please help me i've been hijacked by delwbi


6 replies to this topic

#1 melafefon

melafefon

    Member

  • New Member
  • Pip
  • 4 posts

Posted 20 June 2004 - 09:14 AM

Hey, I've been attacked by this delwbi virus as a result of my stupid roommate who downloaded porn stuff onto my computer. I did erase it, but now I'm stuck with this terrible virus and don't know what to do. It keeps sending me scary messages and slowing down my computer. I'll appreciate your help before it gets worse. Thanks.
PS: I have Windows XP.
PPS: I have some other problems, like my home page keeps changing to my-finder and some porn links are stuck in my favorites, but these problems are not new; I've had them for a couple of months.

Logfile of HijackThis v1.97.7
Scan saved at 15:44:17, on 20/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\smagent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEengine.exe
C:\Program Files\eMule\emule.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\windows\system32\epmcmcwj.exe
C:\Documents and Settings\liat kraus\My Documents\My Received Files\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-finder.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my-finder.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my-finder.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-finder.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-finder.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.bezeqint.net:8080
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CGNOTCHY] c:\windows\system32\cgnotchy.exe /install
O4 - HKLM\..\Run: [AZRTCFRH] c:\windows\system32\azrtcfrh.exe /install
O4 - HKLM\..\Run: [OUWWWPPA] c:\windows\system32\ouwwwppa.exe /install
O4 - HKLM\..\Run: [DJNWSPUV] c:\windows\system32\djnwspuv.exe /install
O4 - HKLM\..\Run: [SDKUNDMO] c:\windows\system32\sdkundmo.exe /install
O4 - HKLM\..\Run: [AGWBHIET] c:\windows\system32\agwbhiet.exe /install
O4 - HKLM\..\Run: [XHTRNPAX] c:\windows\system32\xhtrnpax.exe /install
O4 - HKLM\..\Run: [JIYLNQHY] c:\windows\system32\jiylnqhy.exe /install
O4 - HKLM\..\Run: [EPMCMCWJ] c:\windows\system32\epmcmcwj.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://17.sharedsour...onn_5.2.1.1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co....at/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4152E2BF-DAD6-488D-9489-B4A369AC27DD}: NameServer = 192.115.106.35 192.115.106.31

Edited by melafefon, 24 June 2004 - 01:01 AM.


#2 melafefon

melafefon

    Member

  • New Member
  • Pip
  • 4 posts

Posted 24 June 2004 - 12:54 AM

Can anybody please help me?????????!!!!!!!! I sent this message a week ago and while I'm waiting for a reply my computer is falling apart!!!!!!!! And I really need it for my work. So if you can, please please help me; I will be grateful.

#3 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 24 June 2004 - 05:05 AM

While I know it can be frustrating waiting for help, 3 days is a far cry from a week; nonetheless, let's get you fixed up and back online, shall we?

Please download CWShredder from HERE. DON'T run it yet, but have it ready for when you need it. Please re-download if you already have this. Make sure you have the latest version!
Close everything and run HijackThis, then:
Press Ctrl+Alt+Del and 'End Task' on any of the following that are present:
C:\Program Files\Internet Explorer\IEengine.exe
c:\windows\system32\epmcmcwj.exe

Put a check next to these in hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-finder.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my-finder.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my-finder.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-finder.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-finder.com/index.htm

O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [CGNOTCHY] c:\windows\system32\cgnotchy.exe /install
O4 - HKLM\..\Run: [AZRTCFRH] c:\windows\system32\azrtcfrh.exe /install
O4 - HKLM\..\Run: [OUWWWPPA] c:\windows\system32\ouwwwppa.exe /install
O4 - HKLM\..\Run: [DJNWSPUV] c:\windows\system32\djnwspuv.exe /install
O4 - HKLM\..\Run: [SDKUNDMO] c:\windows\system32\sdkundmo.exe /install
O4 - HKLM\..\Run: [AGWBHIET] c:\windows\system32\agwbhiet.exe /install
O4 - HKLM\..\Run: [XHTRNPAX] c:\windows\system32\xhtrnpax.exe /install
O4 - HKLM\..\Run: [JIYLNQHY] c:\windows\system32\jiylnqhy.exe /install
O4 - HKLM\..\Run: [EPMCMCWJ] c:\windows\system32\epmcmcwj.exe /install
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://17.sharedsour...onn_5.2.1.1.cab
THEN, WITH ALL OTHER WINDOWS CLOSED, press "Fix".

Make sure you are set to Show Hidden Files and Folders and delete the following files/folders:
c:\windows\system32\cgnotchy.exe
c:\windows\system32\azrtcfrh.exe
c:\windows\system32\ouwwwppa.exe
c:\windows\system32\djnwspuv.exe
c:\windows\system32\sdkundmo.exe
c:\windows\system32\agwbhiet.exe
c:\windows\system32\xhtrnpax.exe
c:\windows\system32\jiylnqhy.exe
c:\windows\system32\epmcmcwj.exe
C:\Program Files\Internet Explorer\IEengine.exe

You will have to search for the following files with Start>Search>Files and Folders:
internat.exe
Make sure you delete all instances of the files you find.

Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN Temp, but not Temp itself!):
  • C:\Windows\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <--- This will delete your internet cache, including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
  • Empty your "Recycle Bin"


Immediately close HijackThis (and everything else) and run CWShredder.

Next you'll need to turn off the System Restore. It may have a copy of the virus. This can be done by following the instructions of your OS at http://www.vet.com.a...tem_restore.htm.

Run an online virus scan at Housecall and/or Panda Online. Please note any virus found and report back with new log.

Now turn System Restore back on, then Reboot and post a fresh log back to this thread.
Things you need (all FREE)
Anti-Virus (only one of these)
AVG, Avast
Firewall (only one here too)
Kerio (direct download), Zone Alarm
Misc. (use all 3 together)
IE Spyads, SpywareBlaster, Spyware Guard
Windows Update (once a week)
Get all CRITICAL updates

Things you want (still free)
Mozilla Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

PROUD member Since 2004
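As an added example (not a tool from this thread), here is the triage a helper does by eye on a log like the one above, written as a small Python script: it splits the log into the "Running processes" list and the R/O entry lines, flags IE settings that point at my-finder.com and HKLM Run entries that launch an eight-random-letter executable from system32 with /install, and marks which of those are currently running so they get ended before the fix. The sample log is a trimmed excerpt of the first log in the thread; the `Finding` names and the three heuristics are my own, not anything HijackThis provides.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Added example, not a tool from the thread. Assumptions: the log is plain text with a
# "Running processes:" section followed by R0/R1/O4 lines (the layout posted above).
HIJACK_DOMAINS = ("my-finder.com",)          # domain in the hijacked R0/R1 lines above
ENTRY_PREFIX = re.compile(r"^[RO]\d+ - ")
R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Eight random letters in system32 launched with /install: the pattern repeated in the O4 section.
RANDOM_INSTALLER = re.compile(r"^c:\\windows\\system32\\[a-z]{8}\.exe /install$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str              # "hijacked-ie-setting", "random-installer" or "bare-filename"
    line: str              # the log line verbatim, so it can be ticked in HijackThis
    path: str = ""         # executable launched by an O4 entry, if any
    running: bool = False  # also listed under "Running processes": end task before the fix


def split_sections(log: str) -> tuple[list[str], list[str]]:
    """Return (running process paths, R*/O* entry lines); headers and blanks are dropped."""
    processes, entries, in_procs = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
        elif ENTRY_PREFIX.match(line):
            in_procs = False
            entries.append(line)
        elif in_procs:
            processes.append(line)
    return processes, entries


def exe_path(cmd: str) -> str:
    """Pull the executable out of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(log: str) -> list[Finding]:
    """Apply the three heuristics to every entry line; returns the lines to tick in HijackThis."""
    processes, entries = split_sections(log)
    running = {p.lower() for p in processes}
    findings = []
    for line in entries:
        r = R_LINE.match(line)
        if r:
            if any(d in r.group("value").lower() for d in HIJACK_DOMAINS):
                findings.append(Finding("hijacked-ie-setting", line))
            continue
        o4 = O4_LINE.match(line)
        if not o4:
            continue
        cmd = o4.group("cmd").strip()
        path = exe_path(cmd)
        if RANDOM_INSTALLER.match(cmd):
            kind = "random-installer"
        elif "\\" not in path:
            kind = "bare-filename"   # no directory: which file runs depends on the search path
        else:
            continue                 # nothing suspicious by these rules; a human still reads it
        findings.append(Finding(kind, line, path, path.lower() in running))
    return findings


def kill_first(findings: list[Finding]) -> list[str]:
    """Executables still running that must be ended (Ctrl+Alt+Del) before pressing Fix."""
    return [f.path for f in findings if f.running]


def delete_list(findings: list[Finding]) -> list[str]:
    """Files to remove from disk after the fix: the random-name installers only."""
    return [f.path for f in findings if f.kind == "random-installer"]


# Excerpt of the first log posted in the thread, trimmed to a handful of lines.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Internet Explorer\IEengine.exe
c:\windows\system32\epmcmcwj.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-finder.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CGNOTCHY] c:\windows\system32\cgnotchy.exe /install
O4 - HKLM\..\Run: [EPMCMCWJ] c:\windows\system32\epmcmcwj.exe /install
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
"""
```

Note that IEengine.exe, which the helper also ticked, is caught by neither rule: the script narrows the list, it does not replace reading the whole log.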

#4 melafefon

melafefon

    Member

  • New Member
  • Pip
  • 4 posts

Posted 24 June 2004 - 08:25 AM

Thank you so much for your answer, but unfortunately before I got it I closed my computer, and when I re-opened it the problem multiplied itself!!!!!!!! and has taken over my computer!!!!!!
I'm so sorry to bother you again, but I need you to look at this new logfile. I haven't done any of your suggestions yet because the situation has changed: there are many, many more tasks with random letters and my computer is in a critical condition.
Please go over this logfile again because now it's truly urgent.
Tons of thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 16:04:25, on 24/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\smagent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\cgnotchy.exe
C:\windows\system32\azrtcfrh.exe
C:\windows\system32\sdkundmo.exe
C:\windows\system32\tylhoxdx.exe
C:\windows\system32\gxryneov.exe
C:\windows\system32\nsykyerm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\xdxskhxo.exe
C:\windows\system32\eifbncwb.exe
C:\windows\system32\dsgluzhb.exe
C:\windows\system32\hwafkwfp.exe
C:\windows\system32\paruhpfq.exe
C:\windows\system32\lhawlepo.exe
C:\windows\system32\sntadmsh.exe
C:\windows\system32\qmjgrwxr.exe
C:\windows\system32\tmfdmcpj.exe
C:\windows\system32\jdjrbstm.exe
C:\windows\system32\uhtfaxwl.exe
C:\windows\system32\cvmvihkm.exe
C:\windows\system32\exkngwzk.exe
C:\windows\system32\nacgevrm.exe
C:\windows\system32\ugrjwiqw.exe
C:\windows\system32\yailaaxp.exe
C:\windows\system32\xmfnhhay.exe
C:\windows\system32\syrtnfhz.exe
C:\windows\system32\mgvltmro.exe
C:\windows\system32\zgomconm.exe
C:\windows\system32\anlmjffo.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\liat kraus\My Documents\My Received Files\New Folder\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-finder.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my-finder.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my-finder.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-finder.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-finder.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CGNOTCHY] c:\windows\system32\cgnotchy.exe /install
O4 - HKLM\..\Run: [AZRTCFRH] c:\windows\system32\azrtcfrh.exe /install
O4 - HKLM\..\Run: [SDKUNDMO] c:\windows\system32\sdkundmo.exe /install
O4 - HKLM\..\Run: [AGWBHIET] c:\windows\system32\agwbhiet.exe /install
O4 - HKLM\..\Run: [XHTRNPAX] c:\windows\system32\xhtrnpax.exe /install
O4 - HKLM\..\Run: [JIYLNQHY] c:\windows\system32\jiylnqhy.exe /install
O4 - HKLM\..\Run: [SUQFFNAR] c:\windows\system32\suqffnar.exe /install
O4 - HKLM\..\Run: [TYLHOXDX] c:\windows\system32\tylhoxdx.exe /install
O4 - HKLM\..\Run: [EEDKOEWX] c:\windows\system32\eedkoewx.exe /install
O4 - HKLM\..\Run: [GXRYNEOV] c:\windows\system32\gxryneov.exe /install
O4 - HKLM\..\Run: [NSYKYERM] c:\windows\system32\nsykyerm.exe /install
O4 - HKLM\..\Run: [GLFYTZEZ] c:\windows\system32\glfytzez.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [XDXSKHXO] c:\windows\system32\xdxskhxo.exe /install
O4 - HKLM\..\Run: [EIFBNCWB] c:\windows\system32\eifbncwb.exe /install
O4 - HKLM\..\Run: [DSGLUZHB] c:\windows\system32\dsgluzhb.exe /install
O4 - HKLM\..\Run: [CVAPNHFO] c:\windows\system32\cvapnhfo.exe /install
O4 - HKLM\..\Run: [QDSVPOGE] c:\windows\system32\qdsvpoge.exe /install
O4 - HKLM\..\Run: [SFIHUEYO] c:\windows\system32\sfihueyo.exe /install
O4 - HKLM\..\Run: [HWAFKWFP] c:\windows\system32\hwafkwfp.exe /install
O4 - HKLM\..\Run: [PARUHPFQ] c:\windows\system32\paruhpfq.exe /install
O4 - HKLM\..\Run: [LXHADIRW] c:\windows\system32\lxhadirw.exe /install
O4 - HKLM\..\Run: [RFSIHWCR] c:\windows\system32\rfsihwcr.exe /install
O4 - HKLM\..\Run: [XIMEMWQB] c:\windows\system32\ximemwqb.exe /install
O4 - HKLM\..\Run: [DUJHMBHM] c:\windows\system32\dujhmbhm.exe /install
O4 - HKLM\..\Run: [UYQRENOI] c:\windows\system32\uyqrenoi.exe /install
O4 - HKLM\..\Run: [UXYGCUTR] c:\windows\system32\uxygcutr.exe /install
O4 - HKLM\..\Run: [UXVINGFL] c:\windows\system32\uxvingfl.exe /install
O4 - HKLM\..\Run: [VMYNKCOF] c:\windows\system32\vmynkcof.exe /install
O4 - HKLM\..\Run: [WYCOFDXU] c:\windows\system32\wycofdxu.exe /install
O4 - HKLM\..\Run: [PFQRYZBZ] c:\windows\system32\pfqryzbz.exe /install
O4 - HKLM\..\Run: [LHAWLEPO] c:\windows\system32\lhawlepo.exe /install
O4 - HKLM\..\Run: [ZYHHNDCJ] c:\windows\system32\zyhhndcj.exe /install
O4 - HKLM\..\Run: [EBAOIKRB] c:\windows\system32\ebaoikrb.exe /install
O4 - HKLM\..\Run: [TIIMVEHB] c:\windows\system32\tiimvehb.exe /install
O4 - HKLM\..\Run: [SNTADMSH] c:\windows\system32\sntadmsh.exe /install
O4 - HKLM\..\Run: [YRGWIMOS] c:\windows\system32\yrgwimos.exe /install
O4 - HKLM\..\Run: [HXDFPWRE] c:\windows\system32\hxdfpwre.exe /install
O4 - HKLM\..\Run: [ZQCECMMQ] c:\windows\system32\zqcecmmq.exe /install
O4 - HKLM\..\Run: [MIHAVRAT] c:\windows\system32\mihavrat.exe /install
O4 - HKLM\..\Run: [PCGOZDFY] c:\windows\system32\pcgozdfy.exe /install
O4 - HKLM\..\Run: [AGVSPEOT] c:\windows\system32\agvspeot.exe /install
O4 - HKLM\..\Run: [VFBKEDTI] c:\windows\system32\vfbkedti.exe /install
O4 - HKLM\..\Run: [QMJGRWXR] c:\windows\system32\qmjgrwxr.exe /install
O4 - HKLM\..\Run: [TMFDMCPJ] c:\windows\system32\tmfdmcpj.exe /install
O4 - HKLM\..\Run: [TOLKIJIG] c:\windows\system32\tolkijig.exe /install
O4 - HKLM\..\Run: [GFSPRJDR] c:\windows\system32\gfsprjdr.exe /install
O4 - HKLM\..\Run: [VHOMCFRM] c:\windows\system32\vhomcfrm.exe /install
O4 - HKLM\..\Run: [UMXLNBDM] c:\windows\system32\umxlnbdm.exe /install
O4 - HKLM\..\Run: [QFZMYYYJ] c:\windows\system32\qfzmyyyj.exe /install
O4 - HKLM\..\Run: [KSGOETVE] c:\windows\system32\ksgoetve.exe /install
O4 - HKLM\..\Run: [GIYJBAQO] c:\windows\system32\giyjbaqo.exe /install
O4 - HKLM\..\Run: [IRUVHIRR] c:\windows\system32\iruvhirr.exe /install
O4 - HKLM\..\Run: [JDJRBSTM] c:\windows\system32\jdjrbstm.exe /install
O4 - HKLM\..\Run: [QXUDOGKY] c:\windows\system32\qxudogky.exe /install
O4 - HKLM\..\Run: [FLGDJEOB] c:\windows\system32\flgdjeob.exe /install
O4 - HKLM\..\Run: [HOHPUZRU] c:\windows\system32\hohpuzru.exe /install
O4 - HKLM\..\Run: [SRXNCQNT] c:\windows\system32\srxncqnt.exe /install
O4 - HKLM\..\Run: [EMXZBYJR] c:\windows\system32\emxzbyjr.exe /install
O4 - HKLM\..\Run: [UHTFAXWL] c:\windows\system32\uhtfaxwl.exe /install
O4 - HKLM\..\Run: [RMIAQDSJ] c:\windows\system32\rmiaqdsj.exe /install
O4 - HKLM\..\Run: [CVMVIHKM] c:\windows\system32\cvmvihkm.exe /install
O4 - HKLM\..\Run: [EXKNGWZK] c:\windows\system32\exkngwzk.exe /install
O4 - HKLM\..\Run: [MWOBRDZJ] c:\windows\system32\mwobrdzj.exe /install
O4 - HKLM\..\Run: [PAPAMJWO] c:\windows\system32\papamjwo.exe /install
O4 - HKLM\..\Run: [NACGEVRM] c:\windows\system32\nacgevrm.exe /install
O4 - HKLM\..\Run: [PSPDZBJM] c:\windows\system32\pspdzbjm.exe /install
O4 - HKLM\..\Run: [TOMYJJVG] c:\windows\system32\tomyjjvg.exe /install
O4 - HKLM\..\Run: [UGRJWIQW] c:\windows\system32\ugrjwiqw.exe /install
O4 - HKLM\..\Run: [UQYHDQKT] c:\windows\system32\uqyhdqkt.exe /install
O4 - HKLM\..\Run: [YAILAAXP] c:\windows\system32\yailaaxp.exe /install
O4 - HKLM\..\Run: [XMFNHHAY] c:\windows\system32\xmfnhhay.exe /install
O4 - HKLM\..\Run: [FRZHIVZP] c:\windows\system32\frzhivzp.exe /install
O4 - HKLM\..\Run: [HRRBKQFP] c:\windows\system32\hrrbkqfp.exe /install
O4 - HKLM\..\Run: [UROFKHRH] c:\windows\system32\urofkhrh.exe /install
O4 - HKLM\..\Run: [SYRTNFHZ] c:\windows\system32\syrtnfhz.exe /install
O4 - HKLM\..\Run: [CDBDGXIR] c:\windows\system32\cdbdgxir.exe /install
O4 - HKLM\..\Run: [KMAMOJHO] c:\windows\system32\kmamojho.exe /install
O4 - HKLM\..\Run: [MGVLTMRO] c:\windows\system32\mgvltmro.exe /install
O4 - HKLM\..\Run: [ZGOMCONM] c:\windows\system32\zgomconm.exe /install
O4 - HKLM\..\Run: [ANLMJFFO] c:\windows\system32\anlmjffo.exe /install
O4 - HKLM\..\Run: [GWGNBEDD] c:\windows\system32\gwgnbedd.exe /install
O4 - HKLM\..\Run: [FDOABDAR] c:\windows\system32\fdoabdar.exe /install
O4 - HKLM\..\Run: [CUWUHARH] c:\windows\system32\cuwuharh.exe /install
O4 - HKLM\..\Run: [FVOMBKNJ] c:\windows\system32\fvombknj.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://17.sharedsour...onn_5.2.1.1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co....at/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4152E2BF-DAD6-488D-9489-B4A369AC27DD}: NameServer = 192.115.106.35 192.115.106.31

#5 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 26 June 2004 - 02:21 PM

Run CWShredder if you haven't already.

Do you have a Restore Point from before this disaster?
Start->All Programs->Accessories->System Tools->System Restore.
Tick "Restore my computer to an earlier time", then click Next and look at the calendar for available Restore Points.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#6 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 26 June 2004 - 09:50 PM

First I want to thank cnm for the follow-up for you; I've been having some very bad connection problems for the past few days.

In addition to running CWShredder, let's do a couple more things to get your log a little more "manageable".

Most of those O4 entries in your log are virus/trojan related, so again it's imperative to run an online virus scan at Housecall and/or Panda Online.

Now download Ad-Aware at http://www.lavasoftu...pport/download/
After installing AAW, and before running the program, FIRST update the reference file following these instructions.
- On the main Ad-Aware screen hit "Check for Updates", then hit the 'Connect' key; it will connect, check, and then ask if you want to download the latest reference files (if any are available); accept. Once downloaded, hit "Finish" (green checkmark).

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys. Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

Go here to download Spybot S&D. Install Spybot, close all other windows and run it. ALWAYS use the "Search for updates" button when you first open Spybot. Let Spybot download and install any updates it finds. Now you are ready to click the "Check for problems" button. Let Spybot fix any entries marked in RED.

After ALL of the above post a new Hijack this log back to this thread.

#7 melafefon

melafefon

    Member

  • New Member
  • Pip
  • 4 posts

Posted 28 June 2004 - 12:16 PM

Thank you so much for your help, my computer is a lot better now.
I hope I've terminated all my problems, but just to make sure I'm sending you my new log file. Thanks again.
PS:
The only thing that still bothers me, though, is that when I open my Windows Task Manager and look at the performance, the CPU usage keeps jumping from 0% to very high numbers. Is this a bad sign of something or not?

Logfile of HijackThis v1.97.7
Scan saved at 18:46:52, on 28/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\smagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Ahead\Nero\nero.exe
C:\Documents and Settings\liat kraus\My Documents\My Received Files\New Folder\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co....at/launcher.cab
