0

Yes her computer is becoming infested with all sorts of crap from the internet, particularly stubborn are "Derbiz" and "ebates money maker" who both seem to reappear after being deleted either on AdAware or Spybot.
I know it's gonna be an uphill struggle because I can't be there all day to make sure she keeps her virus software up to date all the time but I thought you good people might be able to offer some help if i post her hijackthis log.

Thanks
Kris

Logfile of HijackThis v1.99.1
Scan saved at 22:59:44, on 04/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AVPersonal\AVSCHED32.EXE
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\usxhs.exe
C:\WINDOWS\System32\rnamrr.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\COMMON~1\rqmr\rqmrm.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\faspro.exe
C:\WINDOWS\System32\faspro.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Piolet\Piolet.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\System32\inseng.exe
C:\Documents and Settings\Vickie\Desktop\DADA'S Utilities\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSCHED32.EXE /min
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [c8YCifF] C:\WINDOWS\usxhs.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rnamrr.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitetbm32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\uk_nm.exe -N
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [rqmr] C:\PROGRA~1\COMMON~1\rqmr\rqmrm.exe
O4 - HKCU\..\Run: [inseng] C:\WINDOWS\System32\inseng.exe
O4 - HKCU\..\Run: [faspro] C:\WINDOWS\System32\faspro.exe
O4 - HKCU\..\RunOnce: [faspro] C:\WINDOWS\System32\faspro.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Fortune Bingo by pogo - http://game4.pogo.com/applet-6.0.4.37/superbingo/superbingo-ob-assets.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/Bridge-c139.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aol.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BB5EAD9-17C3-4E45-BBFF-1CFF54D021F4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\..\{2BB5EAD9-17C3-4E45-BBFF-1CFF54D021F4}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

5
Contributors
19
Replies
20
Views
12 Years
Discussion Span
Last Post by Bluejay
0

Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.

Reboot in Safe mode.

Doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

To save some time, could you please have all the files that rkfiles finds uploaded for an online scan here;

http://virusscan.jotti.org/

Post the contents of C:\log.txt in your next reply.

0

You can check your Computer with 5,000,000 Anti-Virus-Softwares and spend $20,000 for it, as long as you surf the Internet with the Internet Explorer and activated ActiveX & ActiveScripting, it will be Sisyphus work.

Michael

0

I uploaded the file to that virus checker site and it found nothing.

Here's the log:
C:\Documents and Settings\Vickie\Desktop\New Folder

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\AUNPS2.dll: UPX!
C:\WINDOWS\system32\faspro.exe: UPX!
C:\WINDOWS\system32\naopn.dll: UPX!
C:\WINDOWS\system32\pgehppp.dll: UPX!
C:\WINDOWS\system32\qvgbq.dat: UPX!
C:\WINDOWS\system32\rnamrr.exe: UPX!
C:\WINDOWS\system32\rpen.exe: UPX!
C:\WINDOWS\system32\skytown.exe: UPX!
C:\WINDOWS\system32\thin-94-1-x-x.exe: UPX!
C:\WINDOWS\system32\winup2date.dll: UPX!
C:\WINDOWS\system32\winupdt.exe: UPX!
C:\WINDOWS\system32\wmconfig.cpl: UPX!
C:\WINDOWS\system32\elitebon32.exe: FSG!
C:\WINDOWS\system32\elitecoc32.exe: FSG!
C:\WINDOWS\system32\eliteduj32.exe: FSG!
C:\WINDOWS\system32\elitedzm32.exe: FSG!
C:\WINDOWS\system32\eliterse32.exe: FSG!
C:\WINDOWS\system32\elitersk32.exe: FSG!
C:\WINDOWS\system32\elitesla32.exe: FSG!
C:\WINDOWS\system32\elitetbm32.exe: FSG!
C:\WINDOWS\system32\elitevjd32.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\oembios.bin: peC2"y)Q

Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dtup.exe: UPX!
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\farmmext.exe: UPX!
C:\WINDOWS\nem220.dll: UPX!
C:\WINDOWS\sideb.exe: UPX!
C:\WINDOWS\tct101.dll: UPX!
C:\WINDOWS\usxhs.exe: UPX!
Finished
bye

LOL I take it that log has some baddies in it?

0

I know it's gonna be an uphill struggle because I can't be there all day to make sure she keeps her virus software up to date all the time ....

Be that as it may, but you should ensure that an adequate antivirus program is installed, set to automatically update and to perform continual background scanning. You should also ensure that adequate spyware detection/removal software is also installed and set to perform continual background scanning/blocking.

And you should ensure that a browser such as Mozilla, Firefox or Opera is installed and set as 'default', with the security settings adequately configured.

That way, you don't need to be there all day. :D

0

kriskarrera. I needed you to upload every file that rkfiles found :D.

Oh. Ok. What do you mean by "upload"? Do you mean literally copy these nasties onto disc from her pc and them attach them to this thread? :eek:

0

No. In post #2 I provided a link to an online scanner where you can have the file's scanned one at a time :D.

0

I'm in a rush, I've copied those files to disc and i'll scan them on that site later and report back here but can I just add that I ran Adaware on her pc earlier and something nasty popped up and took away some of the nasties I was about to delete!! I can't believe that some evil git has even made something that can hijack adaware!

0

Ad-aware Cloak 1.0 is designed to allow Ad-aware to open fully when there are items on the system which close Ad-aware when it attempts to start, such as some CoolWebSearch variants. To use Ad-aware Cloak, save it to your system, and run the program before opening Ad-aware. Once Ad-aware Cloak opens, click "Activate Cloak" and then open Ad-aware and scan as normal. When you are done using Ad-aware, close Ad-aware Cloak.

Further Information

Download the free Ad-aware Cloak program:

AAWCloak

0

Ok, thanks, will do.

Below are the results from what you asked me to do earlier.
Unfortunately I could find half those files on her computer and I've marked those with an asterix.

C:\Documents and Settings\Vickie\Desktop\New Folder

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\AUNPS2.dll: UPX!(nasty)
C:\WINDOWS\system32\faspro.exe: UPX!(nasty)
C:\WINDOWS\system32\naopn.dll: UPX!*
C:\WINDOWS\system32\pgehppp.dll: UPX!*
C:\WINDOWS\system32\qvgbq.dat: UPX!(nasty)
C:\WINDOWS\system32\rnamrr.exe: UPX!*
C:\WINDOWS\system32\rpen.exe: UPX!*
C:\WINDOWS\system32\skytown.exe: UPX!(nasty)
C:\WINDOWS\system32\thin-94-1-x-x.exe: UPX!(nasty-ish)
C:\WINDOWS\system32\winup2date.dll: UPX!(nasty)
C:\WINDOWS\system32\winupdt.exe: UPX!(nasty)
C:\WINDOWS\system32\wmconfig.cpl: UPX!(nasty)
C:\WINDOWS\system32\elitebon32.exe: FSG!*
C:\WINDOWS\system32\elitecoc32.exe: FSG!*
C:\WINDOWS\system32\eliteduj32.exe: FSG!*
C:\WINDOWS\system32\elitedzm32.exe: FSG!*
C:\WINDOWS\system32\eliterse32.exe: FSG!*
C:\WINDOWS\system32\elitersk32.exe: FSG!*
C:\WINDOWS\system32\elitesla32.exe: FSG!*
C:\WINDOWS\system32\elitetbm32.exe: FSG!*
C:\WINDOWS\system32\elitevjd32.exe: FSG!*
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213 (fine)
C:\WINDOWS\system32\oembios.bin: peC2"y)Q (fine)

Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dtup.exe: UPX!*
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\farmmext.exe: UPX!(nasty)
C:\WINDOWS\nem220.dll: UPX!(nasty)
C:\WINDOWS\sideb.exe: UPX!(nasty)
C:\WINDOWS\tct101.dll: UPX!(nasty)
C:\WINDOWS\usxhs.exe: UPX!(nasty)
Finished
bye

0

Download the Pocket KillBox
Unzip the file to your desktop.
Run Pocket Killbox and paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).

C:\WINDOWS\system32\AUNPS2.dll
C:\WINDOWS\system32\faspro.exe
C:\WINDOWS\system32\naopn.dll
C:\WINDOWS\system32\pgehppp.dll
C:\WINDOWS\system32\qvgbq.dat
C:\WINDOWS\system32\rnamrr.exe
C:\WINDOWS\system32\rpen.exe
C:\WINDOWS\system32\skytown.exe
C:\WINDOWS\system32\thin-94-1-x-x.exe
C:\WINDOWS\system32\winup2date.dll
C:\WINDOWS\system32\winupdt.exe
C:\WINDOWS\system32\wmconfig.cpl
C:\WINDOWS\system32\elitebon32.exe
C:\WINDOWS\system32\elitecoc32.exe
C:\WINDOWS\system32\eliteduj32.exe
C:\WINDOWS\system32\elitedzm32.exe
C:\WINDOWS\system32\eliterse32.exe
C:\WINDOWS\system32\elitersk32.exe
C:\WINDOWS\system32\elitesla32.exe
C:\WINDOWS\system32\elitetbm32.exe
C:\WINDOWS\system32\elitevjd32.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\nem220.dll
C:\WINDOWS\sideb.exe
C:\WINDOWS\tct101.dll
C:\WINDOWS\usxhs.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dtup.exe

Reboot afterwards if the files are successfully deleted.

If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

A new rkfiles and hijackthis log after the reboot please.

0

Gawd what a pain in the rear end this is.
When I deleted one of those files and restarted the computer it asked me to activate windows!! I ended up having to type the CD key whatsit thingy back in.
This is the latest hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 00:18:47, on 13/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AVPersonal\AVSCHED32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Vickie\Desktop\DADA'S Utilities\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSCHED32.EXE /min
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Fortune Bingo by pogo - http://game4.pogo.com/applet-6.0.4.37/superbingo/superbingo-ob-assets.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/Bridge-c139.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aol.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

And just realised you asked for an RK log too, grrr I'll get that tomorrow.

0

Just discovered what I foolishly accidentally deleted was "C:\WINDOWS\system32\oembios.bin: peC2"y)Q" and now it's in a folder named "!Submit" - :mad: shall i move it back to system 32?

0

Didn't have my disc with my while I was over there but I did the rk files thingy again and all that was left in the log was those C:\WINDOWS\system32\dfrg.msc and C:\WINDOWS\system32\oembios.bin files.

0

Both legit :).

From your hijackthis log...

-

We'll need to unload (not uninstall) Intermute's SpySubtract, since it might interfere with other program(s) we might be using to 'clean' off your system.

===============

Run HiJackThis, click "Scan", then check(tick) the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6...Bridge-c139.cab


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to "view system and hidden files/ folders:"

files...

C:\WINDOWS\System32\wintask.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

After rebooting your PC, rescan with hijackthis and post a new log.
Let me know how things are now.

0

Think I did all that ok lol

Logfile of HijackThis v1.99.1
Scan saved at 22:25:24, on 17/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AVPersonal\AVSCHED32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Vickie\Desktop\DADA'S Utilities\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSCHED32.EXE /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Fortune Bingo by pogo - http://game4.pogo.com/applet-6.0.4.37/superbingo/superbingo-ob-assets.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aol.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

0

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ad-Aware SE, and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

-

If you have any more problems, post back.

-

Happy surfing,

crunchie.

0

Hello,

I've found this thread very helpful regarding the derbiz problem which I am also trying to get rid of. I followed all of Crunchie's advice but when I got to the Killbox bit I got stuck. This was the log I got from the rkfiles scan in safe mode:

------------------------
C:\WINDOWS\SYSTEM32\Lycos.dll: UPX!
C:\WINDOWS\SYSTEM32\SHAgentNew.dll: UPX!
C:\WINDOWS\SYSTEM32\shawn_1.dll: UPX!
C:\WINDOWS\SYSTEM32\elitedzm32.exe: FSG!
C:\WINDOWS\SYSTEM32\elitelvt32.exe: FSG!
C:\WINDOWS\SYSTEM32\elitesav32.exe: FSG!
C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\SYSTEM32\elitedbt32.exe: PEC2
C:\WINDOWS\SYSTEM32\elitedcm32.exe: PEC2
C:\WINDOWS\SYSTEM32\elitehih32.exe: PEC2
C:\WINDOWS\SYSTEM32\elitehzn32.exe: PEC2
C:\WINDOWS\SYSTEM32\elitesoj32.exe: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\choice.exe: UPX!
Finished
bye

I managed to delete the lycos, SHAgentNew, shawn_1 and choice.exe files but when I tried all of the 'elite' files Killbox said it could not delete them so I pressed the option to delete them on reboot but that didn't work either. I also can not and have never been able to find those elite files in my SYSTEM32 folder and only due to WinPatrol prompts have I been able to see that they were under two different named files of 'temp352' and 'uk_mm'. Everytime Derbiz installs itself I delete the desktop icon and either one of aforementioned files that I find in SYSTEM32.

I should just clarify that before when Derbiz installed itself it would come up as a new program in my main menu hence there was an uninstall option. I would press that, delete the desktop icon and the 'uk_mm' file in SYSTEM32. But recently, after continuously doing scans only the desktop icon appears and the new SYSTEM32 named file of 'temp532'. I usually delete those, bu tit keeps coming back. However, because of reading this thread I can see from the rkfiles scan that the elitedmz32.exe does exist along with alot of others but I just can't find them and Killbox can't delete them.

Here is my current HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 16:20:53, on 12/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\MLH\launcher.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Dolly 1\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedzm32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/uk/win/QuickTimeInstaller.exe
O16 - DPF: {62E57FC5-1CCD-11D7-8344-00C1261173F0} (csXImage Control) - https://help.nochex.com/classifieds/csximage.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38033.4471527778
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC648153-B0E4-4CD9-9683-3B39BE4C7A57}: NameServer = 62.241.162.200 158.43.240.3

Any help or advice would be much appreciated. Thank you in advance!

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.