
Administrative controls taken over, internet connection issues, and pop ups.

Discussion in 'Virus & Other Malware Removal' started by DaveyHux, Sep 21, 2008.

Thread Status:
Not open for further replies.
    DaveyHux (Thread Starter), Sep 21, 2008
    I don't use any spyware protection on my computer, simply because I've never had many problems with computers before, but I've recently been letting people use my computer while I'm away at work. Wednesday, when I got home, my computer had been infected with something from an outside program that was downloaded, but I'm not sure where from.

    First off, there are pop-ups everywhere. They usually have to do with notifications of spyware infection and tell me to download whatever protection; they come up every 30 seconds or so, and there are variations of them.

    Many of my administrative controls seem to have been taken away (on my administrative account), including the task manager. Icons for porn and other strange things are randomly appearing on my desktop and returning when I delete them. To top it all off, my internet is acting very faulty and tends to load a page only when I've refreshed it over and over again.

    I've downloaded SpyBot, as suggested by a friend, to try and get rid of my infection, and it deletes all but a few files. Unfortunately nothing is fixed when I reboot my computer. One of the files SpyBot fails to delete is a folder called privacy_danger.

    I use a Dell Dimension 4500 running Windows XP Home SP3.

    Logfile is as follows:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:33:25 PM, on 9/21/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\Documents and Settings\All Users\Application Data\hytubyxq\zytelity.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
    C:\Program Files\PCHealthCenter\5.exe
    C:\Program Files\MicroAV\MicroAV.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
    O1 - Hosts: game01.us.segaonline.jp
    O2 - BHO: C:\WINDOWS\system32\gjm86akm34.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\gjm86akm34.dll
    O3 - Toolbar: fqbewlna - {F63CB648-B3AB-4001-A96B-324CE8B2F52C} - C:\WINDOWS\fqbewlna.dll (file missing)
    O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O5 "LPT1:" /M "Stylus C86"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NI.UWFX5] "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\M7MNWLW3\WinFixer2005ScannerInstall[1].exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
    O4 - HKLM\..\Run: [d49559cc] rundll32.exe "C:\WINDOWS\system32\hqmweadh.dll",b
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogen.exe
    O4 - HKLM\..\Run: [Cpl32ver] C:\WINDOWS\System32\Cpl32ver.exe
    O4 - HKLM\..\Run: [\YURDB.exe] C:\Windows\system32\YURDB.exe
    O4 - HKLM\..\Run: [\YURDC.exe] C:\Windows\system32\YURDC.exe
    O4 - HKLM\..\Run: [\YURDD.exe] C:\Windows\system32\YURDD.exe
    O4 - HKLM\..\Run: [\YURE1.exe] C:\Windows\system32\YURE1.exe
    O4 - HKLM\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
    O4 - HKLM\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
    O4 - HKLM\..\Run: [\YUR5.exe] C:\Windows\system32\YUR5.exe
    O4 - HKLM\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
    O4 - HKLM\..\Run: [\YUR8.exe] C:\Windows\system32\YUR8.exe
    O4 - HKLM\..\Run: [\YUR1E.exe] C:\Windows\system32\YUR1E.exe
    O4 - HKLM\..\Run: [\YUR1F.exe] C:\Windows\system32\YUR1F.exe
    O4 - HKLM\..\Run: [\YUR20.exe] C:\Windows\system32\YUR20.exe
    O4 - HKLM\..\Run: [\YUR21.exe] C:\Windows\system32\YUR21.exe
    O4 - HKLM\..\Run: [\YUR53.exe] C:\Windows\system32\YUR53.exe
    O4 - HKLM\..\Run: [\YUR54.exe] C:\Windows\system32\YUR54.exe
    O4 - HKLM\..\Run: [\YUR55.exe] C:\Windows\system32\YUR55.exe
    O4 - HKLM\..\Run: [\YUR56.exe] C:\Windows\system32\YUR56.exe
    O4 - HKLM\..\Run: [\YUR5A.exe] C:\Windows\system32\YUR5A.exe
    O4 - HKLM\..\Run: [\YUR1.exe] C:\Windows\system32\YUR1.exe
    O4 - HKLM\..\Run: [\YUR2.exe] C:\Windows\system32\YUR2.exe
    O4 - HKLM\..\Run: [lphc5ncj0ea0a] C:\WINDOWS\system32\lphc5ncj0ea0a.exe
    O4 - HKLM\..\Run: [inrhc1ncj0ea0a] C:\WINDOWS\Temp\.tt15.tmp.exe /CR=34015803198DE9F11EE8495C41DD2D887E4BDF374233F39A82B7392F6C6B2974E2C1626380365A934D90237542FEAFF7318BE3ED5D17AA577B13FFFEE4786FC79E7AA58728EAD3ADF49F7862C462F4B6FCE6EC
    O4 - HKLM\..\Run: [SMrhc1ncj0ea0a] C:\Program Files\rhc1ncj0ea0a\rhc1ncj0ea0a.exe
    O4 - HKLM\..\Run: [\YUR1A.exe] C:\Windows\system32\YUR1A.exe
    O4 - HKLM\..\Run: [\YUR1B.exe] C:\Windows\system32\YUR1B.exe
    O4 - HKLM\..\Run: [\YUR30.exe] C:\Windows\system32\YUR30.exe
    O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
    O4 - HKLM\..\Run: [\YUR31.exe] C:\Windows\system32\YUR31.exe
    O4 - HKLM\..\Run: [\YUR38.exe] C:\Windows\system32\YUR38.exe
    O4 - HKLM\..\Run: [\YUR3A.exe] C:\Windows\system32\YUR3A.exe
    O4 - HKLM\..\Run: [\YUR5E.exe] C:\Windows\system32\YUR5E.exe
    O4 - HKLM\..\Run: [\YUR5D.exe] C:\Windows\system32\YUR5D.exe
    O4 - HKLM\..\Run: [\YUR5F.exe] C:\Windows\system32\YUR5F.exe
    O4 - HKLM\..\Run: [\YUR60.exe] C:\Windows\system32\YUR60.exe
    O4 - HKLM\..\Run: [\YUR64.exe] C:\Windows\system32\YUR64.exe
    O4 - HKLM\..\Run: [\YURC.exe] C:\Windows\system32\YURC.exe
    O4 - HKLM\..\Run: [\YURD.exe] C:\Windows\system32\YURD.exe
    O4 - HKLM\..\Run: [\YURE.exe] C:\Windows\system32\YURE.exe
    O4 - HKLM\..\Run: [\YUR10.exe] C:\Windows\system32\YUR10.exe
    O4 - HKLM\..\Run: [\YUR19.exe] C:\Windows\system32\YUR19.exe
    O4 - HKLM\..\Run: [\YURF.exe] C:\Windows\system32\YURF.exe
    O4 - HKCU\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogen.exe
    O4 - HKCU\..\Run: [\YUR5E.exe] C:\Windows\system32\YUR5E.exe
    O4 - HKCU\..\Run: [\YUR5D.exe] C:\Windows\system32\YUR5D.exe
    O4 - HKCU\..\Run: [\YUR5F.exe] C:\Windows\system32\YUR5F.exe
    O4 - HKCU\..\Run: [\YUR60.exe] C:\Windows\system32\YUR60.exe
    O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Dave\LOCALS~1\Temp\csrssc.exe
    O4 - HKCU\..\Run: [ActSrvCmd] C:\WINDOWS\system32\lkxslitc.exe
    O4 - HKCU\..\Run: [\YUR64.exe] C:\Windows\system32\YUR64.exe
    O4 - HKCU\..\Run: [\YURC.exe] C:\Windows\system32\YURC.exe
    O4 - HKCU\..\Run: [\YURD.exe] C:\Windows\system32\YURD.exe
    O4 - HKCU\..\Run: [\YURE.exe] C:\Windows\system32\YURE.exe
    O4 - HKCU\..\Run: [\YUR10.exe] C:\Windows\system32\YUR10.exe
    O4 - HKCU\..\Run: [\YUR19.exe] C:\Windows\system32\YUR19.exe
    O4 - HKCU\..\Run: [\YURF.exe] C:\Windows\system32\YURF.exe
    O4 - HKLM\..\Policies\Explorer\Run: [kjuaUD8j1A] C:\Documents and Settings\All Users\Application Data\hytubyxq\zytelity.exe
    O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1111141423720
    O16 - DPF: {83EF1847-D835-490B-8D9D-90B2987D66E8} - http://pictures.aolcdn.com/ap/Resources/
    O16 - DPF: {98BFD494-F6AD-4794-9038-832C0654CC43} - http://pak06.pictures.aol.com/ygp/aol/plugin/upf/YGPUPF.en-US.
    O16 - DPF: {A97B2058-825A-4B18-93CE-1483855578D1} - http://pictures.aolcdn.com/ap/Resources/
    O20 - Winlogon Notify: 10 - C:\WINDOWS\system32\10.tmp (file missing)
    O20 - Winlogon Notify: efcYSJaW - efcYSJaW.dll (file missing)
    O20 - Winlogon Notify: iifgHwuu - iifgHwuu.dll (file missing)
    O20 - Winlogon Notify: imod3 - C:\WINDOWS\SYSTEM32\imod3.dll
    O20 - Winlogon Notify: ouvtmk - C:\WINDOWS\SYSTEM32\ouvtmk.dll
    O21 - SSODL: genutil - {6AF517FA-FCCC-CF95-697F-06F3DF06BAFE} - C:\Program Files\gtfadkd\genutil.dll
    O21 - SSODL: dtseqrxk - {2A769463-5DB3-4E7D-A821-A7DA554E57D2} - C:\WINDOWS\dtseqrxk.dll (file missing)
    O21 - SSODL: mgxfebsq - {5D8E6063-44C9-4A49-B1CA-8ED2C1CB3569} - C:\WINDOWS\mgxfebsq.dll (file missing)
    O21 - SSODL: CmdActProc - {6E78581F-1262-E907-14D8-081606BF4CB4} - C:\Program Files\wfjzqdd\CmdActProc.dll
    O22 - SharedTaskScheduler: lksdfj98w3rmsekfnaui3rgfdgf - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\gjm86akm34.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Windows Server IP Verification Service (LSIVS) - Unknown owner - C:\WINDOWS\system32\lsivs.exe
    O23 - Service: Remote Procedure Manager(TPM) (RPCM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Speech\csvde.exe (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    End of file - 10989 bytes
    Help would be very much appreciated.
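A triage pass over a HijackThis log of this kind, added here as an example; it is not part of the original post and not a feature of HijackThis. It parses the F2, O4, O7, O20 and O23 line formats shown above and flags the generic red flags a responder looks for first: an extra executable chained onto UserInit, Run values pointing into a Temp directory, the Policies\Explorer\Run key, regedit/taskmgr lockout policies, services with no owner, random-looking names, and clusters of near-identical Run values. The rule names, the thresholds in looks_random, and the SAMPLE_LOG subset (lines copied from the log above plus three benign ones) are this example's own choices; nothing here identifies a specific malware family, and every hit is a review candidate rather than a verdict.

```python
"""Triage pass over a HijackThis (HJT) log.

Added example for this thread, not part of the original post and not a
feature of HijackThis. Rule names, thresholds and the SAMPLE_LOG subset
are this example's own choices; hits are review candidates, not verdicts.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the log in the post above plus three
# benign ones (QuickTime, Real, ATI) so the script runs offline.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogen.exe
O4 - HKLM\..\Run: [\YURDB.exe] C:\Windows\system32\YURDB.exe
O4 - HKLM\..\Run: [\YURDC.exe] C:\Windows\system32\YURDC.exe
O4 - HKLM\..\Run: [\YUR1E.exe] C:\Windows\system32\YUR1E.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Dave\LOCALS~1\Temp\csrssc.exe
O4 - HKLM\..\Policies\Explorer\Run: [kjuaUD8j1A] C:\Documents and Settings\All Users\Application Data\hytubyxq\zytelity.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: ouvtmk - C:\WINDOWS\SYSTEM32\ouvtmk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Windows Network Data Management System Service (BNDMSS) - Unknown owner - C:\WINDOWS\system32\bndmss.exe
"""

O4_RE = re.compile(r'^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
TEMP_RE = re.compile(r'\\temp\\|\\temporary internet files\\', re.I)
BIN_RE = re.compile(r'[^\\/"\s]+\.(?:exe|dll)', re.I)
VOWELS = set("aeiou")


def looks_random(name):
    """Keyboard-mash heuristic: a consonant run of five, a run of four with
    digits mixed in, or almost no vowels. Thresholds chosen so that names
    like 'realsched' and 'QuickTime Task' stay clean."""
    letters = re.sub(r'[^A-Za-z]', '', name).lower()
    if len(letters) < 4:
        return False
    longest = max((len(r) for r in re.findall(r'[b-df-hj-np-tv-z]+', letters)), default=0)
    has_digit = any(c.isdigit() for c in name)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return longest >= 5 or (longest >= 4 and has_digit) or vowel_ratio < 0.15


def binary_name(cmd):
    """Last .exe/.dll on a command line, without extension, so that a
    rundll32 line yields the DLL rather than rundll32 itself."""
    hits = BIN_RE.findall(cmd)
    return re.sub(r'\.\w+$', '', hits[-1]) if hits else ""


def stem(value_name):
    """Run-value name with its trailing hex suffix removed, so that
    YURDB / YURDC / YUR1E all collapse to 'YUR'."""
    n = re.sub(r'\.\w+$', '', value_name.strip("\\"))
    return re.sub(r'[0-9A-Fa-f]+$', '', n) or n


def triage(log_text):
    """Return [(line, [reasons...])] for every line that trips a rule."""
    entries = [[l.strip(), []] for l in log_text.splitlines() if l.strip()]
    clusters = defaultdict(list)          # stem -> indexes of O4 entries
    for i, (line, reasons) in enumerate(entries):
        if line.startswith("F2 ") and "UserInit=" in line:
            exes = [e for e in line.split("UserInit=", 1)[1].split(",") if e.strip()]
            if len(exes) > 1:              # only userinit.exe belongs here
                reasons.append("userinit-chain")
        if line.startswith("O7 "):         # regedit/taskmgr lockout policies
            reasons.append("policy-lockout")
        if "(file missing)" in line:       # orphaned loader, still needs cleanup
            reasons.append("file-missing")
        if TEMP_RE.search(line):           # persistence from a temp directory
            reasons.append("temp-path")
        m = O4_RE.match(line)
        if m:
            if "Policies\\Explorer\\Run" in m.group("key"):
                reasons.append("policies-run-key")
            if looks_random(m.group("name")) or looks_random(binary_name(m.group("cmd"))):
                reasons.append("random-name")
            clusters[stem(m.group("name"))].append(i)
        m = O20_RE.match(line)
        if m:                              # every Winlogon Notify DLL gets reviewed
            reasons.append("winlogon-notify")
            if looks_random(m.group("name")):
                reasons.append("random-name")
        m = O23_RE.match(line)
        if m:
            if m.group("owner").lower() == "unknown owner":
                reasons.append("unknown-service-owner")
            if looks_random(binary_name(m.group("path"))):
                reasons.append("random-name")
    for idxs in clusters.values():         # dozens of near-identical Run values
        if len(idxs) >= 3:
            for i in idxs:
                entries[i][1].append("mass-registration")
    return [(line, reasons) for line, reasons in entries if reasons]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(", ".join(reasons).ljust(32), line)
```

Run as a script it prints one line per flagged entry; on the sample the QuickTime, Real and ATI lines stay clean and the other ten are flagged. The name heuristic was tuned against only those few benign entries, so on other logs expect false positives (an OEM service reported with "Unknown owner", a legitimately terse filename), and treat every hit as a pointer to something to check on disk and against the vendor rather than as proof of infection.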


Short URL to this thread: https://techguy.org/752112
