Jump to content


Photo

Wtoolsa and variants appearing :(


  • This topic is locked This topic is locked
5 replies to this topic

#1 phylum_sinter

phylum_sinter

    Member

  • New Member
  • Pip
  • 3 posts

Posted 24 July 2004 - 03:54 AM

Hello Kind Folks,

I found your forums by googling Wtools... it appears i'm not the only one having difficulty removing this annoying process. I'm also a bit leary on a process called jqiguh.exe ... it's using 11.2mb of memory and i don't recall it being there before. Please help!

I've already ran Spybot and Ad-aware. Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 4:43:14 AM, on 7/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\sfpsvr.exe
C:\WINDOWS\System32\gmhrap.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\WINDOWS\System32\jqiguh.exe
C:\WINDOWS\System32\asyivas.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Christopher Todd\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metafilter.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48AD6F56-9B10-5596-8320-125505AE2E1A} - C:\WINDOWS\System32\hkvivas.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Christopher Todd\Local Settings\Temp\mjFBl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
O4 - HKLM\..\Run: [QyRQ] C:\documents and settings\christopher todd\local settings\temp\QyRQ.exe
O4 - HKLM\..\Run: [rgdudmuvw] C:\WINDOWS\System32\gmhrap.exe
O4 - HKLM\..\Run: [fv] C:\documents and settings\christopher todd\local settings\temp\fv.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Rydo84k.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [x32U3mj] appnstnt.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [Wusa] C:\WINDOWS\System32\jqiguh.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [g0t8RgH9g] asyivas.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8144.1859027778
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter...00/SYSsfitb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab

Many thanks for your assistance :)

#2 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 24 July 2004 - 08:43 AM

Hi, phylum sinter,
Not only do you have WinTools, but you also have the Peper Trojan.

Enable the “Show Hidden Folders” option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck the Hide Protected Operating System Files (recommended) option.
Click Yes to confirm.
Click OK.

Download the Peper Fix here:http://www.subratam.org/?page=removal.
Make sure you are connected to the net and run it.
If asked by your firewall for permission to access the net, please grant permission.
Reboot and run it a second time while connected to the net.

Reboot.

Open Task Manager (Ctrl+Alt+Delete) close as many of the Wintools processes that you can see listed such as:
WToolsA.exe
WToolsS.exe
WSup.exe

Then go to Add/Remove Programs and remove Wintools.

Reboot into Safemode this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Search for these and delete them if they still exist:
C:\WINDOWS\System32\SWin32.dll <-file
C:\Program Files\Common Files\WinTools\WToolsA.exe <-Wintools folder with file
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll <-Wintools folder with file

Reboot normally.

Run Adaware and Spybot.

Then do an online virus scan: Housecall: http://www.trendmicr.../enterprise.htm

Reboot normally.

Please post a new HijackThis log so we can continue with cleanup. Thanks.

Edited by Bugbatter, 24 July 2004 - 08:44 AM.

Microsoft MVP - Consumer Security

#3 phylum_sinter

phylum_sinter

    Member

  • New Member
  • Pip
  • 3 posts

Posted 24 July 2004 - 05:30 PM

Hello Bugbatter,

I've done as you've instructed.

The Peper fix found no infected files.
Wintools was removed without hassle, and left no files or folders to manually delete.
Ad-aware found no new malware.
Spybot found 5 entries of one type that were removed, i can't remember the name.
Housecall found two files with a variation of the name 'Alchemic'. They were unfixable, and deleted.

Here is my latest HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 6:25:59 PM, on 7/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\sfpsvr.exe
C:\documents and settings\christopher todd\local settings\temp\QyRQ.exe
C:\WINDOWS\System32\gmhrap.exe
C:\documents and settings\christopher todd\local settings\temp\fv.exe
C:\WINDOWS\System32\appnstnt.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\WINDOWS\System32\jqiguh.exe
C:\WINDOWS\System32\asyivas.exe
C:\Documents and Settings\Christopher Todd\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metafilter.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48AD6F56-9B10-5596-8320-125505AE2E1A} - C:\WINDOWS\System32\hkvivas.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Christopher Todd\Local Settings\Temp\I2jOEAE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
O4 - HKLM\..\Run: [QyRQ] C:\documents and settings\christopher todd\local settings\temp\QyRQ.exe
O4 - HKLM\..\Run: [rgdudmuvw] C:\WINDOWS\System32\gmhrap.exe
O4 - HKLM\..\Run: [fv] C:\documents and settings\christopher todd\local settings\temp\fv.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Rydo84k.exe
O4 - HKLM\..\Run: [x32U3mj] appnstnt.exe
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [Wusa] C:\WINDOWS\System32\jqiguh.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [g0t8RgH9g] asyivas.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8144.1859027778
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter...00/SYSsfitb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab

Thanks for your help so far :)

#4 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 24 July 2004 - 09:29 PM

The Peper Trojan is still in your log along with all its files.:gasp:
Try Peper Fix again according to the specific instructions.
**Note:To complete each stage of the Peper removal you need to REBOOT to clear the Peper infection each time you run the tool, or the infection will remain.

If it does not find it, download Trojan Hunter. It will tell you where the bad files are so that you can delete them. Download a free trial version of TrojanHunter here: http://www.trojanhunter.com/
If that does not work, we'll just have to take out what we can see so far. :hmmm:

Reboot.

Please download an updated (version 1.98) HJT.
Download HijackThis to its own permanent folder.
http://www.spywarein.../HijackThis.exe
If that link is not working, extract from http://www.downloads.../hijackthis.zip
To create a folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have C:\HJT\ folder.
Double-click on the .exe to scan.
Please post a HijackThis log.. After Scan, the Scan button changes to Save Log. Click that, save it somewhere. Do Ctrl-A to Select all, and then copy and paste it here.
There is plenty there that still needs to come out!

Edited by Bugbatter, 24 July 2004 - 10:38 PM.

Microsoft MVP - Consumer Security

#5 phylum_sinter

phylum_sinter

    Member

  • New Member
  • Pip
  • 3 posts

Posted 25 July 2004 - 09:11 PM

Bugbatter,

I've downloaded the latest HijackThis and Trojanhunter.
Trojanhunter did find one definite trojan and two possible entries. I deleted the definite one.

Here's my latest HijackThis Log:

Logfile of HijackThis v1.98.0
Scan saved at 10:00:35 PM, on 7/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Documents and Settings\Christopher Todd\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metafilter.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48AD6F56-9B10-5596-8320-125505AE2E1A} - C:\WINDOWS\System32\hkvivas.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Christopher Todd\Local Settings\Temp\m.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
O4 - HKLM\..\Run: [QyRQ] C:\documents and settings\christopher todd\local settings\temp\QyRQ.exe
O4 - HKLM\..\Run: [rgdudmuvw] C:\WINDOWS\System32\gmhrap.exe
O4 - HKLM\..\Run: [fv] C:\documents and settings\christopher todd\local settings\temp\fv.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Rydo84k.exe
O4 - HKLM\..\Run: [x32U3mj] appnstnt.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [Wusa] C:\WINDOWS\System32\jqiguh.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [g0t8RgH9g] asyivas.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter...00/SYSsfitb.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab

I wish i could figure out just where/how these things got in my system. Thanks so much for your continued help.

#6 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 26 July 2004 - 12:24 PM

Good work! It is nice to know that we are making progress.
Don't forget: HJT needs to be in a folder of its own where it can save backups. If want to keep it on your desktop, do this:
Rightclick on an empty space on your desktop and choose New > Folder
Name it HijackThis (HJT, or whatever)
Rightclick HijackThis.exe, choose Cut.
Doubleclick (to open) the folder you created.
Rightclick inside and choose Paste.

Close these in Task Manager (Ctrl+Alt+Delete) IF listed:
sfpsvr.exe
QyRQ.exe
appnstnt.exe
jqiguh.exe
asyivas.exe
ms.exe (or "MAXSPEED")



Open HJT and tick to fix these entries:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {48AD6F56-9B10-5596-8320-125505AE2E1A} - C:\WINDOWS\System32\hkvivas.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Christopher Todd\Local Settings\Temp\I2jOEAE.dll
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
O4 - HKLM\..\Run: [QyRQ] C:\documents and settings\christopher todd\local settings\temp\QyRQ.exe
O4 - HKLM\..\Run: [rgdudmuvw] C:\WINDOWS\System32\gmhrap.exe
O4 - HKLM\..\Run: [fv] C:\documents and settings\christopher todd\local settings\temp\fv.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Rydo84k.exe
O4 - HKLM\..\Run: [x32U3mj] appnstnt.exe
O4 - HKCU\..\Run: [Wusa] C:\WINDOWS\System32\jqiguh.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [g0t8RgH9g] asyivas.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter.com/pop_shooter/insta...00/SYSsfitb.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


Reboot into Safemode this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Search for these files and delete them:
C:\WINDOWS\System32\hkvivas.dll <-file
C:\Documents and Settings\Christopher Todd\Local Settings\Temp\I2jOEAE.dll <-file
C:\WINDOWS\system32\sfpsvr.exe <-file
C:\documents and settings\christopher todd\local settings\temp\QyRQ.exe <-file
C:\WINDOWS\System32\gmhrap.exe <-file
C:\documents and settings\christopher todd\local settings\temp\fv.exe <-file
C:\WINDOWS\System32\dp-him.exe <-file
C:\WINDOWS\System32\Rydo84k.exe <-file
C:\WINDOWS\System32\jqiguh.exe <-file
C:\Program Files\DR_S\DR_S.exe <-folder and file
C:\WINDOWS\System32\ms.exe <-file


Reboot.
Empty your Temporary Internet Files and history in Internet Options. And clean out your
%Userprofile%\Local Settings\Temp (must be done for all XP users)

OR: Use the Disk Cleanup Utility to empty all your Temp folders

After something like this it is a good idea to purge the Restore Points and start fresh.
To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)

Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

Please post a fresh log for review, and let me know if the problems are gone. Thanks!

Edited by Bugbatter, 26 July 2004 - 12:37 PM.

Microsoft MVP - Consumer Security




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button