MyTechSupport.ca :: Computer Support Forums :: Security & Viruses
Topic: Trojan Horse at r?gedit.exe  (Read 1747 times)
Tom_with_a_Dream (Newbie, Posts: 4)
« on: September 28, 2005, 02:04:01 AM »

RELEVANT INFORMATION:
OpSys:  WinXP
App & Version:  AVG Free, v.7.0.344
Hardware:
Error Messages:  Only occasionally on startup, indicates a VIRUS DETECTED!  Trojan horse at E:\windows\system32\r?gedit.exe.

The AVG software offers to HEAL, DELETE, and VIRUS VAULT the virus for me, but will do neither HEAL nor VAULT (I haven't tried DELETE in case it's a legitimate file).

When I run the AVG it detects a small handful of files and 9 of 10 times I can't do anything with them (HEAL, DELETE, etc).  Very frustrating.  

I have also run Spybot, though not lately due to busy work sched, etc., and never felt like it was worth my time, with many files not being cleared once found.

I guess there is not a question in the above, but perhaps this is a common frustration and you can offer some advice.  

But my question is this:
I searched for, and have HIDDEN FILES unchecked, "*edit.exe" in my E:\windows\system32 folder.
The result:    eudcedit.exe   and   sysedit.exe.

Shouldn't there be a regedit.exe?  Or at least the VIRUS DETECTED r?gedit.exe file?  

Also, the PC is horribly slow and I suspect it is loaded up with garbage.  My time is such that a format and reload of all software and such is unreasonable and won't happen.  As I finish this post, AVG is 53 min into a check and has not found the startup DETECTED.  Is that significant?

I am 60% comfortable doing "IT stuff" to a computer, but only if the Registry is in the other 40%.

Does any of this make sense?  Please help.
Tom

sUBs (Global Moderator, Posts: 278)
« Reply #1 on: September 28, 2005, 02:39:14 PM »

Download HiJackThis.exe - this program will help us determine if there are any spyware/malware on your computer.  
Create a folder at C:\Program Files\HijackThis and move HiJackThis.exe there.  
Double click on the program to run it.

1. If it gives you an intro screen, just choose [Do a system scan and save a logfile].
2. If you don't get the intro screen, just hit [Scan] and then click on [Save log].
3. Post the HiJackThis.log file here.

Tom_with_a_Dream (Newbie, Posts: 4)
« Reply #2 on: October 04, 2005, 02:52:21 AM »

Here's the HiJackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 10:40:47 PM, on 10/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\LEXBCES.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\VIRUSW~1\GRISOF~1\BETA02~1\avgamsvr.exe
E:\PROGRA~1\VIRUSW~1\GRISOF~1\BETA02~1\avgupsvc.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\fxssvc.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
E:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\PROGRA~1\VIRUSW~1\GRISOF~1\BETA02~1\avgcc.exe
E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
E:\Program Files\Accessories\Mouse\GE Dual Scroll Optical\Amoumain.exe
E:\Program Files\ATI Technologies\ATI HydraVision\HydraMD.exe
E:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
E:\Program Files\Games and Fun\iTunes by Apple\iTunesHelper.exe
E:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
E:\Program Files\QuickTime\qttask.exe
E:\PROGRA~1\ACCESS~1\KEYBOA~1\MEDIAKEY.EXE
E:\WINDOWS\system32\lexpps.exe
E:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
E:\Program Files\Typing Workshop Deluxe\KBOOST.EXE
E:\Program Files\AOL Instant Messenger\aim.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Games and Fun\iTunes by Apple\iTunes.exe
E:\PROGRA~1\ACCESS~1\KEYBOA~1\KBOSDCtl.EXE
E:\PROGRA~1\ACCESS~1\KEYBOA~1\KCodeMsg.EXE
E:\Program Files\Mozilla Thunderbird\thunderbird.exe
E:\PROGRA~1\MOZILL~2\FIREFOX.EXE
E:\Program Files\PC Management\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - E:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19AEA9BE-3478-249D-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {1EEA9540-7F8A-1564-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {32B13214-A0DE-BD39-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {46AEFD96-3605-7DB0-5135-3E3655EDFC94} - E:\WINDOWS\system32\hptfqg.dll (file missing)
O2 - BHO: (no name) - {4CC03610-A4AC-BD0D-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {4CC43510-A4AC-BD0D-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {4CC53610-A4AC-BD0D-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {4CC63510-A4AC-BD0D-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {4CC63610-A4AC-BD0D-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {4CCC3711-A4AC-BD0D-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SpyWare\SpyBot\SEARCH~1\SDHelper.dll
O2 - BHO: (no name) - {619FE645-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61E99640-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61E99E45-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61E99F45-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61E9E645-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61EA9F45-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61EB9F45-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61ED9045-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61ED9E45-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61ED9F45-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {62896051-ED3F-6DD0-8552-675508F47A49} - E:\WINDOWS\system32\odavynj.dll (file missing)
O2 - BHO: (no name) - {65D63605-E861-3A89-D505-675508F32B4D} - E:\WINDOWS\system32\xktyml.dll (file missing)
O2 - BHO: (no name) - {66A8A3BB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66A8ACBB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66A9A3BB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66A9ACBB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66A9AFBB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66AAA3BB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66AEA3BB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66AEACBB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66AFACBB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66D2AEBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66D2AFBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66D3ACBB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66D3AEBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66DCADBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66DDADBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66DDAEBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66DEADBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66DFAEBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {9EE81A0B-F0B6-9876-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {A6FDF4CE-6857-71EF-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D888F2CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D889F0CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D889F5CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D88AF2CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D88AF5CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D88BF5CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D88DF2CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D8FEF2CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D8FEF4CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {DF7EB017-2D83-3E32-8695-71A2DCF53ECC} - E:\WINDOWS\system32\kfk.dll (file missing)
O2 - BHO: (no name) - {E1E86B0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1E86C0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1E86D0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1E86E0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1E96C0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1E96E0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EB6C0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EB6D0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EC6D0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EE6B0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EE6C0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EF6B0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EF6C0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EF6E0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [C-Media Mixer] E:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "E:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] E:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [vjtffovzv] E:\WINDOWS\System32\peddsm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [g2nrun.exe] E:\documents and settings\tom\local settings\temp\g2nrun.exe
O4 - HKLM\..\Run: [28YJK@549SB8M2] E:\WINDOWS\System32\IpuFmd.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "E:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\VIRUSW~1\GRISOF~1\BETA02~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MediaFace Integration] E:\Program Files\Neato-Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [ViewMgr] E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [HydraVisionViewPort] E:\Program Files\ATI Technologies\ATI HydraVision\HydraMD.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] E:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\Games and Fun\iTunes by Apple\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaKey] E:\PROGRA~1\ACCESS~1\KEYBOA~1\MEDIAKEY.EXE
O4 - HKCU\..\Run: [TypingSatellite] "E:\Program Files\Typing Workshop Deluxe\KBOOST.EXE"
O4 - HKCU\..\Run: [Rkgha] E:\WINDOWS\system32\r?gedit.exe
O4 - HKCU\..\Run: [AIM] E:\Program Files\AOL Instant Messenger\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Otet] E:\Program Files\coee\sweb.exe
O4 - Startup: AIM.lnk = E:\Program Files\AOL Instant Messenger\aim.exe
O4 - Startup: iTunes.lnk = E:\Program Files\Games and Fun\iTunes by Apple\iTunes.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - e:\PROGRA~1\PRODUC~1\MSACTI~1\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - e:\PROGRA~1\PRODUC~1\MSACTI~1\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - e:\PROGRA~1\PRODUC~1\MSACTI~1\inetrepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AOL Instant Messenger\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://E:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url= http://www.viewpoint.com/cgi-bin/beta/vet_install_popup.pl?2&4&04.00.04.03& http://www.space.com/php/multimedia/zoomviewer/index.php?display_img=grandcanyon
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DEB5F42-7662-4C61-A6C8-DD362920343E}: NameServer = 208.236.36.3,208.236.38.3
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\VIRUSW~1\GRISOF~1\BETA02~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\VIRUSW~1\GRISOF~1\BETA02~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE

Thanks in advance for any help.  
I will note that I haven't seen the VIRUS DETECTED in a few days.  Here is the dialog box.  (Why is the html off?)
http://static.flickr.com/26/49209323_c4606c62ae.jpg
« Last Edit: October 04, 2005, 05:27:04 AM by sUBs »

sUBs (Global Moderator, Posts: 278)
« Reply #3 on: October 04, 2005, 05:25:36 AM »

Hello and Welcome

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

eudcedit.exe & sysedit.exe are both legit files. The legitimate regedit.exe resides in the Windows directory. The one in system32 is malware. Use the method listed below to find the hidden malware file. (Note: it may already have been deleted by AVG.)

Launch Notepad, and copy/paste the lines below into a new text file. Save it as FindFile.bat on your Desktop.

    rem List hidden files matching r?gedit.exe (? matches any single character) and open the result
    dir E:\WINDOWS\system32\r?gedit.exe /ah > files.txt
    notepad files.txt

Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs.  Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.  

CleanUp.exe - Install.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
    Wild Tangent
    ViewPoint
    WeatherBug
    Ebates_MoeMoneyMaker    

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


CLOSE ALL OTHER PROGRAMS & ALL OPEN WINDOWS

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - E:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {19AEA9BE-3478-249D-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {1EEA9540-7F8A-1564-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {32B13214-A0DE-BD39-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {46AEFD96-3605-7DB0-5135-3E3655EDFC94} - E:\WINDOWS\system32\hptfqg.dll (file missing)
O2 - BHO: (no name) - {4CC03610-A4AC-BD0D-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {4CC43510-A4AC-BD0D-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {4CC53610-A4AC-BD0D-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {4CC63510-A4AC-BD0D-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {4CC63610-A4AC-BD0D-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {4CCC3711-A4AC-BD0D-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O2 - BHO: (no name) - {619FE645-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61E99640-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61E99E45-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61E99F45-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61E9E645-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61EA9F45-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61EB9F45-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61ED9045-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61ED9E45-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {61ED9F45-08F8-155C-808E-504043E9FC9F} - E:\WINDOWS\system32\kbruz.dll (file missing)
O2 - BHO: (no name) - {62896051-ED3F-6DD0-8552-675508F47A49} - E:\WINDOWS\system32\odavynj.dll (file missing)
O2 - BHO: (no name) - {65D63605-E861-3A89-D505-675508F32B4D} - E:\WINDOWS\system32\xktyml.dll (file missing)
O2 - BHO: (no name) - {66A8A3BB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66A8ACBB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66A9A3BB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66A9ACBB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66A9AFBB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66AAA3BB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66AEA3BB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66AEACBB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66AFACBB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66D2AEBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66D2AFBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66D3ACBB-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66D3AEBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66DCADBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66DDADBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66DDAEBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66DEADBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {66DFAEBA-300C-24A5-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {9EE81A0B-F0B6-9876-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {A6FDF4CE-6857-71EF-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D888F2CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D889F0CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D889F5CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D88AF2CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D88AF5CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D88BF5CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D88DF2CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D8FEF2CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {D8FEF4CA-6825-71DB-5986-6553020A13C2} - E:\WINDOWS\system32\hsxrsvy.dll (file missing)
O2 - BHO: (no name) - {DF7EB017-2D83-3E32-8695-71A2DCF53ECC} - E:\WINDOWS\system32\kfk.dll (file missing)
O2 - BHO: (no name) - {E1E86B0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1E86C0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1E86D0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1E86E0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1E96C0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1E96E0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EB6C0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EB6D0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EC6D0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EE6B0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EE6C0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EF6B0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EF6C0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O2 - BHO: (no name) - {E1EF6E0E-87B5-984E-980F-DDC81B8D2AC4} - E:\WINDOWS\system32\xcpsasa.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vjtffovzv] E:\WINDOWS\System32\peddsm.exe
O4 - HKLM\..\Run: [28YJK@549SB8M2] E:\WINDOWS\System32\IpuFmd.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "E:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [ViewMgr] E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Rkgha] E:\WINDOWS\system32\r?gedit.exe
O4 - HKCU\..\Run: [Otet] E:\Program Files\coee\sweb.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://E:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) -  https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url= http://www.viewpoint.com/cgi-bin/beta/vet_install_popup.pl?2&4&04.00.04.03& http://www.space.com/php/multimedia/zoomviewer/index.php?display_img=grandcanyon
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • E:\Program Files\Ebates_MoeMoneyMaker\
  • E:\Program Files\coee\
Locate and delete the following files:
  • E:\WINDOWS\systb.dll
  • E:\WINDOWS\system32\oup.dll
  • E:\WINDOWS\system32\kbruz.dll
  • E:\WINDOWS\system32\foowe.dll
  • E:\WINDOWS\system32\hptfqg.dll
  • E:\WINDOWS\system32\odavynj.dll
  • E:\WINDOWS\system32\xktyml.dll
  • E:\WINDOWS\system32\xcpsasa.dll
  • E:\WINDOWS\system32\hsxrsvy.dll
  • E:\WINDOWS\system32\kfk.dll
  • E:\WINDOWS\System32\peddsm.exe
  • E:\WINDOWS\System32\IpuFmd.exe
  • E:\WINDOWS\system32\r?gedit.exe

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Perform an online scan with Internet Explorer at one of the following sites:
Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download Trend Micro
« Last Edit: October 04, 2005, 05:28:14 AM by sUBs »
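The reply above is essentially a manual triage of the HijackThis log: orphaned BHO and toolbar registrations, hosts-file redirections, IE search settings pointing at about:blank, downloaded ActiveX controls, and an autorun whose file name imitates regedit.exe from the wrong directory. The following Python script is an added example (not part of this thread and not HijackThis code) that applies those same rules to log lines. The rules, the KNOWN_BINARIES baseline and the sample lines (copied from the log posted earlier in the thread, plus one quoted command line) are assumptions made for this illustration; the look-alike check treats the "?" HijackThis prints for an unrenderable character, and any non-ASCII character, as a one-character wildcard, which goes slightly beyond the single r?gedit.exe case in the thread.

```python
"""Triage a HijackThis-style log along the lines of the reply above.

Added example for this thread; not HijackThis code. Every rule is an
assumption modelled on what the helper ticked for "Fix checked".
"""
import fnmatch
import ntpath
import re

# Windows binaries malware likes to imitate, mapped to the subdirectory of the
# Windows directory holding the genuine copy ("" = the Windows directory
# itself). Assumed XP baseline; extend it for your own environment.
KNOWN_BINARIES = {"regedit.exe": "", "explorer.exe": "", "svchost.exe": "system32"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample: lines copied from the log posted above, plus one quoted
# command line to exercise the parser.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19AEA9BE-3478-249D-7875-3FB60C1FF1CB} - E:\WINDOWS\system32\oup.dll (file missing)
O2 - BHO: (no name) - {32B13214-A0DE-BD39-8D59-AD7F1018D7C5} - E:\WINDOWS\system32\foowe.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [g2nrun.exe] E:\documents and settings\tom\local settings\temp\g2nrun.exe
O4 - HKCU\..\Run: [Rkgha] E:\WINDOWS\system32\r?gedit.exe
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINDOWS\system32\LEXBCES.EXE
"""


def first_path(cmd):
    """Executable path from a Run value's command line (quoted, or up to .exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def mimics_system_binary(path):
    """Reason string if the file name imitates a known Windows binary, else None.

    HijackThis prints '?' for a character it cannot render, so '?' and any
    non-ASCII character are treated as a one-character wildcard: r?gedit.exe
    (or a Cyrillic 'е' in place of 'e') matches regedit.exe.
    """
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    pattern = "".join("?" if (c == "?" or ord(c) > 127) else c for c in name)
    for real, subdir in KNOWN_BINARIES.items():
        if not fnmatch.fnmatchcase(real, pattern):
            continue
        if name != real:
            return f"file name is a look-alike of {real}"
        m = re.match(r"^([a-z]:\\windows)", directory)
        expected = ntpath.join(m.group(1), subdir).rstrip("\\") if m else None
        if directory != expected:
            return f"{real} outside its normal location ({subdir or 'Windows directory'})"
    return None


def triage(log_text):
    """Return [(line, reason)] for log lines a helper would tick for 'Fix checked'."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reason = None
        if re.match(r"^R[013] - ", line):
            if line.endswith("= about:blank") or line.endswith("(no file)"):
                reason = "IE search setting hijacked (about:blank) or hook with no file"
        elif line.startswith("O1 - Hosts:"):
            reason = "hosts-file redirection"
        elif line.startswith("O2 - BHO:"):
            m = O2_RE.match(line)
            if m and m.group("path").endswith("(file missing)"):
                reason = "BHO registered but its DLL is missing (orphaned CLSID)"
            elif m and m.group("name") == "(no name)" and "\\system32\\" in m.group("path").lower():
                reason = "unnamed BHO loading from system32"
        elif line.startswith("O3 - Toolbar:") and line.endswith("(no file)"):
            reason = "toolbar registered with no file"
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m:
                path = first_path(m.group("cmd"))
                reason = mimics_system_binary(path)
                if reason is None and re.search(r"\\temp\\", path, re.I):
                    reason = "autorun launched from a temp directory"
        elif line.startswith("O9 - ") and "(file missing)" in line:
            reason = "IE extra button/menu item whose file is missing"
        elif line.startswith("O16 - DPF:"):
            reason = "downloaded ActiveX control (remove unless you need it)"
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for hit, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {hit}")
```

Run against the sample, it flags eight of the twelve lines and leaves the Adobe BHO, the ATI and QuickTime autoruns and the Lexmark service alone. The "unnamed BHO in system32" rule is the loosest one here (a legitimate BHO can be unnamed), so treat its hits as candidates to verify, as the helper did, rather than as automatic deletions.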

 
Tom_with_a_Dream (Newbie, Posts: 4)
« Reply #4 on: October 06, 2005, 02:23:07 PM »

Have subscribed, and will print/execute these instructions.  Not until the weekend it appears, busy with loan/bank activities.

Thanks for all so far.

Tom_with_a_Dream (Newbie, Posts: 4)
« Reply #5 on: October 13, 2005, 02:27:31 AM »

Haven't forgotten.  Just not home long enough yet to print, digest, and accomplish all this.  Still on my list, and I am still getting virus warning every third or so log in (so I will be getting to this...).  Thanks again.

sUBs (Global Moderator, Posts: 278)
« Reply #6 on: October 13, 2005, 02:33:46 AM »

Will await news from you.

Please don't take too long. Malware has a bad habit of morphing.