Logfile of HijackThis v1.99.1
Scan saved at 0:27:58, on 29-8-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\aiswoqcf.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wind-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://wind-find4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wind-find4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://wind-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://wind-find4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {44CCE727-C303-EFCC-F77F-37B668BD0076} - progmen.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [aiswoqcf] C:\WINDOWS\System32\aiswoqcf.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20081\services.exe
O4 - HKLM\..\Run: [dmqbp.exe] C:\WINDOWS\System32\dmqbp.exe
O4 - HKLM\..\Run: [utsgmon] InpriseMon.exe
O4 - HKLM\..\Run: [ATLIEHELPER] vxdman.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\RunServices: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [klyfitj] c:\windows\cbenryq.exe
O4 - HKCU\..\Run: [aiswoqcf] C:\WINDOWS\System32\aiswoqcf.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [aavfgqh] c:\windows\cbenryq.exe
O4 - HKCU\..\Run: [backd] Uint32.exe
O4 - HKCU\..\Run: [SysEntry] jopplerg.exe
O4 - HKCU\..\Run: [bingo9] CToolBar.exe
O4 - HKCU\..\Run: [mwuaddm] c:\windows\cbenryq.exe
O4 - HKCU\..\Run: [qvivukr] c:\windows\nvntmxm.exe
O4 - HKCU\..\Run: [bfaqfij] c:\windows\nvntmxm.exe
O4 - HKCU\..\Run: [xvmmubc] c:\windows\nvntmxm.exe
O4 - HKCU\..\Run: [caseoiu] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [cuuharl] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [buillia] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [asnyjpt] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [nuxtrky] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [pijfmib] c:\windows\qyvibhp.exe
O4 - HKCU\..\Run: [gedlwxy] c:\windows\qyvibhp.exe
O4 - HKCU\..\Run: [joyneck] c:\windows\qyvibhp.exe
O4 - HKCU\..\Run: [pwaqumx] c:\windows\rumcjks.exe
O4 - HKCU\..\Run: [ydsmsva] c:\windows\rumcjks.exe
O4 - HKCU\..\Run: [tjrojqp] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [jyaghvf] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [dbwshnb] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [lejyjdh] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [bpqhjxs] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [axxevli] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [xrficyo] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [pctbjmc] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [kmuttfn] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [psepmtn] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [gegueib] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [yvnnjhk] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [wytpxuc] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [ygplhbi] c:\windows\xiyiblv.exe
O4 - HKCU\..\Run: [vrjfrtq] c:\windows\xiyiblv.exe
O4 - HKCU\..\Run: [ljxcwdv] c:\windows\xiyiblv.exe
O4 - HKCU\..\Run: [odmrctu] c:\windows\uigrjpq.exe
O4 - HKCU\..\Run: [nfkbnfh] c:\windows\uigrjpq.exe
O4 - HKCU\..\Run: [ybwqyui] c:\windows\uigrjpq.exe
O4 - HKCU\..\Run: [gfhnmid] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [hsnproi] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [hpdmhmo] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [pqpglhm] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [hceihmm] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [kqtsbvk] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [luookav] c:\windows\hssxtax.exe
O4 - HKCU\..\Run: [xjefqgl] c:\windows\ikjnsqq.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125171625827
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125176828493
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{364D60F9-A71A-410B-BDA8-6CBC86508EF8}: NameServer = 195.95.218.18,85.255.112.11
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O21 - SSODL: System - {F29EEB94-0931-4476-9C00-1B3B666C670F} - vr_sys.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Incident Status Location
Spyware:spyware/wareout No disinfected C:\Documents and Settings\Mickey\Application Data\wo.tmp
Adware:adware/findspy No disinfected C:\Documents and Settings\Mickey\Favorieten\ Free Spy Cam - Realtime.url
Adware:adware/psguard No disinfected C:\Documents and Settings\Mickey\Local Settings\Temp\PSGuardInstall.exe
Spyware:Spyware/ISTBar No disinfected C:\RECYCLER\S-1-5-21-682003330-1606980848-854245398-1000\Dc11.php
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\axuuxae.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\cbenryq.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\ciigirj.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\drvcvqe.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\egqceng.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\nvntmxm.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\ptbolnw.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\qyvibhp.exe
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\rumcjks.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\sykxcat.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\SYSTEM32\aiswoqcf.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\SYSTEM32\wmwoqtej.exe
Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\__delete_on_reboot__desktop.dll
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\twpyojv.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\uigrjpq.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\vibxfbo.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\xiyiblv.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\xnpbcly.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\hssxtax.exe
Adware:Adware/Startpage.AFV No disinfected C:\WINDOWS\ikjnsqq.exe
---------------------------------------------------------
ewido security suite - Scan rapport
---------------------------------------------------------
+ Gemaakt op: 23:44:16, 28-8-2005
+ Rapport samenvatting: 9A415A50
+ Scan resultaten:
[256] C:\WINDOWS\system32\desktop.dll -> TrojanProxy.Small.cq : Fout gedurende het schoonmake
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2567IJ87\me_7[1].dat -> TrojanProxy.Small.cq : Schoongemaakt met een backup
:mozilla.10:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Schoongemaakt met een backup
:mozilla.11:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Schoongemaakt met een backup
:mozilla.12:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Adjuggler : Schoongemaakt met een backup
:mozilla.22:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Atdmt : Schoongemaakt met een backup
:mozilla.37:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Schoongemaakt met een backup
:mozilla.46:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.47:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.48:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.49:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.50:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
C:\Documents and Settings\Mickey\Cookies\mickey@paypopup[1].txt -> Spyware.Cookie.Paypopup : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\cisje.dll -> Spyware.SBSoft : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\desktop.exe -> TrojanProxy.Small.cq : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\latest.exe -> Trojan.Crypt.i : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\l_____e.exe -> TrojanProxy.Small.cq : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\~update.exe -> Trojan.Crypt.i : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__desktop.dll -> TrojanProxy.Small.cq : Schoongemaakt met een backup
::Einde rapport
Logfile of HijackThis v1.99.1
Scan saved at 12:29:35, on 31-8-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\windows\utbkfgk.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wind-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://wind-find4u.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://wind-find4u.com/
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [xjhidvf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [nxjecra] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [udrlpmk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [bbmoxyi] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [enuufre] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xoxvrgq] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [emspdrf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yfsxwri] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [mcpjtvv] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jyxqqdn] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qxtdaoe] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [vmwqjth] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [pefnljj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qgympvk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [lirqvrx] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [vryhyxr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dcgusij] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [kxcphlf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xqpvrbj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [poflijl] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [rcsvfqp] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [fvhwklt] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [hniscxe] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [aiowdnp] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wyosirj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [hpadwic] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qcrsuif] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [flxsaqm] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dtweidr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [pkiwjku] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yncacub] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [ohtuopk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [onsmgje] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wrsdogs] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xtxnieg] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [lvopfpa] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [gugbvmc] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [ivgcxsd] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yjyhcdy] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jhdqfro] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qrdjosa] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [rvbmpjh] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [cxvmcxf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wudnlnr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [bchejhc] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dcwvpfv] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wxlvddn] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jilfogm] c:\windows\utbkfgk.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125171625827
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125176828493
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{364D60F9-A71A-410B-BDA8-6CBC86508EF8}: NameServer = 195.95.218.18,85.255.112.11
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Virus Scan No virus detected
Results:
We have detected 0 infected file(s) with 0 virus(es) on your computer. Only 0 out of 0 infected files are displayed.
Detected File Associated Virus Name
Trojan/Worm Check No worm/Trojan horse detected
What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed.
Trojan/Worm Name Trojan/Worm Type
Spyware Check
What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 0 spyware(s) on your computer. Only 0 out of 0 spywares are displayed.
Spyware Name Spyware Type
Microsoft Vulnerability Check
What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 0 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Logfile of HijackThis v1.99.1
Scan saved at 16:03:37, on 2-9-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wind-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://wind-find4u.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://wind-find4u.com/
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [xjhidvf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [nxjecra] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [udrlpmk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [bbmoxyi] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [enuufre] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xoxvrgq] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [emspdrf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yfsxwri] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [mcpjtvv] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jyxqqdn] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qxtdaoe] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [vmwqjth] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [pefnljj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qgympvk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [lirqvrx] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [vryhyxr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dcgusij] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [kxcphlf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xqpvrbj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [poflijl] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [rcsvfqp] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [fvhwklt] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [hniscxe] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [aiowdnp] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wyosirj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [hpadwic] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qcrsuif] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [flxsaqm] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dtweidr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [pkiwjku] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yncacub] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [ohtuopk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [onsmgje] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wrsdogs] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xtxnieg] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [lvopfpa] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [gugbvmc] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [ivgcxsd] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yjyhcdy] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jhdqfro] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qrdjosa] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [rvbmpjh] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [cxvmcxf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wudnlnr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [bchejhc] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dcwvpfv] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wxlvddn] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jilfogm] c:\windows\utbkfgk.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125171625827
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125176828493
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{364D60F9-A71A-410B-BDA8-6CBC86508EF8}: NameServer = 195.95.218.18,85.255.112.11
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
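rem Delete the two executables that the logs on this page still show as autostart targets:
rem   %windir%\utbkfgk.exe          - target of the random-named HKCU\..\Run values
rem   %windir%\system32\desktop.exe - HKLM\..\Run [desktop]; reported by ewido as TrojanProxy.Small.cq
rem
rem Full quoted paths replace the original "cd %windir%" / "cd system32" chain, so a
rem failed cd or a different current drive cannot make attrib/del act on another directory.
rem attrib clears the System, Read-only and Hidden attributes, which would otherwise block del.
attrib -s -r -h "%windir%\utbkfgk.exe"
del "%windir%\utbkfgk.exe"
attrib -s -r -h "%windir%\system32\desktop.exe"
del "%windir%\system32\desktop.exe"

rem del cannot remove a file that is still loaded as a running process. Report anything
rem left behind so it can be retried after the process is stopped or from Safe Mode.
if exist "%windir%\utbkfgk.exe" echo STILL PRESENT: %windir%\utbkfgk.exe
if exist "%windir%\system32\desktop.exe" echo STILL PRESENT: %windir%\system32\desktop.exe

rem NOTE: this removes the files only. The Run values that point at them stay in the
rem registry and have to be removed separately (for example by fixing the O4 lines in HijackThis).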