Win Min at turn off.

Question

Taelia 0 Newbie Poster

18 Years Ago

In my newbishness i posted this on the wrong board..well this time in the right one i assume.

Can anyone help me out? I have probbly gotten onto a wrong site when off to download Anti-Virus programs for my new computer, this one. As a result i got infected by over 50 virusses. Now most of them were trojans, so after completely reinstalling Windows with boot floppys (immediately after starting up my comp kept resetting itself..) and downlaoding lots of anti virus, this was pretty much te only problem remaining.
Oh, and my IExplorer homepage keep setting itself to something i dont want. Win Min seems to be some sort of Spyware, and the programs i have (AVG, ZoneLabs, Spybot and Adaware) dont seem to be able to find it.

Now, even though i have quite some experience with computers, i think i can better let this be handled by the experts.
Can anyone inform me on what to run and such?

windows-virus

4 Contributors
11 Replies
238 Views
6 Days Discussion Span
Latest Post 18 Years Ago Latest Post by swatkat

All 11 Replies

mikeandike22 18 Nearly a Posting Virtuoso

18 Years Ago

post a hijackthis log, also download trojan hunter.

swatkat 14 Practically a Master Poster

18 Years Ago

Hi,
Download Ewido and install it. Then run, you will receive a warning message saying "Database not found", click "OK" for this. Next in the main screen, click "Update" and click "Start Update". After the update process, click on the "Scanner" button in the left menu, then click on the "Start" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK. When the scan finishes, click on "Save Report". This will create a text file.

After this, perform an online virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log it gives after the scan.

Download HijackThis and unzip it to dedicated folder (like C:\HijackThisFolder\hijackthis.exe).
Then run it and click the button Do a System scan and save log file. HijackThis will perform a scan and saves the log file as hijackthis.log in the same folder where it is installed and it also opens the file automatically.
Copy the entire contents of the file and post it here along Ewido and Panda ActiveScan logs.

swatkat 14 Practically a Master Poster

18 Years Ago

Hi,

Make Windows to show all files:-
Go to Start > My Computer.
Go to Tools menu, click Folder Options (Folder Option will be in View Menu in Win98).
Uncheck Hide protected operating system files.
Then, click to select the option Show hidden files and folders.
Click Apply and then click OK to exit.

Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that will be displayed, out of which choose Safe Mode and press Enter.

Uninstall this Software from Add/Remove Programs in Control Panel:-
WareOut

Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wind-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://wind-find4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wind-find4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://wind-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://wind-find4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {44CCE727-C303-EFCC-F77F-37B668BD0076} - progmen.dll (file missing)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [aiswoqcf] C:\WINDOWS\System32\aiswoqcf.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20081\services.exe
O4 - HKLM\..\Run: [dmqbp.exe] C:\WINDOWS\System32\dmqbp.exe
O4 - HKLM\..\Run: [utsgmon] InpriseMon.exe
O4 - HKLM\..\Run: [ATLIEHELPER] vxdman.exe
O4 - HKLM\..\RunServices: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKCU\..\Run: [klyfitj] c:\windows\cbenryq.exe
O4 - HKCU\..\Run: [aiswoqcf] C:\WINDOWS\System32\aiswoqcf.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [aavfgqh] c:\windows\cbenryq.exe
O4 - HKCU\..\Run: [backd] Uint32.exe
O4 - HKCU\..\Run: [SysEntry] jopplerg.exe
O4 - HKCU\..\Run: [bingo9] CToolBar.exe
O4 - HKCU\..\Run: [mwuaddm] c:\windows\cbenryq.exe
O4 - HKCU\..\Run: [qvivukr] c:\windows\nvntmxm.exe
O4 - HKCU\..\Run: [bfaqfij] c:\windows\nvntmxm.exe
O4 - HKCU\..\Run: [xvmmubc] c:\windows\nvntmxm.exe
O4 - HKCU\..\Run: [caseoiu] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [cuuharl] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [buillia] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [asnyjpt] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [nuxtrky] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [pijfmib] c:\windows\qyvibhp.exe
O4 - HKCU\..\Run: [gedlwxy] c:\windows\qyvibhp.exe
O4 - HKCU\..\Run: [joyneck] c:\windows\qyvibhp.exe
O4 - HKCU\..\Run: [pwaqumx] c:\windows\rumcjks.exe
O4 - HKCU\..\Run: [ydsmsva] c:\windows\rumcjks.exe
O4 - HKCU\..\Run: [tjrojqp] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [jyaghvf] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [dbwshnb] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [lejyjdh] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [bpqhjxs] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [axxevli] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [xrficyo] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [pctbjmc] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [kmuttfn] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [psepmtn] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [gegueib] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [yvnnjhk] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [wytpxuc] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [ygplhbi] c:\windows\xiyiblv.exe
O4 - HKCU\..\Run: [vrjfrtq] c:\windows\xiyiblv.exe
O4 - HKCU\..\Run: [ljxcwdv] c:\windows\xiyiblv.exe
O4 - HKCU\..\Run: [odmrctu] c:\windows\uigrjpq.exe
O4 - HKCU\..\Run: [nfkbnfh] c:\windows\uigrjpq.exe
O4 - HKCU\..\Run: [ybwqyui] c:\windows\uigrjpq.exe
O4 - HKCU\..\Run: [gfhnmid] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [hsnproi] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [hpdmhmo] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [pqpglhm] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [hceihmm] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [kqtsbvk] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [luookav] c:\windows\hssxtax.exe
O4 - HKCU\..\Run: [xjefqgl] c:\windows\ikjnsqq.exe
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O21 - SSODL: System - {F29EEB94-0931-4476-9C00-1B3B666C670F} - vr_sys.dll (file missing)

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.

Delete these files:-
c:\windows\cbenryq.exe
c:\windows\nvntmxm.exe
c:\windows\ptbolnw.exe
c:\windows\qyvibhp.exe
c:\windows\rumcjks.exe
c:\windows\twpyojv.exe
c:\windows\xiyiblv.exe
c:\windows\uigrjpq.exe
c:\windows\sykxcat.exe
c:\windows\hssxtax.exe
c:\windows\ikjnsqq.exe
C:\WINDOWS\System32\aiswoqcf.exe
C:\WINDOWS\System32\dmqbp.exe
C:\WINDOWS\System32\aiswoqcf.exe
C:\WINDOWS\System32\symcsvc.exe
C:\WINDOWS\system32\desktop.exe
C:\WINDOWS\SYSTEM32\nwprovau.dll
C:\WINDOWS\inet20081\services.exe

Delete this folder:-
C:\Program Files\WareOut
C:\WINDOWS\inet20081

Go to Start > Search. Here click "All files and folders" in the left pane. Next, click on "More advanced options". Here select the options "Search system folders", "Search hidden files and folders" and "Search subfolders". Next, type/copy the below mentioned filenames and search for it, if you find it, right-click on it and click delete:-
InpriseMon.exe
vxdman.exe
Uint32.exe
jopplerg.exe
CToolBar.exe
vr_sys.dll

Reboot to Normal Mode. Run HijackThis again, click Do a System scan and save log, and post the fresh log.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Taelia 0 Newbie Poster · Answer 1 · 2005-08-29T04:32:11+00:00

After some computer maintenance and merging my C and D drive together, i eventaully was able to get back with this. Ive ran the three programs, thus here the reports in the order Hijackthis, Panda and last ewido. I have noticed only now that the report is made in Dutch..i hope that is not a problem.

Logfile of HijackThis v1.99.1
Scan saved at 0:27:58, on 29-8-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\aiswoqcf.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wind-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://wind-find4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wind-find4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://wind-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://wind-find4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {44CCE727-C303-EFCC-F77F-37B668BD0076} - progmen.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [aiswoqcf] C:\WINDOWS\System32\aiswoqcf.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20081\services.exe
O4 - HKLM\..\Run: [dmqbp.exe] C:\WINDOWS\System32\dmqbp.exe
O4 - HKLM\..\Run: [utsgmon] InpriseMon.exe
O4 - HKLM\..\Run: [ATLIEHELPER] vxdman.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\RunServices: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [klyfitj] c:\windows\cbenryq.exe
O4 - HKCU\..\Run: [aiswoqcf] C:\WINDOWS\System32\aiswoqcf.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [aavfgqh] c:\windows\cbenryq.exe
O4 - HKCU\..\Run: [backd] Uint32.exe
O4 - HKCU\..\Run: [SysEntry] jopplerg.exe
O4 - HKCU\..\Run: [bingo9] CToolBar.exe
O4 - HKCU\..\Run: [mwuaddm] c:\windows\cbenryq.exe
O4 - HKCU\..\Run: [qvivukr] c:\windows\nvntmxm.exe
O4 - HKCU\..\Run: [bfaqfij] c:\windows\nvntmxm.exe
O4 - HKCU\..\Run: [xvmmubc] c:\windows\nvntmxm.exe
O4 - HKCU\..\Run: [caseoiu] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [cuuharl] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [buillia] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [asnyjpt] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [nuxtrky] c:\windows\ptbolnw.exe
O4 - HKCU\..\Run: [pijfmib] c:\windows\qyvibhp.exe
O4 - HKCU\..\Run: [gedlwxy] c:\windows\qyvibhp.exe
O4 - HKCU\..\Run: [joyneck] c:\windows\qyvibhp.exe
O4 - HKCU\..\Run: [pwaqumx] c:\windows\rumcjks.exe
O4 - HKCU\..\Run: [ydsmsva] c:\windows\rumcjks.exe
O4 - HKCU\..\Run: [tjrojqp] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [jyaghvf] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [dbwshnb] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [lejyjdh] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [bpqhjxs] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [axxevli] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [xrficyo] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [pctbjmc] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [kmuttfn] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [psepmtn] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [gegueib] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [yvnnjhk] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [wytpxuc] c:\windows\twpyojv.exe
O4 - HKCU\..\Run: [ygplhbi] c:\windows\xiyiblv.exe
O4 - HKCU\..\Run: [vrjfrtq] c:\windows\xiyiblv.exe
O4 - HKCU\..\Run: [ljxcwdv] c:\windows\xiyiblv.exe
O4 - HKCU\..\Run: [odmrctu] c:\windows\uigrjpq.exe
O4 - HKCU\..\Run: [nfkbnfh] c:\windows\uigrjpq.exe
O4 - HKCU\..\Run: [ybwqyui] c:\windows\uigrjpq.exe
O4 - HKCU\..\Run: [gfhnmid] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [hsnproi] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [hpdmhmo] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [pqpglhm] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [hceihmm] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [kqtsbvk] c:\windows\sykxcat.exe
O4 - HKCU\..\Run: [luookav] c:\windows\hssxtax.exe
O4 - HKCU\..\Run: [xjefqgl] c:\windows\ikjnsqq.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125171625827
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125176828493
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{364D60F9-A71A-410B-BDA8-6CBC86508EF8}: NameServer = 195.95.218.18,85.255.112.11
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O21 - SSODL: System - {F29EEB94-0931-4476-9C00-1B3B666C670F} - vr_sys.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Incident                      Status                        Location
Spyware:spyware/wareout       No disinfected                C:\Documents and Settings\Mickey\Application Data\wo.tmp
Adware:adware/findspy         No disinfected                C:\Documents and Settings\Mickey\Favorieten\ Free Spy Cam - Realtime.url
Adware:adware/psguard         No disinfected                C:\Documents and Settings\Mickey\Local Settings\Temp\PSGuardInstall.exe
Spyware:Spyware/ISTBar        No disinfected                C:\RECYCLER\S-1-5-21-682003330-1606980848-854245398-1000\Dc11.php
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\axuuxae.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\cbenryq.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\ciigirj.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\drvcvqe.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\egqceng.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\nvntmxm.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\ptbolnw.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\qyvibhp.exe
Adware:adware/sbsoft          No disinfected                C:\WINDOWS\rdt.ini
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\rumcjks.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\sykxcat.exe
Adware:Adware/CWS.Searchmeup  No disinfected                C:\WINDOWS\SYSTEM32\aiswoqcf.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\SYSTEM32\wmwoqtej.exe
Possible Virus.               No disinfected                C:\WINDOWS\SYSTEM32\__delete_on_reboot__desktop.dll
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\twpyojv.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\uigrjpq.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\vibxfbo.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\xiyiblv.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\xnpbcly.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\hssxtax.exe
Adware:Adware/Startpage.AFV   No disinfected                C:\WINDOWS\ikjnsqq.exe


---------------------------------------------------------
ewido security suite - Scan rapport
---------------------------------------------------------
+ Gemaakt op:           23:44:16, 28-8-2005
+ Rapport samenvatting:     9A415A50
+ Scan resultaten:
[256] C:\WINDOWS\system32\desktop.dll -> TrojanProxy.Small.cq : Fout gedurende het schoonmake
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2567IJ87\me_7[1].dat -> TrojanProxy.Small.cq : Schoongemaakt met een backup
:mozilla.10:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Schoongemaakt met een backup
:mozilla.11:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Schoongemaakt met een backup
:mozilla.12:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Adjuggler : Schoongemaakt met een backup
:mozilla.22:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Atdmt : Schoongemaakt met een backup
:mozilla.37:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Schoongemaakt met een backup
:mozilla.46:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.47:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.48:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.49:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.50:C:\Documents and Settings\Mickey\Application Data\Mozilla\Firefox\Profiles\243prtbl.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
C:\Documents and Settings\Mickey\Cookies\mickey@paypopup[1].txt -> Spyware.Cookie.Paypopup : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\cisje.dll -> Spyware.SBSoft : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\desktop.exe -> TrojanProxy.Small.cq : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\latest.exe -> Trojan.Crypt.i : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\l_____e.exe -> TrojanProxy.Small.cq : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\~update.exe -> Trojan.Crypt.i : Schoongemaakt met een backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__desktop.dll -> TrojanProxy.Small.cq : Schoongemaakt met een backup

::Einde rapport

Taelia 0 Newbie Poster · Answer 2 · 2005-08-31T16:19:59+00:00

I have rebooted in Safe Mode with all files shows, however, three quarters of the list on the bottom of your last post werent there, the inet20081 map was completely empty, the WareOut map was not there and couldnt be found in the add/remove list either, and the nwprovau.dll was unable to remove as it was used by windows.

Logfile of HijackThis v1.99.1
Scan saved at 12:29:35, on 31-8-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\windows\utbkfgk.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wind-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://wind-find4u.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://wind-find4u.com/
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [xjhidvf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [nxjecra] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [udrlpmk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [bbmoxyi] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [enuufre] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xoxvrgq] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [emspdrf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yfsxwri] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [mcpjtvv] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jyxqqdn] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qxtdaoe] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [vmwqjth] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [pefnljj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qgympvk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [lirqvrx] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [vryhyxr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dcgusij] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [kxcphlf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xqpvrbj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [poflijl] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [rcsvfqp] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [fvhwklt] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [hniscxe] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [aiowdnp] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wyosirj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [hpadwic] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qcrsuif] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [flxsaqm] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dtweidr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [pkiwjku] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yncacub] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [ohtuopk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [onsmgje] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wrsdogs] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xtxnieg] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [lvopfpa] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [gugbvmc] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [ivgcxsd] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yjyhcdy] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jhdqfro] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qrdjosa] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [rvbmpjh] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [cxvmcxf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wudnlnr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [bchejhc] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dcwvpfv] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wxlvddn] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jilfogm] c:\windows\utbkfgk.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125171625827
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125176828493
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{364D60F9-A71A-410B-BDA8-6CBC86508EF8}: NameServer = 195.95.218.18,85.255.112.11
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

swatkat 14 Practically a Master Poster · Answer 3 · 2005-09-01T01:45:33+00:00

Hi,
There are still more things to be removed. Can you perform an online virus scan at TrendMicro HouseCall with the "Auto Clean" option enabled, and post back the results of this scan.

Also, perform a spyware scan at TrendMicro Spyware Scan and save its result.

Post back the results of both HouseCall and Spyware scan, and also a fresh HijackThis log.

Taelia 0 Newbie Poster · Answer 4 · 2005-09-02T20:02:36+00:00

Had to go away a while, back now.
This is all the log i could find for the virusscan.

Virus Scan No virus detected

Results:
We have detected 0 infected file(s) with 0 virus(es) on your computer. Only 0 out of 0 infected files are displayed.
Detected File Associated Virus Name

Trojan/Worm Check No worm/Trojan horse detected
What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed.
Trojan/Worm Name Trojan/Worm Type

Spyware Check
What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 0 spyware(s) on your computer. Only 0 out of 0 spywares are displayed.
Spyware Name Spyware Type

Microsoft Vulnerability Check
What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 0 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix

The Spyware check gave no possibility to save results at all, a far as i saw, so that leaves me with HJT:

Logfile of HijackThis v1.99.1
Scan saved at 16:03:37, on 2-9-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wind-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://wind-find4u.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://wind-find4u.com/
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [xjhidvf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [nxjecra] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [udrlpmk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [bbmoxyi] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [enuufre] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xoxvrgq] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [emspdrf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yfsxwri] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [mcpjtvv] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jyxqqdn] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qxtdaoe] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [vmwqjth] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [pefnljj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qgympvk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [lirqvrx] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [vryhyxr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dcgusij] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [kxcphlf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xqpvrbj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [poflijl] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [rcsvfqp] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [fvhwklt] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [hniscxe] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [aiowdnp] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wyosirj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [hpadwic] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qcrsuif] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [flxsaqm] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dtweidr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [pkiwjku] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yncacub] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [ohtuopk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [onsmgje] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wrsdogs] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xtxnieg] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [lvopfpa] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [gugbvmc] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [ivgcxsd] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yjyhcdy] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jhdqfro] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qrdjosa] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [rvbmpjh] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [cxvmcxf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wudnlnr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [bchejhc] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dcwvpfv] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wxlvddn] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jilfogm] c:\windows\utbkfgk.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125171625827
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125176828493
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{364D60F9-A71A-410B-BDA8-6CBC86508EF8}: NameServer = 195.95.218.18,85.255.112.11
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

ddtredskull 0 Newbie Poster · Answer 5 · 2005-09-02T23:33:10+00:00

[[i]Edited by swatkat - Hi, your help is welcome, but please refrain from posting incomplete and/or incorrect procedure or fix[/i]]

swatkat 14 Practically a Master Poster · Answer 6 · 2005-09-03T00:17:12+00:00

Hi,

Download CWShredder.

Open NotePad, and copy the contents of below mentioned "Code" box:-

cd %windir%
attrib -s -r -h utbkfgk.exe
del utbkfgk.exe
cd system32
attrib -s -r -h desktop.exe
del desktop.exe

Go to File Menu > Save As and type the filename as Remove.BAT and save the file. Exit from NotePad.

Boot in safe mode, and run HijackThis and select these entries:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wind-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://wind-find4u.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://wind-find4u.com/
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\system32\desktop.exe
O4 - HKCU\..\Run: [xjhidvf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [nxjecra] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [udrlpmk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [bbmoxyi] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [enuufre] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xoxvrgq] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [emspdrf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yfsxwri] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [mcpjtvv] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jyxqqdn] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qxtdaoe] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [vmwqjth] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [pefnljj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qgympvk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [lirqvrx] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [vryhyxr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dcgusij] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [kxcphlf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xqpvrbj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [poflijl] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [rcsvfqp] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [fvhwklt] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [hniscxe] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [aiowdnp] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wyosirj] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [hpadwic] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qcrsuif] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [flxsaqm] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dtweidr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [pkiwjku] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yncacub] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [ohtuopk] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [onsmgje] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wrsdogs] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [xtxnieg] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [lvopfpa] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [gugbvmc] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [ivgcxsd] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [yjyhcdy] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jhdqfro] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [qrdjosa] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [rvbmpjh] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [cxvmcxf] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wudnlnr] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [bchejhc] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [dcwvpfv] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [wxlvddn] c:\windows\utbkfgk.exe
O4 - HKCU\..\Run: [jilfogm] c:\windows\utbkfgk.exe

Close all other programs, and click "Fix Checked" in HijackThis.

Double-click on the file Remove.bat, a DOS type window should open and close by itself.

Run [/b]CWShredder[/b], and click "Fix".

Reboot to Normal Mode, and run HijackThis again and post a fresh log.

Taelia 0 Newbie Poster · Answer 7 · 2005-09-03T19:53:56+00:00

I already figured to remove it, it looked pretty suspicous, but, as HJT is pretty aggressive, Id just wait till you said me to, who knows whatcould happen. Anyway, fresh JT log, this looks fine now to me.

Logfile of HijackThis v1.99.1
Scan saved at 15:54:52, on 3-9-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis\HijackThis.exe
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125171625827
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125176828493
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

swatkat 14 Practically a Master Poster · Answer 8 · 2005-09-04T02:08:47+00:00

Hi,
Log looks clean :D If you have any problems regarding this spyware, please post back.

Win Min at turn off.

Recommended Answers Collapse Answers

All 11 Replies

Recommended Answers