laneb.exe"
O4 - HKCU\..\Run: [do38RhM9O] rcdfunc.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmaster.com/contents/tm2002/oneclick/TMSetup.cab
O23 - Service: dhylwigtnwlrdy - Unknown owner - C:\WINDOWS\System32\gtnwlrdy\dhylwi.exe
O23 - Service: dlwagakwrrjcr - Unknown owner - C:\WINDOWS\System32\akwrrjcr\dlwag.exe
O23 - Service: kniqlftifye - Unknown owner - C:\WINDOWS\System32\lftifye\kniq.exe
O23 - Service: lrerjpxlidpoa - Unknown owner - C:\WINDOWS\System32\xlidpoa\lrerjp.exe
O23 - Service: quymqjeoljni - Unknown owner - C:\WINDOWS\System32\oljni\quymqje.exe
Reboot into Normal mode and post a new HJT log please.
And again, sorry about that tool messing up Windows on you; try as we might, sometimes with these special tools it happens. Sorry your box had to be the one.
_________________
Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
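What TeMerc does by eye in the post above (pick out the Run values and services that live in throwaway System32 subfolders, match them against the running-process list, then turn that into an end-task / delete / disable / "Fix checked" list) can be scripted. The Python below is an added example written for this page; it is not from the thread, from HijackThis, or from Spyware Warrior. It parses a constructed excerpt of the log posted above and applies heuristics that are the editor's own, not HijackThis's: an image that runs from its own subfolder under System32, a Run value named after its own command path, rundll32 loading a DLL by bare file name, the same image registered under more than one Run value, and, for O23 lines, a service with no company name whose binary sits in a System32 subfolder or whose name is the executable name and folder name glued together (the kniqlftifye = kniq.exe + lftifye pattern visible in the log). The regexes for the O4 and O23 line shapes are inferred from the log lines on this page.

```python
"""Triage a HijackThis 1.99 log: flag suspicious O4 autoruns / O23 services, emit a cleanup plan."""
import ntpath  # Windows path semantics regardless of the host OS
import re
from collections import namedtuple
from itertools import takewhile

# Constructed sample input: an excerpt of the log posted above, not the full log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\lftifye\kniq.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\WinTask.exe
C:\WINDOWS\System32\laneb.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [kniq] C:\WINDOWS\System32\lftifye\kniq.exe
O4 - HKLM\..\Run: [C:\WINDOWS\WinTask.exe] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [PopMark] C:\WINDOWS\WinTask.exe
O4 - HKLM\..\Run: [sFsU3ng] laneb.exe
O4 - HKLM\..\Run: [AutoLoaderss3e1bdRVMXd] "C:\WINDOWS\System32\laneb.exe"
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dhylwigtnwlrdy - Unknown owner - C:\WINDOWS\System32\gtnwlrdy\dhylwi.exe
O23 - Service: kniqlftifye - Unknown owner - C:\WINDOWS\System32\lftifye\kniq.exe
"""

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")  # any "R0 - ", "O4 - ", "O23 - " entry line
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
IMAGE_RE = re.compile(r'^"?(?P<img>[^"]+?\.(?:exe|dll))"?(?:[\s,].*)?$', re.I)
SYS32_SUBDIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\\[^\\]+\.(?:exe|dll)$", re.I)
Plan = namedtuple("Plan", "end_processes disable_services delete_paths fix_hjt_lines")

def command_image(cmd):
    """The file an O4 command really launches; for a rundll32 host that is the DLL it loads."""
    host, _, rest = cmd.strip().partition(" ")
    if host.lower() in ("rundll32", "rundll32.exe"):
        cmd = rest
    m = IMAGE_RE.match(cmd.strip())
    return m.group("img") if m else cmd.strip()

def parse_log(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    start = lines.index("Running processes:") + 1
    procs = list(takewhile(lambda l: not ENTRY_RE.match(l), lines[start:]))
    autoruns = [(m["name"], m["cmd"], l) for l in lines for m in [O4_RE.match(l)] if m]
    services = [(m["display"], m["owner"], m["path"], l) for l in lines for m in [O23_RE.match(l)] if m]
    return procs, autoruns, services

def autorun_reasons(name, image, registrations):
    """Editor's heuristics (not HijackThis's): patterns the bad O4 lines in the posted log share."""
    reasons = []
    if SYS32_SUBDIR_RE.match(image):
        reasons.append("runs from its own subfolder under System32")
    if name.lower() == image.lower():
        reasons.append("Run value is named after its own command path")
    if image.lower().endswith(".dll") and "\\" not in image:
        reasons.append("rundll32 loads a DLL by bare name (weak signal on its own)")
    if registrations > 1:
        reasons.append("same image registered under %d Run values" % registrations)
    return reasons

def service_reasons(display, owner, path):
    """Flag a service with no company name in a System32 subfolder, or one named exe+folder."""
    folder = ntpath.basename(ntpath.dirname(path))
    stem = ntpath.splitext(ntpath.basename(path))[0]
    reasons = []
    if owner == "Unknown owner" and SYS32_SUBDIR_RE.match(path):
        reasons.append("no company name and binary lives in a System32 subfolder")
    if display.lower() == (stem + folder).lower():
        reasons.append("service name is the exe name and folder name glued together")
    return reasons

def triage(text):
    procs, autoruns, services = parse_log(text)
    images = [command_image(cmd) for _, cmd, _ in autoruns]
    keys = [ntpath.basename(i).lower() for i in images]
    bad, disable, fix = set(), set(), []
    for (name, _, line), image, key in zip(autoruns, images, keys):
        if autorun_reasons(name, image, keys.count(key)):
            bad.add(image)
            fix.append(line)
    for display, owner, path, line in services:
        if service_reasons(display, owner, path):
            bad.add(path)
            disable.add(display)
            fix.append(line)
    bad_names = {ntpath.basename(i).lower() for i in bad}
    end = [p for p in procs if ntpath.basename(p).lower() in bad_names]
    # Delete the whole folder when the image sits in its own System32 subfolder, else the file;
    # drop a bare file name when some full path in the plan already names the same file.
    delete = {ntpath.dirname(i) if SYS32_SUBDIR_RE.match(i) else i for i in bad}
    pathed = {ntpath.basename(p).lower() for p in delete if "\\" in p}
    delete = {p for p in delete if "\\" in p or p.lower() not in pathed}
    return Plan(sorted(end), sorted(disable), sorted(delete), fix)

if __name__ == "__main__":
    for step, items in triage(SAMPLE_LOG)._asdict().items():
        print(step + ":\n    " + "\n    ".join(items))
```

Paste the full log from the first post into SAMPLE_LOG and compare the output with TeMerc's lists: these rules reproduce the five services, every entry in a System32 subfolder, IEXPLOR.EXE, WinTask.exe, laneb.exe and the two rundll32 lines, but they miss the loaders that sit directly in System32 under a bland Run value (pacis.exe, exp.exe, wukzer.exe, elitevbs32.exe, rcdfunc.exe). That gap is the part that still needs a human reading the log, which is why the output is a checklist to review rather than something to execute blindly.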