Topic: Please help get rid of spyware/trojans... (HijackThis Log Within)
Teskia
« on: April 04, 2006, 12:52:47 AM »

Hi there, I've posted here before and you guys did a fantastic job of helping me clean up my computer. Now I'm actually on my roommate's computer doing this for her. Recently this computer has been having some major issues... most likely, almost definitely, due to spyware/malware/trojans.

Whenever the computer is connected to the internet (which is almost always because we have a cable modem, unless we unplug it) there are IE ads popping up almost constantly. They aren't titled anything specific... just lots and lots of ads. She used to use IE, but switched to Firefox because of this problem. But they still pop up, since IE doesn't have to be open for them to... Also, when we start the computer up, and every once in a while, junk gets automatically downloaded into her C: drive folder, which is definitely a pain in the ass...

We have run scans in and out of safe mode with Ewido, Spybot S&D, and Spyware Doctor.

Anyways, what other information do you need?  We are running Windows XP on this computer...

Here's the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 7:41:44 PM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slk8x2peu.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\WINDOWS\win32092-52990925.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\omkufpoA.exe
C:\WINDOWS\system32\devldr32.exe
C:\windows\mousepad8.exe
C:\WINDOWS\errorhandler.exe
C:\Documents and Settings\Scribbles\My Documents\a?sembly\n?lookup.exe
C:\PROGRA~1\SKS~1\rundll.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Documents and Settings\Scribbles\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tficb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ebpglwm.exe
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nso5E.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57592FEF-E871-BE8B-0F74-BF8ED994CCC9} - C:\WINDOWS\system32\mbry.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmogpd.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [win32092-52990925] C:\WINDOWS\win32092-52990925.exe
O4 - HKLM\..\Run: [w002c59d.dll] RUNDLL32.EXE w002c59d.dll,I2 0001b6510002c59d
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [omkufpoA] C:\WINDOWS\omkufpoA.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad8.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard8.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Phudbr] C:\Documents and Settings\Scribbles\My Documents\a?sembly\n?lookup.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [Aohd] "C:\PROGRA~1\SKS~1\rundll.exe" -vt yazr
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\nstman.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Your help is appreciated more than you know!
Thanks!!

-Tessa
« Last Edit: April 04, 2006, 12:55:18 AM by Teskia »

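The log above is the kind of thing a helper reads by eye. The entries that matter most are the F2 Shell=/UserInit= lines (Winlogon starts every comma-separated value there, before any Run key), the O20 AppInit_DLLs value, the O18 text/html filter, and O4 Run entries that point at oddly named files in the Windows directory or load an unqualified DLL through rundll32. The script below is an added example for this thread, not HijackThis code and not anything the posters ran: it parses a constructed excerpt modelled on the posted log and flags those entries for review. The KNOWN_GOOD allowlist and the random-name test are illustrative assumptions, not a signature for any particular malware.

```python
"""Triage a HijackThis 1.99-style log for the persistence entries seen in this thread.

Added example for this thread, not HijackThis code. The heuristics are
illustrative: KNOWN_GOOD and looks_random() are assumptions to be tuned by the
analyst, not a signature for any specific malware family.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tficb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ebpglwm.exe
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nso5E.dll
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [w002c59d.dll] RUNDLL32.EXE w002c59d.dll,I2 0001b6510002c59d
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\nstman.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

WINDIR = r"c:\windows"
# Illustrative allowlist (assumption): vendor binaries whose names fail the vowel test.
KNOWN_GOOD = {"nvcpl", "nvmctray", "nwiz", "jusched", "qttask", "nerocheck", "sdhelper"}
# First executable/DLL token of a Run command, quoted or not, paths with spaces allowed.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|cpl|scr|com|bat))"?(?=[\s,]|$)', re.I)


@dataclass
class Finding:
    severity: str   # critical / high / medium / low
    section: str    # HJT section tag, e.g. "F2"
    reason: str
    line: str


def looks_random(filename: str) -> bool:
    """Crude 'generated name' test: few vowels, or a digit wedged between letters."""
    stem = re.sub(r"\.[a-z0-9]+$", "", filename.lower())
    if stem in KNOWN_GOOD:
        return False
    alnum = [c for c in stem if c.isalnum()]
    if not alnum:
        return False
    vowel_ratio = sum(c in "aeiou" for c in alnum) / len(alnum)
    return vowel_ratio < 0.25 or re.search(r"[a-z]\d[a-z]", stem) is not None


def first_target(cmd: str) -> tuple[str, bool]:
    """Return (path that really executes, True if it is launched through rundll32)."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if not m:
        return cmd, False
    target = m.group("path")
    if ntpath.basename(target).lower() == "rundll32.exe":
        rest = cmd[m.end():].strip()          # "<dll>,<entry> <args>"
        dll = EXE_RE.match(rest)
        return (dll.group("path") if dll else rest.split(",")[0]), True
    return target, False


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]

        def add(sev: str, why: str) -> None:
            findings.append(Finding(sev, section, why, line))

        if section == "F2":
            # Winlogon runs every comma-separated value; only the stock one is legitimate.
            m = re.search(r"system\.ini: (Shell|UserInit)=(.*)$", line)
            if m:
                key, value = m.groups()
                expected = "explorer.exe" if key == "Shell" else "userinit.exe"
                parts = [p.strip().strip('"') for p in value.split(",") if p.strip()]
                extras = [p for p in parts if ntpath.basename(p).lower() != expected]
                if extras:
                    add("critical", f"{key}= hijack, extra: {', '.join(extras)}")
        elif section == "O2":
            m = re.search(r" - \{[0-9A-Fa-f-]+\} - (.+)$", line)
            if m and looks_random(ntpath.basename(m.group(1))):
                add("medium", "BHO with random-looking DLL name")
        elif section == "O4":
            m = re.match(r"O4 - (?P<hive>\S+): \[[^\]]*\] (?P<cmd>.+)$", line)
            if m:
                target, via_rundll = first_target(m.group("cmd"))
                base = ntpath.basename(target)
                if via_rundll and not ntpath.dirname(target):
                    add("high", f"rundll32 loads unqualified DLL {base} via the search path")
                if ntpath.dirname(target).lower() == WINDIR:
                    add("medium", f"auto-start directly from the Windows directory: {base}")
                if looks_random(base):
                    add("medium", f"random-looking executable name: {base}")
        elif section == "O18" and "Filter: text/html" in line:
            add("high", "MIME filter on text/html sees every page IE renders")
        elif section == "O20":
            if "AppInit_DLLs:" in line and line.split("AppInit_DLLs:", 1)[1].strip():
                add("high", "AppInit_DLLs is loaded into every user32-linked process")
            elif "Winlogon Notify" in line and "(file missing)" in line:
                add("low", "dangling Winlogon Notify package")
    return findings


if __name__ == "__main__":
    order = ["critical", "high", "medium", "low"]
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:8}] {f.section}: {f.reason}\n           {f.line}")
```

Run as-is it prints the findings by severity, F2 hijacks first. Everything below critical is a lead for the helper to look at, not a verdict: a name that fails the vowel test is a reason to check the file, not proof of anything.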

Pancake
« Reply #1 on: April 04, 2006, 03:40:25 AM »

Hi
You have the latest Qooligic infection. As yet it's early days and there is no uninstaller for it yet, so let's see how this goes.


Download and Save Blacklight to a folder of its own:

We want to do an Expert scan, which also analyzes all folders on your system for hidden operations. To do this right-click the blbeta.exe file and use Create Shortcut. Next, right-click the new shortcut (which should be put in the same folder) and click Properties. In the Target box that indicates the location of the blbeta.exe, add a space and type /expert and then click Apply and OK. It should look like this:
"C:\MY DOWNLOADS\blbeta.exe" /expert
Use this shortcut to run BlackLight.

Double-click blbeta.exe shortcut then accept the agreement, click > scan then > next

You'll see a list of all items found. If it displays any hidden processes, don't do anything with them yet. Just click on "Close". It will create a log in the folder that the executable is in. The log will look similar to this, with the name fsbl.xxxxxxx.log (xxxxxx are numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet!

Teskia
« Reply #2 on: April 04, 2006, 06:09:22 AM »

Download and Save Blacklight to a folder of its own:

We want to do an Expert scan, which also analyzes all folders on your system for hidden operations. To do this right-click the blbeta.exe file and use Create Shortcut. Next, right-click the new shortcut (which should be put in the same folder) and click Properties. In the Target box that indicates the location of the blbeta.exe, add a space and type /expert and then click Apply and OK . It should look like this :
"C:\MY DOWNLOADS\blbeta.exe" /expert
Use this shortcut to run BlackLight.

Double-click blbeta.exe shortcut

We got this far, and the BlackLight window opened and says "F-Secure BlackLight was unable to acquire necessary privileges [SeDebugPrivilege]"

Also, the popups are popping up in FireFox now too.. dunno if that matters or not though.

Pancake
« Reply #3 on: April 04, 2006, 06:24:11 AM »

It may be this L2M infection? L2M removes the SeDebug Privilege from the administrators group.

Download L2mfix from one of these links:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop. Double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into your next reply here.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
« Last Edit: April 04, 2006, 06:44:24 AM by Pancake »

An Australian Member of

EDDY
Teskia
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Female
Posts: 26


Bookmark and Share

View Profile
« Reply #4 on: April 04, 2006, 06:38:38 AM »

http://www.pandawars.com/report.txt

There is a link to the report, 'cause it was too long to post in the reply.  Thanks.

Also, yes, the profile we're using has administrative privileges.
« Last Edit: April 04, 2006, 06:42:52 AM by Teskia »

Help, my computer is asploding! ;-;
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #5 on: April 04, 2006, 07:05:10 AM »

Ok, saw the log. Thanks. You can always just post long ones in bits...

Close any programs you have open since this step requires a reboot.
Close the internet connection. Unplug your modem!! if on cable or satellite.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.
Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

Teskia
« Reply #6 on: April 04, 2006, 07:33:38 AM »

Uploading them is easier for me... unless you would rather I post them in parts?

Anyway, here they are.

The L2Mfix log:
http://www.pandawars.com/log(report2).txt

The Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:22:01 AM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\WINDOWS\win32092-52990925.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\omkufpoA.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Scribbles\My Documents\a?sembly\n?lookup.exe
C:\PROGRA~1\SKS~1\rundll.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Scribbles\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tficb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ebpglwm.exe
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nst43.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57592FEF-E871-BE8B-0F74-BF8ED994CCC9} - C:\WINDOWS\system32\mbry.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmogpd.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [win32092-52990925] C:\WINDOWS\win32092-52990925.exe
O4 - HKLM\..\Run: [w002c59d.dll] RUNDLL32.EXE w002c59d.dll,I2 0001b6510002c59d
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [omkufpoA] C:\WINDOWS\omkufpoA.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad8.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard8.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname8.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Phudbr] C:\Documents and Settings\Scribbles\My Documents\a?sembly\n?lookup.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [Aohd] "C:\PROGRA~1\SKS~1\rundll.exe" -vt yazr
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\nstman.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
« Last Edit: April 04, 2006, 07:57:50 AM by Teskia »

Help, my computer is asploding! ;-;
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #7 on: April 04, 2006, 07:52:36 AM »

It's best if you copy and post the logs here. The HJT one is far too hard to read the way it is.


Ok. The L2M has fixed the SeDebug privilege, so will you run that BlackLight again please.

Teskia
« Reply #8 on: April 04, 2006, 07:58:44 AM »

Okay, sorry, edited that last post with the full hijackthis log.

Blacklight is running the scan now.

Teskia
« Reply #9 on: April 04, 2006, 08:00:27 AM »

04/04/06 02:54:23 [Info]: BlackLight Engine 1.0.35 initialized
04/04/06 02:54:23 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/04/06 02:54:24 [Note]: 7019 4
04/04/06 02:54:24 [Note]: 7005 0
04/04/06 02:54:28 [Note]: 7006 0
04/04/06 02:54:28 [Note]: 7022 0
04/04/06 02:54:29 [Note]: 7011 1780
04/04/06 02:54:29 [Note]: 7026 0
04/04/06 02:54:29 [Note]: 7026 0
04/04/06 02:54:29 [Note]: 7024 3
04/04/06 02:54:29 [Info]: Hidden process: C:\WINDOWS\system32\dvrxbr.exe
04/04/06 02:54:29 [Note]: 7024 3
04/04/06 02:54:29 [Info]: Hidden process: C:\WINDOWS\system32\tficb.exe
04/04/06 02:54:29 [Note]: 7024 3
04/04/06 02:54:29 [Info]: Hidden process: C:\WINDOWS\system32\tficb.exe
04/04/06 02:54:29 [Note]: 7024 3
04/04/06 02:54:29 [Info]: Hidden process: C:\WINDOWS\system32\tficb.exe
04/04/06 02:54:29 [Note]: FSRAW library version 1.7.1015
04/04/06 02:54:32 [Error]: 5001 236404
04/04/06 02:54:54 [Note]: 7006 0
04/04/06 02:54:54 [Note]: 7022 0
04/04/06 02:54:54 [Note]: 7011 1780
04/04/06 02:54:54 [Note]: 7026 0
04/04/06 02:54:54 [Note]: 7026 0
04/04/06 02:54:54 [Note]: 7024 3
04/04/06 02:54:54 [Info]: Hidden process: C:\WINDOWS\system32\dvrxbr.exe
04/04/06 02:54:54 [Note]: 7024 3
04/04/06 02:54:54 [Info]: Hidden process: C:\WINDOWS\system32\tficb.exe
04/04/06 02:54:54 [Note]: 7024 3
04/04/06 02:54:54 [Info]: Hidden process: C:\WINDOWS\system32\tficb.exe
04/04/06 02:54:54 [Note]: 7024 3
04/04/06 02:54:54 [Info]: Hidden process: C:\WINDOWS\system32\tficb.exe
04/04/06 02:54:54 [Note]: FSRAW library version 1.7.1015
04/04/06 02:55:09 [Error]: 5001 236404
04/04/06 02:55:18 [Note]: 7006 0
04/04/06 02:55:18 [Note]: 7022 0
04/04/06 02:55:18 [Note]: 7011 1780
04/04/06 02:55:18 [Note]: 7026 0
04/04/06 02:55:18 [Note]: 7026 0
04/04/06 02:55:19 [Note]: 7024 3
04/04/06 02:55:19 [Info]: Hidden process: C:\WINDOWS\system32\dvrxbr.exe
04/04/06 02:55:19 [Note]: 7024 3
04/04/06 02:55:19 [Info]: Hidden process: C:\WINDOWS\system32\tficb.exe
04/04/06 02:55:19 [Note]: 7024 3
04/04/06 02:55:19 [Info]: Hidden process: C:\WINDOWS\system32\tficb.exe
04/04/06 02:55:19 [Note]: 7024 3
04/04/06 02:55:19 [Info]: Hidden process: C:\WINDOWS\system32\tficb.exe
04/04/06 02:55:19 [Note]: FSRAW library version 1.7.1015
04/04/06 02:55:24 [Info]: Hidden file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ueeyh.exe
04/04/06 02:55:24 [Note]: 10002 1
04/04/06 02:56:08 [Note]: 4013 11665
04/04/06 02:56:08 [Note]: 4020 2587 524288
04/04/06 02:56:08 [Note]: 4018 2587 524288
04/04/06 02:56:08 [Note]: 4013 11665
04/04/06 02:56:08 [Note]: 4020 2587 524288
04/04/06 02:56:08 [Note]: 4018 2587 524288
04/04/06 02:56:14 [Note]: 4013 18108
04/04/06 02:56:14 [Note]: 4020 1863 2621440
04/04/06 02:56:14 [Note]: 4020 1863 2621440
04/04/06 02:56:14 [Note]: 4018 1863 2621440
04/04/06 02:56:14 [Note]: 4013 18108
04/04/06 02:56:14 [Note]: 4020 1863 2621440
04/04/06 02:56:14 [Note]: 4018 1863 2621440
04/04/06 02:57:33 [Info]: Hidden file: C:\WINDOWS\system32\dvrxbr.exe
04/04/06 02:57:33 [Note]: 10002 1
04/04/06 02:57:33 [Info]: Hidden file: C:\WINDOWS\system32\ebpglwm.exe
04/04/06 02:57:33 [Note]: 10002 1
04/04/06 02:57:34 [Info]: Hidden file: C:\WINDOWS\system32\jdrxrax.dll
04/04/06 02:57:34 [Note]: 10002 1
04/04/06 02:57:36 [Info]: Hidden file: C:\WINDOWS\system32\tficb.exe
04/04/06 02:57:36 [Note]: 10002 1
04/04/06 02:57:58 [Info]: Hidden file: C:\WINDOWS\brxer.dll
04/04/06 02:57:58 [Note]: 10002 1
04/04/06 02:59:29 [Note]: 7007 0
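The useful thing to do with this BlackLight output is to line it up against the HijackThis log, because the hidden executables are exactly the ones the F2 lines hook into Winlogon: Shell=Explorer.exe, ...\tficb.exe makes Winlogon launch a second shell, and UserInit=...,ebpglwm.exe runs that file at every logon, while the visible Run keys do not mention either file. The script below is an added example for this thread, not BlackLight or HijackThis code; both logs are constructed excerpts of what was posted above, and the loader categories it checks (Winlogon Shell=/UserInit=, Run keys, AppInit_DLLs, the All Users Startup folder) are the example's own assumption about where to look.

```python
"""Line an F-Secure BlackLight log up against HijackThis persistence entries.

Added example for this thread, not BlackLight or HijackThis code. Both logs
below are constructed excerpts of what was posted above; the loader
categories are the example's own assumption about where a hidden file
is most likely to be started from.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Constructed excerpt of the BlackLight log above (process lines repeat per scan pass).
BLACKLIGHT_LOG = r"""
04/04/06 02:54:29 [Info]: Hidden process: C:\WINDOWS\system32\dvrxbr.exe
04/04/06 02:54:29 [Info]: Hidden process: C:\WINDOWS\system32\tficb.exe
04/04/06 02:54:54 [Info]: Hidden process: C:\WINDOWS\system32\tficb.exe
04/04/06 02:55:24 [Info]: Hidden file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ueeyh.exe
04/04/06 02:57:33 [Info]: Hidden file: C:\WINDOWS\system32\dvrxbr.exe
04/04/06 02:57:33 [Info]: Hidden file: C:\WINDOWS\system32\ebpglwm.exe
04/04/06 02:57:34 [Info]: Hidden file: C:\WINDOWS\system32\jdrxrax.dll
04/04/06 02:57:36 [Info]: Hidden file: C:\WINDOWS\system32\tficb.exe
04/04/06 02:57:58 [Info]: Hidden file: C:\WINDOWS\brxer.dll
04/04/06 02:59:29 [Note]: 7007 0
"""

# Constructed excerpt of the HijackThis log above.
HJT_EXCERPT = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tficb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ebpglwm.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O20 - AppInit_DLLs: Runner.dll
"""

BL_RE = re.compile(r"\[Info\]: Hidden (process|file): (.+)$")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


@dataclass
class HiddenItem:
    path: str
    kinds: set[str] = field(default_factory=set)  # "process" and/or "file"
    loader: str | None = None                     # how it gets started, if the HJT log shows it


def parse_blacklight(log: str) -> dict[str, HiddenItem]:
    """One entry per hidden path, merging the process and file sightings."""
    items: dict[str, HiddenItem] = {}
    for line in log.splitlines():
        m = BL_RE.search(line)
        if m:
            kind, path = m.group(1), m.group(2).strip()
            items.setdefault(path.lower(), HiddenItem(path)).kinds.add(kind)
    return items


def persistence_loaders(hjt: str) -> dict[str, str]:
    """Map lower-case basename -> the HJT entry that launches it
    (Winlogon Shell=/UserInit= values, Run keys, AppInit_DLLs)."""
    loaders: dict[str, str] = {}
    for line in hjt.splitlines():
        m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", line)
        if m:
            for p in m.group(2).split(","):
                loaders[ntpath.basename(p.strip().strip('"')).lower()] = f"F2 {m.group(1)}="
            continue
        m = re.match(r"O4 - (\S+): \[[^\]]*\] (.+)$", line)
        if m:
            for p in re.findall(r'[^\s",]+\.(?:exe|dll)', m.group(2), re.I):
                loaders[ntpath.basename(p).lower()] = f"O4 {m.group(1)}"
            continue
        m = re.match(r"O20 - AppInit_DLLs: (.+)$", line)
        if m:
            for p in m.group(1).split():
                loaders[ntpath.basename(p).lower()] = "O20 AppInit_DLLs"
    return loaders


def correlate(items: dict[str, HiddenItem], loaders: dict[str, str]) -> list[HiddenItem]:
    """Attach a loader to each hidden item. Items left with none are started by
    something the visible log does not show (typically the rootkit component itself)."""
    for item in items.values():
        low = item.path.lower()
        base = ntpath.basename(low)
        if base in loaders:
            item.loader = loaders[base]
        elif STARTUP_DIR in low:
            item.loader = "Startup folder (All Users)"
    return sorted(items.values(), key=lambda i: (i.loader is None, i.path.lower()))


if __name__ == "__main__":
    for item in correlate(parse_blacklight(BLACKLIGHT_LOG), persistence_loaders(HJT_EXCERPT)):
        print(f"{item.path}\n    hidden as: {', '.join(sorted(item.kinds))}"
              f"\n    started by: {item.loader or 'no visible loader in HJT log'}")
```

Items that come back with no visible loader (dvrxbr.exe, jdrxrax.dll, brxer.dll in the excerpt) deserve the most attention: something still starts them and it is not in the HJT log. That is also why the helper reaches for BlackLight's rename option rather than just fixing the F2 lines in HijackThis: the visible entry can be removed, but the hidden file would still be there for the hidden process to put back.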

Pancake
« Reply #10 on: April 04, 2006, 08:26:10 AM »

Ok. Now run BlackLight again and choose Rename for these files:

04/04/06 02:55:24 [Info]: Hidden file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ueeyh.exe

04/04/06 02:57:33 [Info]: Hidden file: C:\WINDOWS\system32\ebpglwm.exe

04/04/06 02:57:34 [Info]: Hidden file: C:\WINDOWS\system32\jdrxrax.dll

04/04/06 02:57:58 [Info]: Hidden file: C:\WINDOWS\brxer.dll

04/04/06 02:57:36 [Info]: Hidden file: C:\WINDOWS\system32\tficb.exe

Click on "Next" and "Restart now" to restart your computer.

Post a new HJT log when done for further cleaning...
« Last Edit: April 04, 2006, 08:29:32 AM by Pancake »

An Australian Member of

EDDY
Teskia
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Female
Posts: 26


Bookmark and Share

View Profile
« Reply #11 on: April 05, 2006, 05:07:09 AM »

Logfile of HijackThis v1.99.1
Scan saved at 12:00:18 AM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\win32092-52990925.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\omkufpoA.exe
C:\WINDOWS\errorhandler.exe
C:\Documents and Settings\Scribbles\My Documents\a?sembly\n?lookup.exe
C:\PROGRA~1\SKS~1\rundll.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Scribbles\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tficb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ebpglwm.exe
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nst43.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57592FEF-E871-BE8B-0F74-BF8ED994CCC9} - C:\WINDOWS\system32\mbry.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmogpd.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [win32092-52990925] C:\WINDOWS\win32092-52990925.exe
O4 - HKLM\..\Run: [w002c59d.dll] RUNDLL32.EXE w002c59d.dll,I2 0001b6510002c59d
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [omkufpoA] C:\WINDOWS\omkufpoA.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad8.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard8.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname8.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Phudbr] C:\Documents and Settings\Scribbles\My Documents\a?sembly\n?lookup.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [Aohd] "C:\PROGRA~1\SKS~1\rundll.exe" -vt yazr
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O4 - Global Startup: ueeyh.exe.ren
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\nstman.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
Help, my computer is asploding! ;-;
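Reading a log like the one above by hand is slow and error-prone, and most of what the helpers look for is mechanical: executables sitting loose in the Windows directory, rundll32 loading a DLL by bare name, a startup item with a renamed extension, AppInit_DLLs populated, hooks pointing at missing files, and one DLL registered both as a BHO and as the text/html MIME filter. The following is an added example (editor's code, not HijackThis output and not part of this thread) that applies those rules to O2/O4/O18/O20 lines. The sample lines are copied from the posted log; the rule names, the assumption that Windows lives in C:\WINDOWS, and the list of system-binary names are the example's own.

```python
"""Mechanical triage rules for HijackThis O2/O4/O18/O20 lines.

Added example (editor's code): not HijackThis output and not part of the
thread. Sample lines are copied from the posted log; rule names, the
Windows-directory baseline and SYSTEM_NAMES are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the O-lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [win32092-52990925] C:\WINDOWS\win32092-52990925.exe
O4 - HKLM\..\Run: [w002c59d.dll] RUNDLL32.EXE w002c59d.dll,I2 0001b6510002c59d
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [Aohd] "C:\PROGRA~1\SKS~1\rundll.exe" -vt yazr
O4 - Global Startup: ueeyh.exe.ren
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\nstman.dll (file missing)
"""

O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O4_STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<item>.*)$')
O18_RE = re.compile(r'^O18 - Filter: (?P<mime>\S+) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$')
O20_RE = re.compile(r'^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<value>.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.IGNORECASE)

WINDOWS_DIR = PureWindowsPath(r'c:\windows')   # assumption: %SystemRoot%
SYSTEM32 = WINDOWS_DIR / 'system32'
# Names that belong in system32; the same name elsewhere is masquerading (assumption).
SYSTEM_NAMES = {'rundll32.exe', 'rundll.exe', 'svchost.exe', 'userinit.exe', 'winlogon.exe'}


def first_path(text):
    """First drive-letter path ending in .exe/.dll, lower-cased, or None."""
    m = PATH_RE.search(text)
    return m.group(0).lower() if m else None


def path_rules(path, line, findings):
    """Rules that only need the file's location."""
    p = PureWindowsPath(path)
    if p.parent == WINDOWS_DIR:
        # Legitimate software installs under Program Files or system32,
        # not loose in the Windows directory.
        findings.append(('windows-root-binary', line))
    if p.name in SYSTEM_NAMES and p.parent != SYSTEM32:
        findings.append(('system-name-outside-system32', line))


def triage(log_text):
    """Return (rule, evidence) pairs for every line that trips a rule."""
    findings, bho_paths, filter_paths = [], set(), set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            if path := first_path(m['target']):
                bho_paths.add(path)
                path_rules(path, line, findings)
        elif m := O4_RE.match(line):
            if path := first_path(m['cmd']):
                path_rules(path, line, findings)
            tokens = m['cmd'].split()
            # rundll32 with a bare DLL name: the DLL is found via the search
            # path, so the log never says which file actually runs.
            if len(tokens) > 1 and tokens[0].lower() == 'rundll32.exe' and '\\' not in tokens[1]:
                findings.append(('rundll32-unqualified-dll', line))
        elif m := O4_STARTUP_RE.match(line):
            if m['item'].lower().endswith('.ren'):
                findings.append(('startup-renamed-extension', line))
        elif m := O18_RE.match(line):
            if path := first_path(m['target']):
                filter_paths.add(path)
        elif m := O20_RE.match(line):
            if m['kind'] == 'AppInit_DLLs' and m['value'].strip():
                # AppInit_DLLs are loaded into every process that links user32.dll.
                findings.append(('appinit-dlls-set', line))
            if '(file missing)' in m['value']:
                findings.append(('hook-file-missing', line))
    # A DLL registered both as a BHO and as the text/html MIME filter can
    # rewrite every page IE renders before the user sees it.
    for path in sorted(bho_paths & filter_paths):
        findings.append(('bho-and-mime-filter', path))
    return findings


if __name__ == '__main__':
    for rule, evidence in triage(SAMPLE_LOG):
        print(f'{rule:32} {evidence}')
```

These rules are deliberately dumb; the vendor-signed NVIDIA and Java entries in the sample pass through untouched, and anything flagged still needs a human to look at the file before it is removed.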
Pancake (Global Moderator)
« Reply #12 on: April 05, 2006, 05:41:18 AM »

Still more work to do to fix this nasty little beastie.....


Download FindQool, extract the files and place the FindQool folder in the root directory, usually that's C:\

Open that folder and run Qlocate.bat, then post the text of that log back here, please.


Also:
Download SilentRunners.vbs.
Run it. It generates a log; wait until the scan is complete. Copy/paste it here, please.
(If your antivirus queries the script, allow it to run. It's not malicious.)

-----------------------------------------------------------------

As we will be needing these later.......

Download Pocket Killbox

Download the trial version of Ewido Security Suite

When installing, under "Additional Options" uncheck "Install Background Guard" and "Install scan via context menu".

Launch Ewido Security Suite (there should be an icon on your desktop; double-click it). The program will now go to the main screen. You will need to update Ewido to the latest definition files.

On the left-hand side of the main screen click Update and then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update Ewido:
http://www.ewido.net/en/download/updates/
Do not run a scan yet.
Teskia
« Reply #13 on: April 05, 2006, 05:59:26 AM »

Alrighty, here is the FindQool report:

Wed 04/05/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.
Files found with locate com.
 
C:\WINDOWS\SYSTEM32\EBPGLWM.EXE
C:\WINDOWS\SYSTEM32\JDRXRAX.DLL
C:\WINDOWS\SYSTEM32\ITGBM.DAT
C:\WINDOWS\SYSTEM32\DVRXBR.EXE
C:\WINDOWS\SYSTEM32\TFICB.EXE
C:\WINDOWS\SYSTEM32\DMONWV.DLL
C:\WINDOWS\UNWN.EXE
C:\WINDOWS\NQOLCL.DAT
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\UEEYH.EXE
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
10/21/2005  02:04 AM             1,628 TabUserW.exe.lnk
04/04/2006  11:59 PM           127,488 ueeyh.exe
03/29/2006  02:43 AM           127,488 ueeyh.exe.ren
...
 
HKEY_LOCAL_MACHINE\software\qstat
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\webnexus
HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}
[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\shellex csdl above here if present}]
 
...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"cnvpbp"="C:\\WINDOWS\\system32\\dvrxbr.exe reg_run"
HKCU
"ykdqc"="C:\\WINDOWS\\system32\\dvrxbr.exe reg_run"
...
 
Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
   shell REG_SZ  Explorer.exe, C:\WINDOWS\system32\tficb.exe
   userinit REG_SZ  C:\WINDOWS\system32\userinit.exe,ebpglwm.exe
...
SWReg utility
Written by Bobbi Flekman
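The two lines that matter most in this report are the Winlogon ones: Shell should be exactly Explorer.exe and Userinit should be exactly C:\WINDOWS\system32\userinit.exe, (trailing comma included). Anything appended to either value is started by Winlogon at every logon, Safe Mode included, which is why scans from Safe Mode keep finding the same files. The second signal is the same binary (dvrxbr.exe) registered under two random names in both HKLM and HKCU. The following is an added example (editor's code, not part of FindQool, SWReg or this thread) that checks both against a baseline; the input is copied from the report above, and the baseline is an assumption for a stock Windows XP install with Windows in C:\WINDOWS.

```python
"""Check Winlogon Shell/Userinit and cross-reference Run keys in a
FindQool report.

Added example (editor's code): not part of FindQool, SWReg or the thread.
The input text is copied from the report above; the expected-value baseline
is an assumption for a stock Windows XP install in the default directory.
"""
import re
from collections import defaultdict

# Constructed input: the Run and Winlogon sections of the FindQool report.
FINDQOOL_SNIPPET = r"""
HKLM
"cnvpbp"="C:\\WINDOWS\\system32\\dvrxbr.exe reg_run"
HKCU
"ykdqc"="C:\\WINDOWS\\system32\\dvrxbr.exe reg_run"
...
   shell REG_SZ  Explorer.exe, C:\WINDOWS\system32\tficb.exe
   userinit REG_SZ  C:\WINDOWS\system32\userinit.exe,ebpglwm.exe
"""

# Baseline values (assumption: default XP, %SystemRoot% = C:\WINDOWS).
EXPECTED = {
    'shell': {'explorer.exe'},
    'userinit': {r'c:\windows\system32\userinit.exe'},
}

WINLOGON_RE = re.compile(r'^\s*(shell|userinit)\s+REG_SZ\s+(.*)$', re.IGNORECASE)
RUN_RE = re.compile(r'^"([^"]+)"="(.*)"$')
HIVE_RE = re.compile(r'^(HKLM|HKCU)$')


def split_value(value):
    """Comma-separated REG_SZ -> normalised parts. Drops the empty element
    that Userinit's trailing comma leaves behind, so a clean value compares
    equal to the baseline."""
    return [p.strip().lower() for p in value.split(',') if p.strip()]


def winlogon_extras(text):
    """Entries in Shell/Userinit beyond the baseline. A bare name such as
    'ebpglwm.exe' is resolved through the search path, which is why FindQool
    went looking for it in system32."""
    extras = {}
    for line in text.splitlines():
        m = WINLOGON_RE.match(line)
        if m:
            key = m.group(1).lower()
            extras[key] = [e for e in split_value(m.group(2)) if e not in EXPECTED[key]]
    return extras


def shared_run_targets(text):
    """Run values grouped by program (FindQool prints them with doubled
    backslashes). One binary under several random names, in both hives,
    is a strong infection signal."""
    hive, by_exe = None, defaultdict(list)
    for line in text.splitlines():
        stripped = line.strip()
        if HIVE_RE.match(stripped):
            hive = stripped
        elif m := RUN_RE.match(stripped):
            name, command = m.groups()
            exe = command.replace('\\\\', '\\').split()[0].lower()
            by_exe[exe].append((hive, name))
    return {exe: owners for exe, owners in by_exe.items() if len(owners) > 1}


if __name__ == '__main__':
    print('winlogon extras:', winlogon_extras(FINDQOOL_SNIPPET))
    print('shared run targets:', shared_run_targets(FINDQOOL_SNIPPET))
```

On the live machine the same values can be read with reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit (and /v Shell). The caveat when cleaning: Userinit must be restored to the exact baseline, not deleted, or no user can log on at all.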
Teskia
« Reply #14 on: April 05, 2006, 06:18:06 AM »

Here is the SilentRunners.vbs log:

"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ykdqc" = "C:\WINDOWS\system32\dvrxbr.exe reg_run" [null data]
"Windows Registry Repair Pro" = "C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4" [file not found]
"Phudbr" = "C:\Documents and Settings\Scribbles\My Documents\a*sembly\n*lookup.exe" (unwritable string) [null data]
"NBJ" = ""C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]
"irssyncd" = "C:\WINDOWS\system32\irssyncd.exe" [file not found]
"CU2" = "C:\Program Files\Common Files\VCClient\VCMain.exe" [null data]
"CU1" = "C:\Program Files\Common Files\VCClient\VCClient.exe" [null data]
"Aohd" = ""C:\PROGRA~1\SKS~1\rundll.exe" -vt yazr" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"q8lg" = ""C:\WINDOWS\system32\slk8x2peu.exe"" [null data]
"cnvpbp" = "C:\WINDOWS\system32\dvrxbr.exe reg_run" [null data]
"win32092-52990925" = "C:\WINDOWS\win32092-52990925.exe" [null data]
"w002c59d.dll" = "RUNDLL32.EXE w002c59d.dll,I2 0001b6510002c59d" [MS]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"outlook" = "C:\Program Files\outlook\outlook.exe /auto" [file not found]
"omkufpoA" = "C:\WINDOWS\omkufpoA.exe" ["System Service"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"mousepad" = "C:\windows\mousepad8.exe" [file not found]
"keyboard" = "C:\windows\keyboard8.exe" [file not found]
"errorhandler" = "C:\WINDOWS\errorhandler.exe" ["System Service"]
"newname" = "C:\windows\newname8.exe" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
                                        \StubPath   = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
                                        \StubPath   = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "web compressor"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nst43.dll" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{57592FEF-E871-BE8B-0F74-BF8ED994CCC9}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\mbry.dll" [null data]
{6001CDF7-6F45-471b-A203-0225615E35A7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\DH.dll" [null data]
{70F6A776-579A-4C95-BA88-134253907752}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "RieMon Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\irsmogpd.dll" [empty string]
{DAAC59E5-093D-4D24-A105-55BFE4ACDE14}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yvakt Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\w9seq.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]


I downloaded Pocket Killbox, and I already have Ewido Security Suite, so I turned off the background guard and got the most recent updates.
« Last Edit: April 05, 2006, 06:59:52 AM by Teskia »
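The useful part of a SilentRunners log is the bracketed annotation at the end of each value: a quoted company name comes from the file's version resource, [MS] marks a Microsoft-signed file, [null data] and [empty string] mean the file carries no version information at all, and [file not found] means the value points nowhere. Two caveats a practitioner needs: on a RUNDLL32.EXE line the [MS] tag vouches for rundll32 itself and says nothing about the DLL it hosts, and a company string is whatever the author put in the resource ("System Service" is not a vendor). The following is an added example (editor's code, not part of SilentRunners or this thread) that parses these lines into triage buckets and records the hosted DLL separately; the sample lines are copied from the log above, and the bucket names are the example's own.

```python
"""Classify SilentRunners 'Run' entries by their trailing annotation.

Added example (editor's code): not part of SilentRunners or the thread.
Sample lines are copied from the posted log; the bucket names and the
rundll32 handling are this example's own assumptions.
"""
import re
import shlex
from pathlib import PureWindowsPath

# Constructed sample: values copied from the SilentRunners log above.
SAMPLE = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ykdqc" = "C:\WINDOWS\system32\dvrxbr.exe reg_run" [null data]
"Windows Registry Repair Pro" = "C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4" [file not found]
"Phudbr" = "C:\Documents and Settings\Scribbles\My Documents\a*sembly\n*lookup.exe" (unwritable string) [null data]
"NBJ" = ""C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]
"w002c59d.dll" = "RUNDLL32.EXE w002c59d.dll,I2 0001b6510002c59d" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"omkufpoA" = "C:\WINDOWS\omkufpoA.exe" ["System Service"]
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nst43.dll" [empty string]
'''

# name = "value" [tag], with an optional "(unwritable string)" note before the tag.
LINE_RE = re.compile(
    r'^\s*"?(?P<name>[^"=]*?)"?\s*=\s*"(?P<value>.*)"\s*'
    r'(?:\(unwritable string\)\s*)?\[(?P<tag>[^\]]*)\]\s*$')


def classify(tag):
    """Map SilentRunners' bracketed annotation to a triage bucket (assumed names)."""
    if tag == 'file not found':
        return 'dead'          # nothing to kill, but the value should still go
    if tag in ('null data', 'empty string'):
        return 'unverified'    # no version resource: look at the file itself
    if tag == 'MS':
        return 'microsoft'
    return 'vendor'            # quoted company string; check that it is plausible


def executable(tokens):
    """Recover the program from a Run value. A quoted path is one token; an
    unquoted path with spaces is joined up to the first .exe/.dll token
    (Windows itself tries each prefix, which is why such values are ambiguous)."""
    if tokens[0].startswith('"'):
        return tokens[0].strip('"')
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(('.exe', '.dll')):
            return ' '.join(tokens[:i + 1])
    return tokens[0]


def parse(text):
    """One dict per annotated value. rundll32 lines also record the hosted DLL,
    because the tag describes rundll32 itself, not the DLL it loads."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tokens = shlex.split(m['value'], posix=False) or ['']
        exe = executable(tokens)
        row = {'name': m['name'], 'exe': exe, 'tag': m['tag'].strip('"'),
               'bucket': classify(m['tag'])}
        if PureWindowsPath(exe).name.lower() == 'rundll32.exe' and len(tokens) > 1:
            dll = tokens[1].split(',')[0]
            row['hosted_dll'] = dll
            row['bucket'] = 'host-only'              # tag says nothing about the DLL
            row['dll_unqualified'] = '\\' not in dll  # bare name: resolved via search path
        rows.append(row)
    return rows


if __name__ == '__main__':
    for row in parse(SAMPLE):
        print(f"{row['bucket']:11} {row['name']:30} {row.get('hosted_dll', row['exe'])}")
```

The vendor bucket is the one to read with suspicion: "Ahead Software AG" on NBJ.exe under Program Files is plausible, "System Service" on an executable loose in C:\WINDOWS is not.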
