Author Topic: some help cleaning up F***ing malware (Read 592 times)

bonedoc · « **on:** November 12, 2005, 10:02:08 PM »

any and all help is appreciated. I believe my problem is:
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqaawi.exe reg_run
O4 - HKLM\..\Run: [oedaeeh] C:\WINDOWS\oedaeeh.exe
and the stupid web-nexus thing.
THanks a bunch
chris
--------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:58:38 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {B811A8D9-94B3-9534-136A-74D4345106D1} - C:\WINDOWS\Oqulumfr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqaawi.exe reg_run
O4 - HKLM\..\Run: [oedaeeh] C:\WINDOWS\oedaeeh.exe
O4 - HKCU\..\Run: [SpyRemover TeaTimer] C:\Program Files\SpyRemover\TeaTimer.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXM\command.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

guestolo · « **Reply #1 on:** November 12, 2005, 11:17:51 PM »

Can you do the following please

Download Trackqoo.zip
Save it to the Desktop

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post

Also, Download Find-Qoologic.zip and save it to your Desktop.

UNZIP the files inside into their own folder called FindQoologic to the desktop

Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
Choose option 1 for Run Findqoologic by typing 1 and pressing enter.
This will scan your system.
Wait until a text opens.
Post this in your next reply

bonedoc · « **Reply #2 on:** November 14, 2005, 08:16:21 PM »

here are the results from both programs. Thanks for helping
____

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"AVG7_RegCleaner"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgregcl.exe /BOOT"
"DVDTray"="\"C:\\Program Files\\HP DVD\\Umbrella\\DVDTray.exe\""
"nForce Tray Options"="sstray.exe /r"
"APD123"="C:\\WINDOWS\\system32\\APD123.exe"
"DVDBitSet"="\"C:\\Program Files\\HP DVD\\Umbrella\\DVDBitSet.exe\" /NOUI"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HPHUPD06"="C:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"winsync"="C:\\WINDOWS\\system32\\pqaawi.exe reg_run"
"oedaeeh"="C:\\WINDOWS\\oedaeeh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll

Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG7\avgse.dll

Subkey --- EzCddax
{46E22146-59C0-4136-9233-52E412E2B428}
C:\Program Files\Easy CD-DA Extractor 8\ezcddax8.dll

Subkey --- msyyfnqm
{9ea60b27-572a-4dcd-a993-c8919caf377c}
C:\WINDOWS\system32\kqmmf.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
owzz.exe
==============================
C:\Documents and Settings\chris\Start Menu\Programs\Startup

desktop.ini
owzz.exe
desktop.ini
==============================
C:\WINDOWS\system32 cpl files

access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
ImageDrive.cpl Ahead Software AG
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sscpl.cpl NVIDIA Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
vgactl.cpl
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
------------------------------------------

Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\chris\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\OWZZ.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
owzz.exe

User Startup:
C:\Documents and Settings\chris\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...

C:\WINDOWS\SYSTEM32\VGACTL.CPL
C:\WINDOWS\SYSTEM32\WUAUCLT.DLL
C:\WINDOWS\NECCVO.DAT
C:\WINDOWS\SYSTEM32\PQAAWI.EXE
C:\WINDOWS\SYSTEM32\WGUUP.DAT
C:\WINDOWS\SYSTEM32\KQMMF.DLL
C:\WINDOWS\SYSTEM32\ISPPEOA.DLL
C:\WINDOWS\SYSTEM32\JVVVFSC.EXE
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\OWZZ.EXE
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\msyyfnqm]
@="{9ea60b27-572a-4dcd-a993-c8919caf377c}"

[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
[HKEY_LOCAL_MACHINE\Software\qstat]
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"="C:\\WINDOWS\\system32\\pqaawi.exe reg_run"
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

guestolo · « **Reply #3 on:** November 14, 2005, 10:02:52 PM »

I need you too download a few tools please

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0
Don't run it yet

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Download Pocket Killbox
From one of these loactions
http://www.downloads.subratam.org/KillBox.exe
http://www.atribune.org/downloads/KillBox.exe
In the event you have killbox, I need you too download this version

Download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
But make sure you include Regedit4
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop, well need this later, don't run it yet

Code: [Select]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]

[-HKEY_CLASSES_ROOT\CLSID\{9ea60b27-572a-4dcd-a993-c8919caf377c}]

[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\msyyfnqm]

[-HKEY_LOCAL_MACHINE\Software\qstat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APD123"=-
"winsync"=-
"oedaeeh"=-

Please Save these next instructions to a Notepad file and save it to your Desktop for reference
I need you to disconnect from the Internet

I also need you to disable Ad-aware's Adwatch as it will probably get in the way of any fixes we try
You can reenable it once we know your clean
Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both options.

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for an alternative method

Once in safe mode
Double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

Go to START>>RUN>>copy and paste the following into the Open box and hit OK
sc stop cmdService

and then do the same for this one
sc delete cmdService

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

Paths to file names below
===============================
C:\WINDOWS\Oqulumfr.dll
C:\WINDOWS\system32\APD123.exe
C:\WINDOWS\system32\pqaawi.exe
C:\WINDOWS\oedaeeh.exe
C:\WINDOWS\Q2hyaXM\command.exe
C:\WINDOWS\SYSTEM32\VGACTL.CPL
C:\WINDOWS\SYSTEM32\WUAUCLT.DLL
C:\WINDOWS\NECCVO.DAT
C:\WINDOWS\SYSTEM32\PQAAWI.EXE
C:\WINDOWS\SYSTEM32\WGUUP.DAT
C:\WINDOWS\SYSTEM32\KQMMF.DLL
C:\WINDOWS\SYSTEM32\ISPPEOA.DLL
C:\WINDOWS\SYSTEM32\JVVVFSC.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\owzz.exe
C:\Documents and Settings\chris\Start Menu\Programs\Startup\owzz.exe
============================================
Note: It is possible that Killbox will tell you that one or more files do not exist.
If that happens, just continue on with all the files.

Find and delete this folder if found
C:\WINDOWS\Q2hyaXM <-this folder

Stay in safe mode
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Do another scan with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: (no name) - {B811A8D9-94B3-9534-136A-74D4345106D1} - C:\WINDOWS\Oqulumfr.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKCU\..\Run: [SpyRemover TeaTimer] C:\Program Files\SpyRemover\TeaTimer.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe

O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on fix.reg and allow to Merge to the registry

Reboot back to Normal mode

I need to see a few logs, please post them all

1..Run hijackthis again and post a fresh log
2..Post the Whole Report from Ewido's you saved earlier
3.. Run FindQoologic.bat again, choosing option 1 and post the contents of the text file
4. The entire contents of the log.txt file in the aproposfix folder.

bonedoc · « **Reply #4 on:** November 16, 2005, 10:57:12 PM »

heres the info. If you ever need any orthopedic surgery advice, feel free to ask

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Logfile of HijackThis v1.99.1
Scan saved at 10:53:06 PM, on 11/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

---------------------------------------
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         10:43:10 PM, 11/16/2005
+ Report-Checksum:      DE1BCE50

+ Scan result:

   No infected objects found.

::Report End

-------------------------------------------

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\chris\Desktop\aproposfix

************

Registry entries found:

************

No service found!

Removing hidden folder:
No folder found!

Deleting files:

Backing up files:
Done!

Removing registry entries:

REGEDIT4

Done!

Finished!
-----------------------------------

Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\chris\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini

User Startup:
C:\Documents and Settings\chris\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...

C:\WINDOWS\SYSTEM32\WUAUCLT.DLL
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

guestolo · « **Reply #5 on:** November 16, 2005, 11:36:49 PM »

Hello again bonedoc

Still need to get rid of a file

Can you open Hijackthis>>Open Misc tools section>>Open "Delete File on Reboot"
In the File name field copy and paste the next text in bold and click the OPEN button

C:\WINDOWS\SYSTEM32\WUAUCLT.DLL

Hijackthis should prompt you the file will be deleted on Reboot>>OK this but don't Reboot yet

Instead
Do another scan with Hijackthis and put a check next to these entries:

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Back in Windows

Can you do the following one more time
Run FindQoologic.bat again, choosing option 1 and post the contents of the text file

Also, from my signature below, take the time to run an Online Virus scan at Panda's
Choose to scan "Local disks"
When the scan is done choose to SAVE A REPORT
Save the report and then come back here and post the contents

Also post a fresh hijackthis log

bonedoc · « **Reply #6 on:** November 17, 2005, 08:12:50 PM »

Logfile of HijackThis v1.99.1
Scan saved at 6:16:15 PM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

---------------------\

Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\chris\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini

User Startup:
C:\Documents and Settings\chris\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...

.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
---------------------------------------------------------------

Incident Status Location

Adware:Adware/BookedSpace No disinfected C:\!KillBox\Oqulumfr.dll
Adware:Adware/ClkOptimizer No disinfected C:\!KillBox\owzz.exe
Adware:Adware/ClkOptimizer No disinfected C:\!KillBox\pqaawi.exe
Adware:Adware/ClkOptimizer No disinfected C:\!KillBox\WGUUP.DAT
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[Installer.class]
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\System Files\plugin.dll
Adware:adware/ncase No disinfected C:\WINDOWS\180ax_gdf.dat
Spyware:spyware/virtumonde No disinfected C:\WINDOWS\bsx32.ini
Adware:adware/bookedspace No disinfected C:\WINDOWS\bxxs5.dll
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\mm63.INF
Adware:adware program No disinfected C:\WINDOWS\system32\atmtd.dll
Spyware:spyware/adclicker No disinfected C:\WINDOWS\usta33.ini

guestolo · « **Reply #7 on:** November 18, 2005, 06:16:49 PM »

Depending on your version of Java
Enter the Windows Control Panel and double click on the Java Icon
Under the General tab
Delete Files>>OK it

Or
Under the Cache tab>>Clear Cache

Can you copy and paste these instructions to Notepad again

Reboot back into safe mode

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

Paths to file names below
===============================
C:\WINDOWS\180ax_gdf.dat
C:\WINDOWS\bsx32.ini
C:\WINDOWS\bxxs5.dll
C:\WINDOWS\Downloaded Program Files\mm63.INF
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\usta33.ini
C:\Program Files\System Files\plugin.dll
============================================
Note: It is possible that Killbox will tell you that one or more files do not exist.
If that happens, just continue on with all the files.

Find and delete this folder if found
C:\Program Files\System Files <-this folder

Reboot back to Normal mode and post one more hijackthis log
Let me know how things are running

bonedoc · « **Reply #8 on:** November 19, 2005, 08:05:29 PM »

Logfile of HijackThis v1.99.1
Scan saved at 8:04:50 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

guestolo · « **Reply #9 on:** November 19, 2005, 09:35:39 PM »

How's everything on your end?

If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once System Restore is reenabled

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link
Scroll down too IE-SPYAD (original) or
IE-SPYAD2>>Use one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2

Quote

If you ever need any orthopedic surgery advice, feel free to ask

I may take you up on that someday

Stay safe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

bonedoc · « **Reply #10 on:** November 19, 2005, 11:47:00 PM »

things seem ok, except i still have the WebNexus thing in my list of add/remove programs.

guestolo · « **Reply #11 on:** November 20, 2005, 12:41:16 AM »

Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager
Left click to highlight WebNexus
Then select the "Delete this Entry" button
YES to the prompt
Exit Hijackthis

Check your Add/Remove programs

EDIT>>Forgot to add, go back and enable Ad-Watch

TheTechGuide Forum

News:

Author Topic: some help cleaning up F***ing malware (Read 592 times)

bonedoc

some help cleaning up F***ing malware

guestolo

some help cleaning up F***ing malware

bonedoc

some help cleaning up F***ing malware

guestolo

some help cleaning up F***ing malware

bonedoc

some help cleaning up F***ing malware

guestolo

some help cleaning up F***ing malware

bonedoc

some help cleaning up F***ing malware

guestolo

some help cleaning up F***ing malware

bonedoc

some help cleaning up F***ing malware

guestolo

some help cleaning up F***ing malware

bonedoc

some help cleaning up F***ing malware

guestolo

some help cleaning up F***ing malware