09-Jul-2006, 11:21 AM
#16
OK, so here is the Activescan log:

Incident Status Location
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\khfggdd.dll
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\khatri\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/windowenhancer Not disinfected c:\windows\system32\SBUtils
Adware:adware/wupd Not disinfected c:\program files\MediaGateway
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:adware/sidesearch Not disinfected Windows Registry
Adware:adware/comet Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\khatri\Cookies\khatri@atdmt[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\khatri\Cookies\khatri@doubleclick[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\khatri\Cookies\khatri@stats1.reliablestats[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\khatri\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\khatri\Local Settings\Temporary Internet Files\Content.IE5\JN9CKQQ2\SysProtectScannerInstall[1].exe
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\khatri\Local Settings\Temporary Internet Files\Content.IE5\PA706BZ8\WinAntiVirusPro2006FreeInstall[1].exe
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\LocalService\Cookies\system@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\LocalService\Cookies\system@888[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\LocalService\Cookies\system@cassava[1].txt
Adware:Adware/DollarRevenue Not disinfected C:\lmh12.exe[DWINSTALL329.bat]
Adware:Adware/Maxifiles Not disinfected C:\lmh12.exe[mc-110-12-0000216.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\lmh12.exe[mmx0wn3.exe]
Adware:Adware/DollarRevenue Not disinfected C:\lmh12.exe[drsmartload408a.exe]
Adware:Adware/DollarRevenue Not disinfected C:\shine.exe[DWINSTALL329.bat]
Adware:Adware/Maxifiles Not disinfected C:\shine.exe[mc-110-12-0000216.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\shine.exe[mmx0wn3.exe]
Adware:Adware/DollarRevenue Not disinfected C:\shine.exe[drsmartload408a.exe]
Adware:Adware/CommAd Not disinfected C:\WINDOWS\a2hhdHJp\uZ11xJLD.vbs
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\DWINSTALL329.bat
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\RESTORE.INS[C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\system\RESTORE.INS[C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE]
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gebxxxy.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nnnnoop.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\opnkkhf.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\WINDOWS\system32\stera.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\yaywtts.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\yayxwus.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\yayxxuu.dll

Cheers
Phil

09-Jul-2006, 11:28 AM
#17
And finally, the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 11:19:01, on 09/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\TClock\TClock.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sllights.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows AntiVirus] yrxhijfwscx.exe
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [kxm8fbbd] RUNDLL32.EXE w0057584.dll,n 0018fbbc0000000a0057584
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [Microsoft Windows AntiVirus] yrxhijfwscx.exe
O4 - HKLM\..\RunServices: [Windows Recylinder Check] mclgnyeoqj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Pldo] "C:\PROGRA~1\PPATCH~1\msconfig.exe" -vt yazr
O4 - HKCU\..\Run: [Ihdz] C:\DOCUME~1\khatri\APPLIC~1\SSTEM~1\RNDLL~1.EXE
O4 - HKCU\..\Run: [rmkw] C:\PROGRA~1\COMMON~1\rmkw\rmkwm.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1147983702001
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151692057018
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: antivirus - Unknown owner - C:\WINDOWS\antivirusguard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Additional information:
Just for additional information, after running the Ewido scan, Windows started to report an error loading the file w0057584.dll at start-up, stating that "the specified module could not be found". I don't know whether this is a genuine Windows file that has been infected and therefore quarantined, or whether it belonged to one of the malware apps that have not yet been removed. Also, I am still getting pop-ups trying to install Winantivirus Pro 2006 and Sysprotect.

Thanks again for your help
Phil

10-Jul-2006, 01:34 AM
#18
* Click here to download KillBox. Save it to your desktop. DO NOT run it yet.

Download and run VundoFix: http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Please post the contents of C:\vundofix.txt and a new HijackThis log.

10-Jul-2006, 03:05 PM
#19
OK, another job done and logs below:

vundofix

VundoFix V5.1.1
Running as SYSTEM from c:\windows\system32\VundoFix.exe
Checking Java version...
Java version is 1.5.0.3
Scan started at 18:47:38 10/07/2006
Listing files found while scanning....
C:\windows\system32\byxyawt.dll
C:\windows\system32\efcbaby.dll
C:\windows\system32\gebcbby.dll
C:\windows\system32\gebxxxy.dll
C:\windows\system32\iifcaba.dll
C:\windows\system32\iifdayy.dll
C:\windows\system32\khfggdd.dll
C:\windows\system32\ljjgfca.dll
C:\windows\system32\mljjhgd.dll
C:\windows\system32\nnnnoop.dll
C:\windows\system32\opnkkhf.dll
C:\windows\system32\opnligh.dll
C:\windows\system32\rqrqnoo.dll
C:\windows\system32\rqrqpqr.dll
C:\windows\system32\ssqqoom.dll
C:\windows\system32\ssqqrqo.dll
C:\windows\system32\tuvuvsq.dll
C:\windows\system32\urqnn.dll
C:\windows\system32\nnqru.ini
C:\windows\system32\nnqru.bak2
C:\windows\system32\nnqru.ini2
C:\windows\system32\nnqru.tmp
C:\windows\system32\wvusrrr.dll
C:\windows\system32\yaywtts.dll
C:\windows\system32\yayxwus.dll
C:\windows\system32\yayxxuu.dll
Beginning removal...
The process smss.exe was successfully stopped
The process winlogon.exe was successfully stopped
The process explorer.exe was successfully stopped
The process iexplore.exe was successfully stopped
The process rundll32.exe was successfully stopped
Attempting to delete C:\windows\system32\byxyawt.dll
C:\windows\system32\byxyawt.dll Has been deleted!
Attempting to delete C:\windows\system32\efcbaby.dll
C:\windows\system32\efcbaby.dll Has been deleted!
Attempting to delete C:\windows\system32\gebcbby.dll
C:\windows\system32\gebcbby.dll Has been deleted!
Attempting to delete C:\windows\system32\gebxxxy.dll
C:\windows\system32\gebxxxy.dll Has been deleted!
Attempting to delete C:\windows\system32\iifcaba.dll
C:\windows\system32\iifcaba.dll Has been deleted!
Attempting to delete C:\windows\system32\iifdayy.dll
C:\windows\system32\iifdayy.dll Has been deleted!
Attempting to delete C:\windows\system32\khfggdd.dll
C:\windows\system32\khfggdd.dll Has been deleted!
Attempting to delete C:\windows\system32\ljjgfca.dll
C:\windows\system32\ljjgfca.dll Has been deleted!
Attempting to delete C:\windows\system32\mljjhgd.dll
C:\windows\system32\mljjhgd.dll Has been deleted!
Attempting to delete C:\windows\system32\nnnnoop.dll
C:\windows\system32\nnnnoop.dll Has been deleted!
Attempting to delete C:\windows\system32\opnkkhf.dll
C:\windows\system32\opnkkhf.dll Has been deleted!
Attempting to delete C:\windows\system32\opnligh.dll
C:\windows\system32\opnligh.dll Has been deleted!
Attempting to delete C:\windows\system32\rqrqnoo.dll
C:\windows\system32\rqrqnoo.dll Has been deleted!
Attempting to delete C:\windows\system32\rqrqpqr.dll
C:\windows\system32\rqrqpqr.dll Has been deleted!
Attempting to delete C:\windows\system32\ssqqoom.dll
C:\windows\system32\ssqqoom.dll Has been deleted!
Attempting to delete C:\windows\system32\ssqqrqo.dll
C:\windows\system32\ssqqrqo.dll Has been deleted!
Attempting to delete C:\windows\system32\tuvuvsq.dll
C:\windows\system32\tuvuvsq.dll Has been deleted!
Attempting to delete C:\windows\system32\urqnn.dll
C:\windows\system32\urqnn.dll Has been deleted!
Attempting to delete C:\windows\system32\nnqru.ini
C:\windows\system32\nnqru.ini Has been deleted!
Attempting to delete C:\windows\system32\nnqru.bak2
C:\windows\system32\nnqru.bak2 Has been deleted!
Attempting to delete C:\windows\system32\nnqru.ini2
C:\windows\system32\nnqru.ini2 Has been deleted!
Attempting to delete C:\windows\system32\nnqru.tmp
C:\windows\system32\nnqru.tmp Has been deleted!
Attempting to delete C:\windows\system32\wvusrrr.dll
C:\windows\system32\wvusrrr.dll Has been deleted!
Attempting to delete C:\windows\system32\yaywtts.dll
C:\windows\system32\yaywtts.dll Has been deleted!
Attempting to delete C:\windows\system32\yayxwus.dll
C:\windows\system32\yayxwus.dll Has been deleted!
Attempting to delete C:\windows\system32\yayxxuu.dll
C:\windows\system32\yayxxuu.dll Has been deleted!
Performing Repairs to the registry.
Done!

hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 18:58:07, on 10/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\sllights.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\khfggdd.dll (file missing)
O2 - BHO: (no name) - {DD8E4C55-280A-43DB-83B3-484E36EA43AC} - C:\WINDOWS\System32\urqnn.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows AntiVirus] yrxhijfwscx.exe
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [kxm8fbbd] RUNDLL32.EXE w0057584.dll,n 0018fbbc0000000a0057584
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [PCguard] C:\Program Files\blueyonder\PCguard\Rps.exe
O4 - HKLM\..\RunServices: [Microsoft Windows AntiVirus] yrxhijfwscx.exe
O4 - HKLM\..\RunServices: [Windows Recylinder Check] mclgnyeoqj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Pldo] "C:\PROGRA~1\PPATCH~1\msconfig.exe" -vt yazr
O4 - HKCU\..\Run: [Ihdz] C:\DOCUME~1\khatri\APPLIC~1\SSTEM~1\RNDLL~1.EXE
O4 - HKCU\..\Run: [rmkw] C:\PROGRA~1\COMMON~1\rmkw\rmkwm.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1147983702001
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151692057018
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: antivirus - Unknown owner - C:\WINDOWS\antivirusguard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Cheers
Phil

10-Jul-2006, 06:02 PM
#20
Rescan with Hijack This. Close all browser windows except Hijack This. Put a check mark beside these entries and click "Fix Checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\khfggdd.dll (file missing)
O2 - BHO: (no name) - {DD8E4C55-280A-43DB-83B3-484E36EA43AC} - C:\WINDOWS\System32\urqnn.dll (file missing)
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Microsoft Windows AntiVirus] yrxhijfwscx.exe
O4 - HKLM\..\Run: [kxm8fbbd] RUNDLL32.EXE w0057584.dll,n 0018fbbc0000000a0057584
O4 - HKLM\..\RunServices: [Microsoft Windows AntiVirus] yrxhijfwscx.exe
O4 - HKLM\..\RunServices: [Windows Recylinder Check] mclgnyeoqj.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [Pldo] "C:\PROGRA~1\PPATCH~1\msconfig.exe" -vt yazr
O4 - HKCU\..\Run: [Ihdz] C:\DOCUME~1\khatri\APPLIC~1\SSTEM~1\RNDLL~1.EXE
O4 - HKCU\..\Run: [rmkw] C:\PROGRA~1\COMMON~1\rmkw\rmkwm.exe
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM

Close Hijack This and boot into Safe Mode.

* Double click on Killbox.exe to run it. Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

C:\Program Files\SpywareBot\
C:\WINDOWS\system32\yrxhijfwscx.exe
C:\WINDOWS\system32\w0057584.dll
C:\WINDOWS\system32\mclgnyeoqj.exe
C:\PROGRAM FILES\PPATCH~1\
C:\DOCUMENTS AND SETTINGS\khatri\APPLICATION DATA\SSTEM~1\
C:\PROGRAM FILES\COMMON FILES\rmkw\rmkwm.exe
C:\Documents and Settings\khatri\Local Settings\Temporary Internet Files\Ssk.log
c:\program files\MediaGateway
C:\lmh12.exe
C:\shine.exe
C:\WINDOWS\a2hhdHJp\
C:\WINDOWS\DWINSTALL329.bat
C:\WINDOWS\system32\stera.exe
C:\Program Files\ToolBar888\

Click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box. Killbox may tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Next in Killbox go to Tools > Delete Temp Files. In the window that pops up, put a check by ALL the options there except these three:
XP Prefetch
Recent
History
Now click the Delete Selected Temp Files button. Exit the Killbox.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.

Reboot, post a new Hijack This log.

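An added example, not code from this thread or from HijackThis: a small Python triage script that encodes the kinds of entries the helper picked out above (autoruns that name a bare file or load a DLL through RUNDLL32, autoruns living in a user's Application Data folder, a system utility name such as msconfig.exe outside the Windows directory, BHOs and services marked "(file missing)", and search settings left at about:blank). The sample log is constructed from lines posted in this thread plus a few clean entries, and the rules are this example's own heuristics, not HijackThis's classification.

```python
"""Triage a HijackThis v1.99 log and flag the entry types a helper
would ask the poster to "Fix checked". Heuristics are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines lifted from the logs posted in this thread,
# plus a few clean entries that the rules must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\khfggdd.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows AntiVirus] yrxhijfwscx.exe
O4 - HKLM\..\Run: [kxm8fbbd] RUNDLL32.EXE w0057584.dll,n 0018fbbc0000000a0057584
O4 - HKLM\..\RunServices: [Windows Recylinder Check] mclgnyeoqj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Pldo] "C:\PROGRA~1\PPATCH~1\msconfig.exe" -vt yazr
O4 - HKCU\..\Run: [Ihdz] C:\DOCUME~1\khatri\APPLIC~1\SSTEM~1\RNDLL~1.EXE
O23 - Service: antivirus - Unknown owner - C:\WINDOWS\antivirusguard.exe (file missing)
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag such as "O4"
    name: str      # autorun value name, BHO/service name, or IE setting name
    reason: str


SECTION_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Windows utility names malware borrows; genuine copies live under the Windows directory.
SYSTEM_UTILITIES = {"msconfig.exe", "rundll32.exe", "svchost.exe", "explorer.exe"}
USER_DATA_DIRS = ("application data", "applic~1", "local settings\\temp", "locals~1\\temp")


def _executable(cmd: str) -> str:
    """Program part of an autorun command: the quoted path, or the first word."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def check_o4(cmd: str) -> Optional[str]:
    """Reason an O4 autorun command deserves attention, or None if it looks ordinary."""
    target = _executable(cmd)
    if target.lower() == "rundll32.exe":
        # "rundll32 module.dll,Entry": the module is what matters, not rundll32 itself.
        target = cmd[len(target):].strip().split(",", 1)[0].strip()
    low = target.lower()
    if "\\" not in target:
        return f"bare file name {target!r}: resolved through the search path at logon"
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_UTILITIES and "\\windows\\" not in low and "\\winnt\\" not in low:
        return f"{base} launched from outside the Windows directory"
    if any(d in low for d in USER_DATA_DIRS):
        return "autorun points into a user profile data directory"
    return None


def check_other(section: str, body: str) -> Optional[str]:
    """Checks for the R0/R1 browser settings and the O2/O3/O23 object entries."""
    if section in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if key.endswith(("Search Bar", "Search Page", "SearchAssistant")) and value.strip() == "about:blank":
            return "search setting left as about:blank (residue of a hijacker)"
    elif section in ("O2", "O3", "O23"):
        if body.endswith("(file missing)"):
            return "entry refers to a file that no longer exists"
        if section == "O23" and " - Unknown owner - " in body:
            return "service with no recorded vendor"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a whole log; process-list and header lines carry no section tag and are skipped."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            o4 = O4_RE.match(line)
            if not o4:
                continue  # "Global Startup" entries use a different layout
            _, _, name, cmd = o4.groups()
            reason = check_o4(cmd)
        else:
            head = body.split(" - ")[0]  # "BHO: (no name)", "Service: antivirus", or the registry value
            name = head.split(": ", 1)[-1].split(" = ")[0].rsplit(",", 1)[-1]
            reason = check_other(section, body)
        if reason:
            findings.append(Finding(section, name, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<28} {f.reason}")
```

On the sample above the script flags exactly the entries the helper listed for "Fix Checked" (the about:blank search bar, the orphaned BHO, the two bare-name autoruns, the RUNDLL32 loader, Pldo, Ihdz and the ownerless service) and leaves the QuickTime, ctfmon, toolbar and PCguard entries alone.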
10-Jul-2006, 07:05 PM
#21
Yet another job done, along with the associated Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 22:51:47, on 10/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\sllights.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\blueyonder\PCguard\PrtlAgt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [PCguard] C:\Program Files\blueyonder\PCguard\Rps.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1147983702001
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151692057018
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: antivirus - Unknown owner - C:\WINDOWS\antivirusguard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Cheers
Phil

10-Jul-2006, 09:52 PM
#22
Fix this entry as well:

O23 - Service: antivirus - Unknown owner - C:\WINDOWS\antivirusguard.exe (file missing)

How are things now?

11-Jul-2006, 03:13 AM
#23
Well, it looked OK when I connected the computer briefly to the internet - no pop-ups, etc. But there is still a shortcut in the control panel to Win antivirus Pro 2006 that doesn't seem to want to go. Also, there is still an entry in the Hijack file that concerns me:

O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s

Is this a genuine app or do we have more work?

Cheers
Phil

11-Jul-2006, 01:59 PM
#24
You can fix that one. It's most likely dodgy.

Are you able to remove the shortcut in Safe Mode?

11-Jul-2006, 02:24 PM
#26
Use Hijack This to fix the entry. Then delete this folder:

C:\Program Files\Repair Registry Pro

Run Hijack This and click Open the Misc Tools section. Click Open Uninstall Manager > Save list and save the log to your Desktop. A list of programs will open in Notepad. Post the contents of this log.

11-Jul-2006, 02:53 PM
#27
OK, I have fixed the entry, but the folder does not exist (I have temporarily set Explorer to show all hidden / system files and it still doesn't show). Maybe we caught the app earlier. Anyway, here is the log file:

Ad-Aware SE Personal
BlueSoleil
blueyonder Instant Support Tool
blueyonder PCguard
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Image Clip Palette
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESDX3800 User's Guide
ewido anti-spyware 4.0
FinePixViewer Ver.4.0
FUJIFILM USB Driver
Hijackthis 1.99.1
HijackThis 1.99.1
ImageMixer VCD for FinePix
J2SE Runtime Environment 5.0 Update 3
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Word 2002
Microsoft XML Parser and SDK
Nero Media Player
Nero OEM
NeroVision Express 2
Panda ActiveScan
PCguard advisor 1.3.22
PIF DESIGNER
PowerDVD
RAW FILE CONVERTER LE
Spybot - Search & Destroy 1.4
VERITAS RecordNow DX
Windows Driver Package - MSN (usbccgp) USB (04/19/2006 1.1.0.2)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817606
Windows XP Service Pack 1a

Just a thought: a problem I intend to sort later is the fact that the system keeps trying to install Word 2002 (it used to be on but was incorrectly uninstalled by someone else). Can I use this feature of HJT to get rid of any remaining files, etc.?

Cheers
Phil

11-Jul-2006, 03:58 PM
#28
Have you tried just uninstalling Microsoft Word 2002 from Add/Remove Programs?

11-Jul-2006, 04:15 PM
#29
It isn't listed and the Word 2000 folder has gone - it's just that the Windows Installer dialog keeps popping up and trying to install it every time you switch on and every time you try to do anything else, but of course the app is not there to install and the owner does not have the install disks. Anyway, that's not a priority right now; I just noticed the options in HJT and thought I would ask the question for later on, when we're sure the virus / spyware problems are all sorted.

Cheers
Phil

11-Jul-2006, 09:47 PM
#30
Odd, because it shows in the Uninstall log. You can delete that entry from the Uninstall Manager using Hijack This.

Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.