
The computers at my work have been totally overrun with pop-up ads, spyware, and backdoor programs that have almost all been manually installed by people who are stupid enough to believe everything they read on the internet. I find myself now almost completely in charge of fixing this problem (since the other two people with computer knowledge were fired for unrelated reasons). I've dealt with stuff like this before (I used to be a dumb kid with Kazaa, hehe), but I'm very far from being an expert. I stumbled upon this site while desperately searching Yahoo for tips and advice, and I'm hoping that I can find that and more here.

As promised, I attached an HJT log, which follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:34 AM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\T?sks\c?rss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\INTERN~1\EXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 115.641.126.1:5248
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F97BDE4417E6FD967002BA754E2C2832213329D26033AAC
O4 - HKLM\..\Run: [343238373737393] 211F252424242.exe
O4 - HKLM\..\Run: [d8360f02] rundll32.exe "C:\WINDOWS\system32\iybclnui.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\WNSXS~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [Dkavnwfk] C:\WINDOWS\?racle\c?rss.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Administrator\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\oadacr.exe
O4 - HKCU\..\Run: [wuwo] C:\PROGRA~1\COMMON~1\wuwo\wuwom.exe
O4 - HKCU\..\Run: [Regdorh] "C:\Program Files\T?sks\c?rss.exe"
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Net Rent.RDP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://ras.rezlink.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{158C90DB-8664-4FCA-BD22-9B0E07DCA8C4}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{158C90DB-8664-4FCA-BD22-9B0E07DCA8C4}: NameServer = 4.2.2.1,4.2.2.2
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\cGh4dXNy\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - About:Home

--
End of file - 6114 bytes


Any insight would be greatly appreciated. Like I said, I'm no expert, but I am a fast learner.

Thanks in advance...

2 Contributors, 3 Replies, 4 Views, 9 Years Discussion Span, Last Post by crunchie

Hi and welcome to the Daniweb forums :).

You got more nasties than good guys there :).

Please download ComboFix by sUBs from HERE or HERE

  • Save it to your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    "%userprofile%\desktop\ComboFix.exe" /KillAll


  • Click OK and this will start ComboFix.
  • When finished, it will produce a log. Please save that log to a Notepad File and include it in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* Re-enable all the programs that were disabled prior to the running of ComboFix.

* Post the following logs/Reports:


  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Sorry about how long it took me to reply to this; I've been heavily occupied with a few other tasks at my job as of late.

I ran ComboFix, and the computer already appears to be running far better than before.

The only txt file ComboFix gave me reads as follows:

ComboFix 08-02-14.2 - rem_admin 2008-02-15 1:29:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.106 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

----------

Also, here is a fresh HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:07, on 2008-02-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\211F252424242.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Drmupgds\Drmupgds.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 115.641.126.1:5248
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll
O2 - BHO: Google Module - {221BBF54-3327-4548-9006-84385B1A5840} - ssymman.dll (file missing)
O2 - BHO: (no name) - {54570245-3AEA-4213-9AE0-5CF0980AD94F} - C:\Program Files\ComPlus Applications\rybokutyc89104.dll
O2 - BHO: 0 - {772BE84E-4F8E-43A0-529C-473D975BCF20} - C:\Program Files\Windows NT\lacusylab.dll (file missing)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {B2AC704C-E85F-4C92-924F-5A629BD26CA8} - C:\Program Files\Messenger\hoqezik455101.dll (file missing)
O2 - BHO: (no name) - {B88AD22D-3C29-4FDB-97E7-16E57F7AFD18} - C:\Program Files\Messenger\hoqezik83122.dll (file missing)
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\khfddee.dll (file missing)
O2 - BHO: (no name) - {E48BC0EE-7355-4A48-AF45-3AD284CE0EF5} - C:\WINDOWS\system32\ddayx.dll (file missing)
O2 - BHO: {908cc086-2849-f559-20f4-a30d318e454f} - {f454e813-d03a-4f02-955f-9482680cc809} - C:\WINDOWS\system32\blxiyxmv.dll (file missing)
O2 - BHO: (no name) - {FACADA43-218F-49AD-869D-AB5CBA64ACC4} - C:\WINDOWS\system32\pmnlm.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O4 - HKLM\..\Run: [343238373737393] 211F252424242.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [hoxyp] C:\Program Files\Common Files\hoxyp77798.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\WNSXS~1\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Dkavnwfk] C:\WINDOWS\?racle\c?rss.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [wuwo] C:\PROGRA~1\COMMON~1\wuwo\wuwom.exe
O4 - HKCU\..\Run: [Regdorh] "C:\Program Files\T?sks\c?rss.exe"
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [Muysa] "C:\Documents and Settings\Administrator\Application Data\??pPatch\m?dtc.exe"
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Net Rent.RDP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://ras.rezlink.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{158C90DB-8664-4FCA-BD22-9B0E07DCA8C4}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{158C90DB-8664-4FCA-BD22-9B0E07DCA8C4}: NameServer = 4.2.2.1,4.2.2.2
O20 - Winlogon Notify: geeda - C:\WINDOWS\system32\geeda.dll (file missing)
O20 - Winlogon Notify: jkkkkll - jkkkkll.dll (file missing)
O20 - Winlogon Notify: khfddee - khfddee.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\prolyhdufsoz.html
O24 - Desktop Component 1: (no name) - About:Home

--
End of file - 8316 bytes

So far everything seems to be running a lot smoother, and I have (*knock on wood*) yet to see a single pop-up ad. There are 2 other computers that are infected at my job, and if this worked and solved my problems I won't hesitate to repeat this on both of them (this one was the best running of the 3, tragically), before trying to get manager approval to install a series of firewalls on all systems to hopefully prevent any further problems. (Like I previously mentioned, I'm no IT whiz; I'm just a simple Overnight Rental/Return Agent for a small car rental company.)

If there is anything else you feel I should do to secure this computer, or if you notice anything your methods may have missed, or even if you have any suggestions for firewalls, I'm all ears. Otherwise I'd say it's safe to mark this as resolved.

I'm incredibly grateful for your help, dude. Thanks.

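Reading two logs like the ones above by hand is slow, and "running far better" hides what the fresh log actually says. The script below is an added example written for this thread; it is not HijackThis code and not anything either poster ran. It parses the entry lines of a HijackThis 2.0.x log, flags entries that match a few heuristics (a `?` in a path, which HijackThis prints for characters it cannot display, so `T?sks\c?rss.exe` is a lookalike of the real csrss.exe; a core binary name such as netdde.exe or spoolsv.exe running outside the Windows directory; machine-generated file names; orphaned `(file missing)` entries; Trusted Zone additions; Winlogon Notify DLLs; services with no vendor; and a browser proxy, including the one in both logs whose address 115.641.126.1 has an octet above 255 and cannot be a real IPv4 address), and diffs the first log against the fresh one so the entries ComboFix removed and the ones that appeared since are listed side by side. The heuristics, the function names and the sample excerpts embedded below (copied from the two logs above) are this example's own choices; the output is a list of leads to check, not a verdict.

```python
"""Triage a HijackThis 2.0.x log and diff two logs from the same machine.
Added example for this thread, not HijackThis code; the heuristics are this
example's own assumptions and produce leads to check by hand, not verdicts."""
import re

SYSTEM_DIRS = {"c:\\windows\\system32\\", "c:\\windows\\"}
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
                "winlogon.exe", "services.exe", "netdde.exe", "msdtc.exe"}
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# Drive-letter path ending in .exe/.dll; may contain spaces and the '?' HijackThis
# prints in place of characters the console code page cannot show.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def parse_log(text):
    """Entries as (section, body); 'Running processes' lines get section 'PROC'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif re.match(r"^[A-Za-z]:\\", line):
            entries.append(("PROC", line))
    return entries


def lookalike_of(name):
    """Core binary a '?'-masked name imitates (c?rss.exe -> csrss.exe), else None."""
    pattern = re.escape(name.lower()).replace(r"\?", ".")
    return next((real for real in SYSTEM_NAMES if re.fullmatch(pattern, real)), None)


def suspicious_reasons(section, body):
    """Why one entry deserves a closer look; an empty list means nothing flagged."""
    reasons, low = [], body.lower()
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("registry entry points at a file that no longer exists")
    if section == "O15":
        reasons.append("site added to the IE Trusted Zone")
    if section == "O20":
        reasons.append("Winlogon Notify DLL is loaded at every logon")
    if section == "O23" and "unknown owner" in low:
        reasons.append("service carries no vendor information")
    if section == "R1" and "proxyserver" in low:
        reasons.append("browser proxy configured; web traffic is being redirected")
        m = IPV4_RE.search(body)
        if m and any(int(octet) > 255 for octet in m.groups()):
            reasons.append("proxy address is not a valid IPv4 address")
    if section == "O4" and re.search(r"\b[0-9A-Fa-f]{64,}\b", body):
        reasons.append("Run entry passes a long opaque hex argument")
    paths = PATH_RE.findall(body)
    if section == "O4" and not paths:  # bare name: Windows has to search for it
        m = re.search(r"\]\s+\"?([^\s\"]+\.exe)", body, re.IGNORECASE)
        if m:
            paths = [m.group(1)]
            reasons.append("Run entry gives no directory for the executable")
    for path in paths:
        directory, _, name = path.lower().rpartition("\\")
        stem = name.rsplit(".", 1)[0]
        if "?" in path:
            real = lookalike_of(name)
            reasons.append(f"unprintable characters in path: {path}"
                           + (f" (lookalike of {real})" if real else ""))
        elif name in SYSTEM_NAMES and directory + "\\" not in SYSTEM_DIRS:
            reasons.append(f"core binary name outside the Windows directory: {path}")
        if re.search(r"\d{5,}$", stem) or re.fullmatch(r"[0-9a-f]{8,}", stem):
            reasons.append(f"machine-generated file name: {name}")
    return reasons


def triage(text):
    """[(section, body, reasons)] for every flagged entry, in log order."""
    hits = [(s, b, suspicious_reasons(s, b)) for s, b in parse_log(text)]
    return [h for h in hits if h[2]]


def diff_logs(old_text, new_text):
    """(gone, new): config entries a cleanup removed, and ones that appeared since."""
    old = {e for e in parse_log(old_text) if e[0] != "PROC"}
    new = {e for e in parse_log(new_text) if e[0] != "PROC"}
    return old - new, new - old


# Excerpts copied from the first log above and from the fresh log after ComboFix.
FIRST_LOG = r"""
C:\WINDOWS\system32\csrss.exe
C:\Program Files\T?sks\c?rss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 115.641.126.1:5248
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F97BDE4417E6FD967002BA754E2C2832213329D26033AAC
O4 - HKLM\..\Run: [343238373737393] 211F252424242.exe
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\WNSXS~1\netdde.exe" -vt yazb
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\cGh4dXNy\command.exe
"""
NEW_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 115.641.126.1:5248
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [343238373737393] 211F252424242.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\WNSXS~1\spoolsv.exe" -vt yazb
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: jkkkkll - jkkkkll.dll (file missing)
"""
```

Run against the two full logs, `diff_logs` reports the cmdService, Net Agent, Network Monitor, runner1 and WinTouch entries as gone and the Mirar BHO and toolbar, RABCO, xInsIDE, Trusted Zone and Winlogon Notify entries as new; the `[Tair]` Run value appears on both sides because it now points at a renamed `spoolsv.exe` in `COMMON~1\WNSXS~1` instead of `netdde.exe`, which is how a dropper surviving a cleanup looks in a diff. The proxy and the `211F252424242.exe` Run entry survive unchanged in both logs.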

Can you please do the following.


===============

Let's look for, and delete, any program segments (prefetches) that might be present, and are associated with the 'problems' we're trying to remove from your PC. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

211F252424242.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\system32\211F252424242.exe
C:\Program Files\Drmupgds\Drmupgds.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Scan with HijackThis and then place a check next to all the following, if present:


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

O2 - BHO: Google Module - {221BBF54-3327-4548-9006-84385B1A5840} - ssymman.dll (file missing)
O2 - BHO: (no name) - {54570245-3AEA-4213-9AE0-5CF0980AD94F} - C:\Program Files\ComPlus Applications\rybokutyc89104.dll
O2 - BHO: 0 - {772BE84E-4F8E-43A0-529C-473D975BCF20} - C:\Program Files\Windows NT\lacusylab.dll (file missing)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O2 - BHO: (no name) - {B2AC704C-E85F-4C92-924F-5A629BD26CA8} - C:\Program Files\Messenger\hoqezik455101.dll (file missing)
O2 - BHO: (no name) - {B88AD22D-3C29-4FDB-97E7-16E57F7AFD18} - C:\Program Files\Messenger\hoqezik83122.dll (file missing)
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\khfddee.dll (file missing)
O2 - BHO: (no name) - {E48BC0EE-7355-4A48-AF45-3AD284CE0EF5} - C:\WINDOWS\system32\ddayx.dll (file missing)
O2 - BHO: {908cc086-2849-f559-20f4-a30d318e454f} - {f454e813-d03a-4f02-955f-9482680cc809} - C:\WINDOWS\system32\blxiyxmv.dll (file missing)
O2 - BHO: (no name) - {FACADA43-218F-49AD-869D-AB5CBA64ACC4} - C:\WINDOWS\system32\pmnlm.dll (file missing)

O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll

O4 - HKLM\..\Run: [343238373737393] 211F252424242.exe
O4 - HKLM\..\Run: [hoxyp] C:\Program Files\Common Files\hoxyp77798.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\WNSXS~1\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Dkavnwfk] C:\WINDOWS\?racle\c?rss.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [wuwo] C:\PROGRA~1\COMMON~1\wuwo\wuwom.exe
O4 - HKCU\..\Run: [Regdorh] "C:\Program Files\T?sks\c?rss.exe"
O4 - HKCU\..\Run: [Muysa] "C:\Documents and Settings\Administrator\Application Data\??pPatch\m?dtc.exe"

O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O20 - Winlogon Notify: geeda - C:\WINDOWS\system32\geeda.dll (file missing)
O20 - Winlogon Notify: jkkkkll - jkkkkll.dll (file missing)
O20 - Winlogon Notify: khfddee - khfddee.dll (file missing)

O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\prolyhdufsoz.html


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\Program Files\Drmupgds
C:\PROGRA~1\COMMON~1\WNSXS~1
C:\Program Files\Router
C:\PROGRA~1\COMMON~1\wuwo

files...

C:\Program Files\ComPlus Applications\rybokutyc89104.dll
C:\WINDOWS\system32\211F252424242.exe
C:\WINDOWS\system32\WinNB57.dll
C:\Program Files\Common Files\hoxyp77798.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode and hit Enter.

-

Reboot.

===============

After rebooting, rescan with HijackThis and post back a new log. Please let me know how your PC is now.
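The list above is the manual version of the cleanup. The script below is an added example for this thread, not HijackThis code and not anything crunchie posted; it turns each entry marked for "Fix checked" into the concrete registry key or value, file, prefetch trace and service it corresponds to on 32-bit Windows XP and prints them as a batch script to read before running. The section-to-registry mapping, the function names and the sample fix list (entries copied from the post above) are this example's own assumptions. HijackThis removes the registry side itself when you click "Fix checked", so the point here is seeing exactly what that touches and having the file and `C:\WINDOWS\Prefetch\*.pf` remnants the post tells you to hunt by hand written down in one place.

```python
"""Turn HijackThis entries marked for 'Fix checked' into a reviewable cleanup plan:
registry keys/values, files, prefetch traces and services, printed as a batch script.
Added example for this thread, not HijackThis code and not what it does internally;
the section-to-registry mapping is this example's own (standard 32-bit XP locations)."""
import re

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|html)", re.IGNORECASE)
PREFETCH_DIR = r"C:\WINDOWS\Prefetch"
RUN_KEY = r"{hive}\Software\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"HKLM\Software\Microsoft\Internet Explorer\Toolbar"
HOOK_KEY = r"HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks"
ZONE_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
NOTIFY_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
DESKTOP_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Desktop\Components"
PROXY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def sub(key, name):
    return key + "\\" + name


def registry_actions(section, body):
    """Deletions for one entry: ('key', path), ('value', key, name) or ('service', name)."""
    clsids = CLSID_RE.findall(body)
    clsid = clsids[-1] if clsids else None  # the last {GUID} is the CLSID, not a display name
    if section == "O4" and body[:4] in ("HKLM", "HKCU"):
        return [("value", RUN_KEY.format(hive=body[:4]), re.search(r"\[(.*?)\]", body).group(1))]
    if section == "O2" and clsid:
        return [("key", sub(BHO_KEY, clsid)), ("key", sub(r"HKCR\CLSID", clsid))]
    if section == "O3" and clsid:
        return [("value", TOOLBAR_KEY, clsid), ("key", sub(r"HKCR\CLSID", clsid))]
    if section == "R3" and clsid:
        return [("value", HOOK_KEY, clsid)]
    if section == "R1" and "ProxyServer" in body:
        return [("value", PROXY_KEY, "ProxyServer")]
    if section == "O15":  # Domains\getmirar.com\click for http://click.getmirar.com
        host = re.search(r"://([^\s/]+)", body).group(1).split(".")
        key = sub(ZONE_KEY, ".".join(host[-2:]))
        return [("key", sub(key, ".".join(host[:-2])) if len(host) > 2 else key)]
    if section == "O20":
        return [("key", sub(NOTIFY_KEY, body.split(":", 1)[1].split(" - ")[0].strip()))]
    if section == "O23":  # prefer the short service name given in parentheses
        m = re.match(r"Service: (.*?)(?: \((\w+)\))? - ", body)
        return [("service", m.group(2) or m.group(1))]
    if section == "O24":
        return [("key", sub(DESKTOP_KEY, re.search(r"Component (\d+)", body).group(1)))]
    return []  # Startup-folder .lnk entries and the like are files only


def file_actions(section, body):
    """Files to delete plus the prefetch trace each .exe leaves; skip ones already gone."""
    if "(file missing)" in body or "(no file)" in body:
        return []
    paths = PATH_RE.findall(body)
    if section == "O4" and not paths:  # bare name such as 211F252424242.exe
        m = re.search(r"\]\s+\"?([^\s\"]+\.exe)", body, re.IGNORECASE)
        return [("find", m.group(1)), ("delete", sub(PREFETCH_DIR, m.group(1).upper() + "-*.pf"))] if m else []
    actions = []
    for path in paths:
        actions.append(("delete", path))
        if path.lower().endswith(".exe"):
            actions.append(("delete", sub(PREFETCH_DIR, path.rsplit("\\", 1)[-1].upper() + "-*.pf")))
    return actions


def batch_script(fix_list):
    """Render the plan for every entry line in fix_list as cmd.exe commands to review."""
    lines = ["@echo off", "rem generated from a HijackThis fix list; read it before running"]
    for line in fix_list.splitlines():
        m = re.match(r"^(R[0-3]|O\d{1,2}) - (.+)$", line.strip())
        if not m:
            continue
        section, body = m.groups()
        lines.append("rem " + line.strip())
        for action in registry_actions(section, body) + file_actions(section, body):
            kind, target = action[0], action[1]
            if kind == "key":
                lines.append(f'reg delete "{target}" /f')
            elif kind == "value":
                lines.append(f'reg delete "{target}" /v "{action[2]}" /f')
            elif kind == "service":
                lines += [f'sc stop "{target}"', f'sc delete "{target}"']
            elif kind == "delete":
                lines.append(f'del /f /q "{target}"')
            else:
                lines.append(f"rem locate {target} (Run entry gives no directory) and delete it")
    return "\n".join(lines)


# Entries copied from the fix list in the post above.
FIX_LIST = r"""
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O4 - HKLM\..\Run: [343238373737393] 211F252424242.exe
O4 - HKLM\..\Run: [hoxyp] C:\Program Files\Common Files\hoxyp77798.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: geeda - C:\WINDOWS\system32\geeda.dll (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\prolyhdufsoz.html
"""
```

`print(batch_script(FIX_LIST))` gives the commands; run them from Safe Mode so nothing listed is still in use, and keep the script as the record of what was removed. It deliberately emits no `rd /s /q` for the folders in the post, because a wrong path there takes out a Program Files tree; delete those by hand as the post says. The `211F252424242.exe` Run entry carries no directory, so the plan only names the prefetch glob and leaves locating the file to you, which is what the search step in the post is for.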
