a massave heap of adware

[gwsmyda]

First, a little info about my system:

Have Internet explorer
Use Firefox

eTrust EZ Armor as a virus scanner
also using spybot, adaware, spyware doctor, and spyware blaster

My problem:

a few weeks ago i started getting tons of adware on my computer, so i ran AdAware... it removed about 1000 items, the other ones removed some too. i was so happy that i had cleaned up my computer, and turn it off.
The next morning, i turn it back on, and EVERY SINGLE program is back. i ran adaware, spybot, doctor, and all those other good programs again, and it gets rid of all of them, but they all come back when the computer is started.

i have used The Ultimate Troubleshooter to get the programs off of the startup list. they come right back on.

my friend said something about viral adware, so i ran the virus scanner and it found about 90 trojans, gets rid of all but 13, but the adware keeps coming back.

Here are some of the processes that are running: abasa5jrp, qcdwedd, ciodm844, EbatesMoeMoneyMaker1, abqfdddp

any help would be greatly appreciated

[bigz]

You more than likely need to boot into safemode to do your virus scans and adware/spyware!

Also how does one get some much spyware (use bad hacking sites / porn) is it from bad browsing habits or what...?

I have a brother that does stupid stuff like that and i always end up putting in a floppy that contains boot n Nuke .... (a linux-based disk wipe utility totally free and on sourceforge.net)

[rightcoast]

You should clean your unessesary temp files with ccleaner
http://www.ccleaner.com/

Then do the online trojan scans from trendmicro and panda, use IE to do them.
http://housecall.trendmicro.com/
http://www.pandasoftware.com/actives..._principal.htm


Then be sure all your spyware scans are fully up to date. Antivirus app too.
Turn off system restore.
Right click "my computer" on the desktop
choose properties>systemrestore
disable system restore

then reboot, go into safe mode by pressing f8 repeatedly on bootup.

scan with everything you have, in safe mode.

That is basically a condensed version of this guide:
http://forums.majorgeeks.com/showthread.php?t=35407

[gwsmyda]

ill do that right now (ive been in safe mode alot lately)

any ideas on why it keeps coming back?

[pam123]

It keeps coming back because really up to date adware/spyware now comes with reinstall routines that dig deep into windows registry.
So like the guys said, dump all temp files and turn off System Restore and make sure all your adware/spyware removal programs are fully updated.
Downloading and running HijackThis is the next step, see the sticky for instructions and the link to download the program.

[gwsmyda]

Logfile of HijackThis v1.99.1
Scan saved at 8:52:01 PM, on 3/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\kmimvr.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\Garry\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {F04D969C-035B-2DA5-7F2D-0AC2C85F4692} - C:\WINDOWS\system32\lblwlh.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [fscuch] c:\windows\system32\fscuch.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [x22ohiyx] C:\Program Files\x22ohiyx\x22ohiyx.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\system32\netsync.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitedcg32.exe
O4 - HKLM\..\Run: [7fdeece4b6df] C:\WINDOWS\system32\ciodm844.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\system32\pacis.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [nqurc] C:\WINDOWS\system32\fbhwavrx\nqurc.exe
O4 - HKLM\..\Run: [tdgsrmd] C:\WINDOWS\system32\qbqu\tdgsrmd.exe
O4 - HKLM\..\Run: [acrb] C:\WINDOWS\system32\yfvwrb\acrb.exe
O4 - HKLM\..\Run: [oqajj] C:\WINDOWS\system32\apgmn\oqajj.exe
O4 - HKLM\..\Run: [xntjmslq] C:\WINDOWS\system32\ypqwmy\xntjmslq.exe
O4 - HKLM\..\Run: [koptn] C:\WINDOWS\system32\lmyorhe\koptn.exe
O4 - HKLM\..\Run: [lokyra] C:\WINDOWS\system32\gowgiqnt\lokyra.exe
O4 - HKLM\..\Run: [owdmaacl] C:\WINDOWS\system32\sdmncu\owdmaacl.exe
O4 - HKLM\..\Run: [lnply] C:\WINDOWS\system32\pfcx\lnply.exe
O4 - HKLM\..\Run: [sragdeec] C:\WINDOWS\system32\likcrj\sragdeec.exe
O4 - HKLM\..\Run: [hujyxy] C:\WINDOWS\system32\hssgpae\hujyxy.exe
O4 - HKLM\..\Run: [hsevket] C:\WINDOWS\system32\cqleja\hsevket.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\xmymdqw.exe
O4 - HKLM\..\Run: [skyhn] C:\DOCUME~1\Bethany\LOCALS~1\Temp\rtie.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [fydk] C:\WINDOWS\system32\mmer\fydk.exe
O4 - HKLM\..\Run: [itemkm] C:\WINDOWS\system32\bcnfj\itemkm.exe
O4 - HKLM\..\Run: [hysqs] C:\WINDOWS\system32\iijyq\hysqs.exe
O4 - HKLM\..\Run: [abqfdddp] C:\WINDOWS\system32\vvtf\abqfdddp.exe
O4 - HKLM\..\Run: [rksakov] C:\WINDOWS\system32\jdpwpc\rksakov.exe
O4 - HKLM\..\Run: [jtvoykqc] C:\WINDOWS\system32\vttivau\jtvoykqc.exe
O4 - HKLM\..\Run: [yurpfpwg] C:\WINDOWS\system32\cwbdtw\yurpfpwg.exe
O4 - HKLM\..\Run: [xviol] C:\WINDOWS\system32\knwppr\xviol.exe
O4 - HKLM\..\Run: [kplpnc] C:\WINDOWS\system32\mggagtyt\kplpnc.exe
O4 - HKLM\..\Run: [pbfu] C:\WINDOWS\system32\hnsr\pbfu.exe
O4 - HKLM\..\Run: [jgwtme] C:\WINDOWS\system32\yxpqqy\jgwtme.exe
O4 - HKLM\..\Run: [bfjdld] C:\WINDOWS\system32\btcd\bfjdld.exe
O4 - HKLM\..\Run: [aoetf] C:\WINDOWS\system32\qryohnil\aoetf.exe
O4 - HKLM\..\Run: [qhjvuae] C:\WINDOWS\system32\hcopjhw\qhjvuae.exe
O4 - HKLM\..\Run: [xbgsys] C:\WINDOWS\system32\aidmj\xbgsys.exe
O4 - HKLM\..\Run: [qiofsgy] C:\WINDOWS\system32\gduunb\qiofsgy.exe
O4 - HKLM\..\Run: [vdrg] C:\WINDOWS\system32\ntsbb\vdrg.exe
O4 - HKLM\..\Run: [xflknfhr] C:\WINDOWS\system32\okiev\xflknfhr.exe
O4 - HKLM\..\Run: [qynchwb] C:\WINDOWS\system32\pvvaps\qynchwb.exe
O4 - HKLM\..\Run: [vhnmk] C:\WINDOWS\system32\mekyuxnl\vhnmk.exe
O4 - HKLM\..\Run: [lursew] C:\WINDOWS\system32\kmubrb\lursew.exe
O4 - HKLM\..\Run: [hafx] C:\WINDOWS\system32\ucmj\hafx.exe
O4 - HKLM\..\Run: [gcynqni] C:\WINDOWS\system32\nvpa\gcynqni.exe
O4 - HKLM\..\Run: [aopc] C:\WINDOWS\system32\sxlvomcv\aopc.exe
O4 - HKLM\..\Run: [uhwpj] C:\WINDOWS\system32\khmrxj\uhwpj.exe
O4 - HKLM\..\Run: [uikxtw] C:\WINDOWS\system32\hbkdeg\uikxtw.exe
O4 - HKLM\..\Run: [aewy] C:\WINDOWS\system32\bxov\aewy.exe
O4 - HKLM\..\Run: [fwinl] C:\WINDOWS\system32\byvyhayj\fwinl.exe
O4 - HKLM\..\Run: [cdedb] C:\WINDOWS\system32\iikfqt\cdedb.exe
O4 - HKLM\..\Run: [xyrfrqwd] C:\WINDOWS\system32\gbndxvxc\xyrfrqwd.exe
O4 - HKLM\..\Run: [khlyal] C:\WINDOWS\system32\lkcmj\khlyal.exe
O4 - HKLM\..\Run: [orkr] C:\WINDOWS\system32\tiwivgj\orkr.exe
O4 - HKLM\..\Run: [eqjt] C:\WINDOWS\system32\yroprx\eqjt.exe
O4 - HKLM\..\Run: [asnrfqdq] C:\WINDOWS\system32\ycpihec\asnrfqdq.exe
O4 - HKLM\..\Run: [hlaj] C:\WINDOWS\system32\pgeavi\hlaj.exe
O4 - HKLM\..\Run: [qcdwedd] C:\WINDOWS\system32\deyhhj\qcdwedd.exe
O4 - HKLM\..\Run: [imnhd] C:\WINDOWS\system32\jivqftu\imnhd.exe
O4 - HKLM\..\Run: [abxacq] C:\WINDOWS\system32\rmeksd\abxacq.exe
O4 - HKLM\..\Run: [xrtufgbq] C:\WINDOWS\system32\tyyjrvbh\xrtufgbq.exe
O4 - HKLM\..\Run: [xjknwuw] C:\WINDOWS\system32\pdryffd\xjknwuw.exe
O4 - HKLM\..\Run: [ahuw] C:\WINDOWS\system32\owsr\ahuw.exe
O4 - HKLM\..\Run: [yrhlh] C:\WINDOWS\system32\abike\yrhlh.exe
O4 - HKLM\..\Run: [qyiaun] C:\WINDOWS\system32\mlmjmg\qyiaun.exe
O4 - HKLM\..\Run: [vflvr] C:\WINDOWS\system32\ydnetk\vflvr.exe
O4 - HKLM\..\Run: [cxlpn] C:\WINDOWS\system32\yudwqhch\cxlpn.exe
O4 - HKLM\..\Run: [tiwyksmb] C:\WINDOWS\system32\ssoxpdge\tiwyksmb.exe
O4 - HKLM\..\Run: [cwxtrhq] C:\WINDOWS\system32\jiueic\cwxtrhq.exe
O4 - HKLM\..\Run: [gmtkniwl] C:\WINDOWS\system32\mvsqje\gmtkniwl.exe
O4 - HKLM\..\Run: [sfvw] C:\WINDOWS\system32\fruno\sfvw.exe
O4 - HKLM\..\Run: [mxnmmer] C:\WINDOWS\system32\lpssvxyx\mxnmmer.exe
O4 - HKLM\..\Run: [kanj] C:\WINDOWS\system32\fmmjge\kanj.exe
O4 - HKLM\..\Run: [lcgyf] C:\WINDOWS\system32\bibkncw\lcgyf.exe
O4 - HKLM\..\Run: [oudq] C:\WINDOWS\system32\ivnnrou\oudq.exe
O4 - HKLM\..\Run: [uxme] C:\WINDOWS\system32\hqlana\uxme.exe
O4 - HKLM\..\Run: [C:\WINDOWS\mmiyoqkiyi.exe] C:\WINDOWS\mmiyoqkiyi.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kmimvr.exe
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\system32\abasa5jrp.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [rsnO3qe] lbldmod.exe
O4 - HKLM\..\RunOnce: [HcTSC] C:\WINDOWS\TSC.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [Tfapvhgi] C:\WINDOWS\system32\?hkdsk.exe
O4 - HKCU\..\Run: [aB4ERkK5R] jkdadu.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101165995953
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0011.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0004.exe
O23 - Service: abxacqrmeksd - Unknown owner - C:\WINDOWS\system32\rmeksd\abxacq.exe
O23 - Service: acrbyfvwrb - Unknown owner - C:\WINDOWS\system32\yfvwrb\acrb.exe
O23 - Service: asnrfqdqycpihec - Unknown owner - C:\WINDOWS\system32\ycpihec\asnrfqdq.exe
O23 - Service: hsevketcqleja - Unknown owner - C:\WINDOWS\system32\cqleja\hsevket.exe
O23 - Service: imnhdjivqftu - Unknown owner - C:\WINDOWS\system32\jivqftu\imnhd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: itemkmbcnfj - Unknown owner - C:\WINDOWS\system32\bcnfj\itemkm.exe
O23 - Service: jgwtmeyxpqqy - Unknown owner - C:\WINDOWS\system32\yxpqqy\jgwtme.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: kplpncmggagtyt - Unknown owner - C:\WINDOWS\system32\mggagtyt\kplpnc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: qynchwbpvvaps - Unknown owner - C:\WINDOWS\system32\pvvaps\qynchwb.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: sragdeeclikcrj - Unknown owner - C:\WINDOWS\system32\likcrj\sragdeec.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: tdgsrmdqbqu - Unknown owner - C:\WINDOWS\system32\qbqu\tdgsrmd.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

[Lobos]

Ok looking over your log now
i'll have something in about 15 minutes

this may take a couple of tries just to let you know

Lobos

[Bud Light]

I ran into some wicked spyware a couple weeks back that kept coming back on me and multiplying fast. I have XP pro and simply did a system restore from the day before stuff got out of hand and it got rid of everything. I Know This only helps if you have a restore point where you know your spyfree but it is quick and easy.

[Lobos]

Hi gwsmyda

do this

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's
anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers
when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is
enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When
you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system
folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use
or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we
think is bad to keep).

===========================================


Download and install CCleaner
Do not use it yet.


Click here and download Adaware SE
update it Follow these directions to configure AdAware SE and update it but do not run a scan yet:[LIST]AdAware Tutorial

Download Spybot 1.3 from this site Spybot 1.3. Install the program, update the definitions file. Do not run it yet

Download LQfix.zip
Unzip it and save it to your desktop, don't use it yet!!


================================================
Reboot into Safe Mode


Click Start>run
in the run box either type or copy and paste services.msc
go down and find thsi service abxacqrmeksd

double click on it
Stop the service and disable it

do the same with the rest of these

acrbyfvwrb
asnrfqdqycpihec
hsevketcqleja
imnhdjivqftu
itemkmbcnfj
jgwtmeyxpqqy
kplpncmgga
qynchwbpvvaps
sragdeeclikcrj
tdgsrmdqbqu
ZESOFT


===============


Go to Add/Remove programs and remove(uninstall) the following, if present:

Virtual Bouncer
Ebates_MoeMoneyMaker
Media Access
PaciSoft


The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\system32\kmimvr.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u Pynix.dll
regsvr32 /u lblwlh.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Before we begin, let's move HiJackThis to it's own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder, for HiJackThis, if present.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

R3 - Default URLSearchHook is missing

O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: (no name) - {F04D969C-035B-2DA5-7F2D-0AC2C85F4692} - C:\WINDOWS\system32\lblwlh.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [fscuch] c:\windows\system32\fscuch.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [x22ohiyx] C:\Program Files\x22ohiyx\x22ohiyx.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\system32\netsync.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitedcg32.exe
O4 - HKLM\..\Run: [7fdeece4b6df] C:\WINDOWS\system32\ciodm844.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\system32\pacis.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [nqurc] C:\WINDOWS\system32\fbhwavrx\nqurc.exe
O4 - HKLM\..\Run: [tdgsrmd] C:\WINDOWS\system32\qbqu\tdgsrmd.exe
O4 - HKLM\..\Run: [acrb] C:\WINDOWS\system32\yfvwrb\acrb.exe
O4 - HKLM\..\Run: [oqajj] C:\WINDOWS\system32\apgmn\oqajj.exe
O4 - HKLM\..\Run: [xntjmslq] C:\WINDOWS\system32\ypqwmy\xntjmslq.exe
O4 - HKLM\..\Run: [koptn] C:\WINDOWS\system32\lmyorhe\koptn.exe
O4 - HKLM\..\Run: [lokyra] C:\WINDOWS\system32\gowgiqnt\lokyra.exe
O4 - HKLM\..\Run: [owdmaacl] C:\WINDOWS\system32\sdmncu\owdmaacl.exe
O4 - HKLM\..\Run: [lnply] C:\WINDOWS\system32\pfcx\lnply.exe
O4 - HKLM\..\Run: [sragdeec] C:\WINDOWS\system32\likcrj\sragdeec.exe
O4 - HKLM\..\Run: [hujyxy] C:\WINDOWS\system32\hssgpae\hujyxy.exe
O4 - HKLM\..\Run: [hsevket] C:\WINDOWS\system32\cqleja\hsevket.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\xmymdqw.exe
O4 - HKLM\..\Run: [skyhn] C:\DOCUME~1\Bethany\LOCALS~1\Temp\rtie.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [fydk] C:\WINDOWS\system32\mmer\fydk.exe
O4 - HKLM\..\Run: [itemkm] C:\WINDOWS\system32\bcnfj\itemkm.exe
O4 - HKLM\..\Run: [hysqs] C:\WINDOWS\system32\iijyq\hysqs.exe
O4 - HKLM\..\Run: [abqfdddp] C:\WINDOWS\system32\vvtf\abqfdddp.exe
O4 - HKLM\..\Run: [rksakov] C:\WINDOWS\system32\jdpwpc\rksakov.exe
O4 - HKLM\..\Run: [jtvoykqc] C:\WINDOWS\system32\vttivau\jtvoykqc.exe
O4 - HKLM\..\Run: [yurpfpwg] C:\WINDOWS\system32\cwbdtw\yurpfpwg.exe
O4 - HKLM\..\Run: [xviol] C:\WINDOWS\system32\knwppr\xviol.exe
O4 - HKLM\..\Run: [kplpnc] C:\WINDOWS\system32\mggagtyt\kplpnc.exe
O4 - HKLM\..\Run: [pbfu] C:\WINDOWS\system32\hnsr\pbfu.exe
O4 - HKLM\..\Run: [jgwtme] C:\WINDOWS\system32\yxpqqy\jgwtme.exe
O4 - HKLM\..\Run: [bfjdld] C:\WINDOWS\system32\btcd\bfjdld.exe
O4 - HKLM\..\Run: [aoetf] C:\WINDOWS\system32\qryohnil\aoetf.exe
O4 - HKLM\..\Run: [qhjvuae] C:\WINDOWS\system32\hcopjhw\qhjvuae.exe
O4 - HKLM\..\Run: [xbgsys] C:\WINDOWS\system32\aidmj\xbgsys.exe
O4 - HKLM\..\Run: [qiofsgy] C:\WINDOWS\system32\gduunb\qiofsgy.exe
O4 - HKLM\..\Run: [vdrg] C:\WINDOWS\system32\ntsbb\vdrg.exe
O4 - HKLM\..\Run: [xflknfhr] C:\WINDOWS\system32\okiev\xflknfhr.exe
O4 - HKLM\..\Run: [qynchwb] C:\WINDOWS\system32\pvvaps\qynchwb.exe
O4 - HKLM\..\Run: [vhnmk] C:\WINDOWS\system32\mekyuxnl\vhnmk.exe
O4 - HKLM\..\Run: [lursew] C:\WINDOWS\system32\kmubrb\lursew.exe
O4 - HKLM\..\Run: [hafx] C:\WINDOWS\system32\ucmj\hafx.exe
O4 - HKLM\..\Run: [gcynqni] C:\WINDOWS\system32\nvpa\gcynqni.exe
O4 - HKLM\..\Run: [aopc] C:\WINDOWS\system32\sxlvomcv\aopc.exe
O4 - HKLM\..\Run: [uhwpj] C:\WINDOWS\system32\khmrxj\uhwpj.exe
O4 - HKLM\..\Run: [uikxtw] C:\WINDOWS\system32\hbkdeg\uikxtw.exe
O4 - HKLM\..\Run: [aewy] C:\WINDOWS\system32\bxov\aewy.exe
O4 - HKLM\..\Run: [fwinl] C:\WINDOWS\system32\byvyhayj\fwinl.exe
O4 - HKLM\..\Run: [cdedb] C:\WINDOWS\system32\iikfqt\cdedb.exe
O4 - HKLM\..\Run: [xyrfrqwd] C:\WINDOWS\system32\gbndxvxc\xyrfrqwd.exe
O4 - HKLM\..\Run: [khlyal] C:\WINDOWS\system32\lkcmj\khlyal.exe
O4 - HKLM\..\Run: [orkr] C:\WINDOWS\system32\tiwivgj\orkr.exe
O4 - HKLM\..\Run: [eqjt] C:\WINDOWS\system32\yroprx\eqjt.exe
O4 - HKLM\..\Run: [asnrfqdq] C:\WINDOWS\system32\ycpihec\asnrfqdq.exe
O4 - HKLM\..\Run: [hlaj] C:\WINDOWS\system32\pgeavi\hlaj.exe
O4 - HKLM\..\Run: [qcdwedd] C:\WINDOWS\system32\deyhhj\qcdwedd.exe
O4 - HKLM\..\Run: [imnhd] C:\WINDOWS\system32\jivqftu\imnhd.exe
O4 - HKLM\..\Run: [abxacq] C:\WINDOWS\system32\rmeksd\abxacq.exe
O4 - HKLM\..\Run: [xrtufgbq] C:\WINDOWS\system32\tyyjrvbh\xrtufgbq.exe
O4 - HKLM\..\Run: [xjknwuw] C:\WINDOWS\system32\pdryffd\xjknwuw.exe
O4 - HKLM\..\Run: [ahuw] C:\WINDOWS\system32\owsr\ahuw.exe
O4 - HKLM\..\Run: [yrhlh] C:\WINDOWS\system32\abike\yrhlh.exe
O4 - HKLM\..\Run: [qyiaun] C:\WINDOWS\system32\mlmjmg\qyiaun.exe
O4 - HKLM\..\Run: [vflvr] C:\WINDOWS\system32\ydnetk\vflvr.exe
O4 - HKLM\..\Run: [cxlpn] C:\WINDOWS\system32\yudwqhch\cxlpn.exe
O4 - HKLM\..\Run: [tiwyksmb] C:\WINDOWS\system32\ssoxpdge\tiwyksmb.exe
O4 - HKLM\..\Run: [cwxtrhq] C:\WINDOWS\system32\jiueic\cwxtrhq.exe
O4 - HKLM\..\Run: [gmtkniwl] C:\WINDOWS\system32\mvsqje\gmtkniwl.exe
O4 - HKLM\..\Run: [sfvw] C:\WINDOWS\system32\fruno\sfvw.exe
O4 - HKLM\..\Run: [mxnmmer] C:\WINDOWS\system32\lpssvxyx\mxnmmer.exe
O4 - HKLM\..\Run: [kanj] C:\WINDOWS\system32\fmmjge\kanj.exe
O4 - HKLM\..\Run: [lcgyf] C:\WINDOWS\system32\bibkncw\lcgyf.exe
O4 - HKLM\..\Run: [oudq] C:\WINDOWS\system32\ivnnrou\oudq.exe
O4 - HKLM\..\Run: [uxme] C:\WINDOWS\system32\hqlana\uxme.exe
O4 - HKLM\..\Run: [C:\WINDOWS\mmiyoqkiyi.exe] C:\WINDOWS\mmiyoqkiyi.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kmimvr.exe
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\system32\abasa5jrp.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [rsnO3qe] lbldmod.exe
O4 - HKLM\..\RunOnce: [HcTSC] C:\WINDOWS\TSC.EXE
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [Tfapvhgi] C:\WINDOWS\system32\?hkdsk.exe
O4 - HKCU\..\Run: [aB4ERkK5R] jkdadu.exe
O4 - Global Startup: Event Reminder.lnk = ?

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0011.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0004.exe

O23 - Service: abxacqrmeksd - Unknown owner - C:\WINDOWS\system32\rmeksd\abxacq.exe
O23 - Service: acrbyfvwrb - Unknown owner - C:\WINDOWS\system32\yfvwrb\acrb.exe
O23 - Service: asnrfqdqycpihec - Unknown owner - C:\WINDOWS\system32\ycpihec\asnrfqdq.exe
O23 - Service: hsevketcqleja - Unknown owner - C:\WINDOWS\system32\cqleja\hsevket.exe
O23 - Service: imnhdjivqftu - Unknown owner - C:\WINDOWS\system32\jivqftu\imnhd.exe
O23 - Service: itemkmbcnfj - Unknown owner - C:\WINDOWS\system32\bcnfj\itemkm.exe
O23 - Service: jgwtmeyxpqqy - Unknown owner - C:\WINDOWS\system32\yxpqqy\jgwtme.exe
O23 - Service: kplpncmggagtyt - Unknown owner - C:\WINDOWS\system32\mggagtyt\kplpnc.exe
O23 - Service: qynchwbpvvaps - Unknown owner - C:\WINDOWS\system32\pvvaps\qynchwb.exe
O23 - Service: sragdeeclikcrj - Unknown owner - C:\WINDOWS\system32\likcrj\sragdeec.exe
O23 - Service: tdgsrmdqbqu - Unknown owner - C:\WINDOWS\system32\qbqu\tdgsrmd.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)


Now, with all windows closed except HiJackThis, click "Fix checked".

===============



Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

folders...

C:\PROGRA~1\Toolbar
C:\Program Files\x22ohiyx
C:\Program Files\Bpt
C:\PROGRA~1\VBouncer
C:\Program Files\Media Access
C:\WINDOWS\system32\fbhwavrx
C:\WINDOWS\system32\qbqu
C:\WINDOWS\system32\yfvwrb
C:\WINDOWS\system32\apgmn
C:\WINDOWS\system32\ypqwmy
C:\WINDOWS\system32\lmyorhe
C:\WINDOWS\system32\gowgiqnt
C:\WINDOWS\system32\sdmncu
C:\WINDOWS\system32\pfcx
C:\WINDOWS\system32\likcrj
C:\WINDOWS\system32\hssgpae
C:\WINDOWS\system32\cqleja
C:\WINDOWS\system32\picsvr
C:\WINDOWS\system32\mmer
C:\WINDOWS\system32\bcnfj
C:\WINDOWS\system32\iijyq
C:\WINDOWS\system32\vvtf
C:\WINDOWS\system32\jdpwpc
C:\WINDOWS\system32\vttivau
C:\WINDOWS\system32\cwbdtw
C:\WINDOWS\system32\knwppr
C:\WINDOWS\system32\mggagtyt
C:\WINDOWS\system32\hnsr
C:\WINDOWS\system32\yxpqqy
C:\WINDOWS\system32\btcd
C:\WINDOWS\system32\qryohnil
C:\WINDOWS\system32\hcopjhw
C:\WINDOWS\system32\aidmj
C:\WINDOWS\system32\gduunb
C:\WINDOWS\system32\ntsbb
C:\WINDOWS\system32\okiev
C:\WINDOWS\system32\pvvaps
C:\WINDOWS\system32\mekyuxnl
C:\WINDOWS\system32\kmubrb
C:\WINDOWS\system32\ucmj
C:\WINDOWS\system32\nvpa
C:\WINDOWS\system32\sxlvomcv
C:\WINDOWS\system32\khmrxj
C:\WINDOWS\system32\hbkdeg
C:\WINDOWS\system32\bxov
C:\WINDOWS\system32\byvyhayj
C:\WINDOWS\system32\iikfqt
C:\WINDOWS\system32\gbndxvxc
C:\WINDOWS\system32\lkcmj
C:\WINDOWS\system32\tiwivgj
C:\WINDOWS\system32\yroprx
C:\WINDOWS\system32\ycpihec
C:\WINDOWS\system32\pgeavi
C:\WINDOWS\system32\deyhhj
C:\WINDOWS\system32\jivqftu
C:\WINDOWS\system32\rmeksd
C:\WINDOWS\system32\tyyjrvbh
C:\WINDOWS\system32\pdryffd
C:\WINDOWS\system32\owsr
C:\WINDOWS\system32\abike
C:\WINDOWS\system32\mlmjmg
C:\WINDOWS\system32\ydnetk
C:\WINDOWS\system32\yudwqhch
C:\WINDOWS\system32\ssoxpdge
C:\WINDOWS\system32\jiueic
C:\WINDOWS\system32\mvsqje
C:\WINDOWS\system32\fruno
C:\WINDOWS\system32\lpssvxyx
C:\WINDOWS\system32\fmmjge
C:\WINDOWS\system32\bibkncw
C:\WINDOWS\system32\ivnnrou
C:\WINDOWS\system32\hqlana
C:\WINDOWS\system32\nsvsvc

files...

C:\WINDOWS\system32\kmimvr.exe
C:\WINDOWS\Pynix.dll
C:\WINDOWS\system32\lblwlh.dll
C:\WINDOWS\System32\NvCpl.dll
c:\windows\system32\fscuch.exe
C:\WINDOWS\system32\winupdt.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\system32\netsync.exe
C:\WINDOWS\system32\msmc.exe
C:\windows\system32\elitedcg32.exe
C:\WINDOWS\system32\ciodm844.exe
C:\WINDOWS\system32\pacis.exe
C:\WINDOWS\system32\xmymdqw.exe
C:\DOCUME~1\Bethany\LOCALS~1\Temp\rtie.exe
C:\WINDOWS\mmiyoqkiyi.exe
C:\WINDOWS\system32\abasa5jrp.exe
C:\WINDOWS\IEXPLOR.EXE
C:\WINDOWS\TSC.EXE

Search for...

AUNPS2.DLL
E6F1873B.DLL
rundll32.exe
lbldmod.exe
jkdadu.exe

...using "Start | Search...".




run LQfix.bat
run crapcleaner

reboot to normal mode

run adaware clean all it finds
run spybot clean all it finds


===============

Post back a new log, and let me know how everything goes.


Lobos.

[rightcoast]

Lobos can help with your log, he is great with them.

But, honest question...did you even do the online scans and scan in safe mode with updated scanners?
75% of those O4 entries are viruses, along with most of the service entries.

[pam123]

Quote:

Originally Posted by rightcoast Lobos can help with your log, he is great with them. But, honest question...did you even do the online scans and scan in safe mode with updated scanners? 75% of those O4 entries are viruses, along with most of the service entries.

I'm wondering how up to date he keeps his AV and spyware removal programs.

[thefultonhow]

If I were him, I would reformat. That's a heavy infestation.

[bigz]

I know exactly which trojan viruses u have... U need to get trendmicros software!!! online scans won't cut it for those infestations ... u have the following likely viruses based on trend micros database... TROJ_DLOADER.DH & TROJ_DLOADER.DH --- here are the instructions from Trend micro on what to do to remove manually...
1/2

Trend Micro

TROJ_DLOADER.DH

Overview
Malware type: Trojan
Aliases: Downloader.a, Win32.SillyDl.GN
In the wild: No
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP

Overall risk rating: Low
Reported infections: Low
Damage potential: High
Distribution potential: Low

Description:

A Trojan is a type of malware that poses as legitimate software. When executed by unsuspecting users, it performs unexpected or unauthorized, often malicious actions.

This Trojan may arrive in a computer as part of another malware’s installation package. It is dropped by TROJ_DLOADER.DG

It checks for Internet connection on the affected system. If Internet connection is available, it attempts to download other malware or adware.


Description created: Mar 11, 2005

Solution
Minimum scan engine version needed: 6.810
Pattern file needed: 2.485.01
Pattern release date: Mar 9, 2005

Solution:


Removing Related Malware

To remove related malware, please refer to the following Web page:

* TROJ_DLOADER.DG

Identifying the Malware Program

To remove this malware, first identify the malware program.

1. Scan your system with your Trend Micro antivirus product.
2. NOTE all files detected as TROJ_DLOADERL.DH.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro's online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

1. Open Windows Task Manager.
• On Windows 95, 98, and ME, press
CTRL+ALT+DELETE
• On Windows NT, 2000, and XP, press
CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file(s) detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
3. Windows>CurrentVersion>Run In the right panel, locate and delete the entry:

= “%Malware path and filename%”
4. (Note: %Malware path & file name% is the complete path of the malware, including the root directory, and the malware's detected file name.) Close Registry Editor.

NOTE:If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete files detected as TROJ_DLOADERL.DH. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.



Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.


Technical Details
File type: PE
Memory resident: Yes
Size of malware: 34,816 Bytes
Initial samples received on: Mar 9, 2005
Related to: TROJ_DLOADER.DG

Details:

A Trojan is a type of malware that poses as legitimate software. When executed by unsuspecting users, it performs unexpected or unauthorized, often malicious actions.

This Trojan may arrive in a computer as part of another malware’s installation package. It is dropped by TROJ_DLOADER.DG

It checks for Internet connection on the affected system. If Internet connection is available, it attempts to download other malware or adware.

Upon execution, it drops the file .INI, in the current directory. This .INI file is used to log the Trojan’s activities.

It also attempts to connect to the following sites:

* http://.farmmext.com//a/Aid.sen?StubName=1farmmext&Cookie=cntry%3DPH%26fstcidt%3D20050315%26cicnt%3D1%26&StubInstID={317425FF-1047-4335-A94B-A6635B986B07}&ErrorCode=1002&Build=0.1.1.3
* http://.farmmext.com/a/Aid.sen?StubName=1farmmext&ErrorCode=1001&Build=0.1.1.3

It creates the following registry entry to ensure it automatically executes during every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
% = “%Malware path and filename%”

(Note: %Malware path & file name% is the complete path of the malware, including the root directory, and the malware's detected file name.)



Analysis By: Elda Viray Dimakiling


Copyright 1989-2004 Trend Micro, Inc. All rights reserved. Legal Notice|Privacy Policy

2/2


Trend Micro

TROJ_DLOADER.DG

Overview
Malware type: Trojan
Aliases: Troj/Dloader-KM, Win32.SillyDl.HB
In the wild: No
Destructive: No
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: No

Overall risk rating: Low
Reported infections: Low
Damage potential: Low
Distribution potential: Low

Description:

Upon execution, this Trojan drops a randomly-named copy of itself in the Windows system folder.

It executes either PACKAGER.EXE or CALC.EXE, which acts as its process watcher. The process watcher disables affected users from terminating this Trojan’s process.

It then attempts to download the following malicious files from the Web site, http://.callinghome.biz/download/cabs/THNALL2R/thnall2r.exe:

* dlmax.dll - detected by Trend Micro as ADW_DLMAX.A
* farmmext.exe - detected by Trend Micro as TROJ_DLOADER.DH
* thnall2r.exe - detected by Trend Micro as SPYW_GETSYS.A


Description created: Mar 10, 2005

Solution
Minimum scan engine version needed: 6.810
Pattern file needed: 2.485.01
Pattern release date: Mar 10, 2005

Solution:


Removing Related Malware

To remove other malware installed by TROJ_DLOADER.DG, please refer to the following Web pages:

* ADW_DLMAX.A
* TROJ_DLOADER.DH
* SPYW_GETSYS.A

Restarting in Safe Mode

» On Windows 98 and ME

1. Restart your computer.
2. Press the CTRL key until the Windows 98 startup menu appears.
3. Choose the Safe Mode option then press Enter.

» On Windows NT (VGA mode)

1. Click Start>Settings>Control Panel.
2. Double-click the System icon.
3. Click the Startup/Shutdown tab.
4. Set the Show List field to 10 seconds and click OK to save this change.
5. Shut down and restart your computer.
6. Select VGA mode from the startup menu.

» On Windows 2000

1. Restart your computer.
2. Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

» On Windows XP

1. Restart your computer.
2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Identifying the Malware Program

To remove this malware, first identify the malware program.

1. Scan your system with your Trend Micro antivirus product.
2. NOTE all files detected as TROJ_DLOADER.DG.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro’s online virus scanner.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup. In this procedure, you will need the name(s) of the file(s) detected earlier.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.

Restoring Other Malware Entries

1. Still in the Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software
2. Still in the left panel, locate and delete the following key:
Vendor
3. Close Registry Editor.

Deleting Malware File

1. Right-click Start then click Search… or Find…, depending on the version of Windows you are running.
2. In the Named input box, type:
dlmax.dll
3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
4. Once located, select the file then press Delete.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as TROJ_DLOADER.DG. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s online virus scanner.



Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.


Technical Details
File type: PE
Memory resident: No
Size of malware: Varies
Initial samples received on: Mar 9, 2005
Related to: TROJ_DLOADER.DH, ADW_DLMAX.A, SPYW_GETSYS.A

Details:

Upon execution, this Trojan drops a randomly-named copyof itself in the Windows system folder.

It executes either PACKAGER.EXE or CALC.EXE, which acts as its process watcher. The process watcher disables affected users from terminating this Trojan’s process.

It then attempts to download the following malicious files from the Web site, http://.callinghome.biz/download/cabs/THNALL2R/thnall2r.exe:

* dlmax.dll - detected by Trend Micro as ADW_DLMAX.A
* farmmext.exe - detected by Trend Micro as TROJ_DLOADER.DH
* thnall2r.exe - detected by Trend Micro as SPYW_GETSYS.A

It creates the following autostart entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
= "%System%\.exe"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

This Trojan also creates the following registry key as part of its installation:

HKEY_LOCAL_MACHINE\Software\Vendor

This Trojan is written and compiled in Visual C++.


Analysis By: Erin Kalingking Sta. Catalina
Updated By: Elda Viray Dimakiling

Revision History:
First pattern file version: 2.485.01
First pattern file release date: Mar 10, 2005

Copyright 1989-2004 Trend Micro, Inc. All rights reserved. Legal Notice|Privacy Policy

[rightcoast]

I agree with thefultonhow. You have to weigh your options here, especially if you used an updated scanner in safe mode already. You can back up what you need and reinstall in a couple of hours. It might take days to clean this, even then, no guarantees you got it all.

[Lobos]

This infestation may look bad but it is not that hard to get rid of
I see this particular infestation all of the time . If he does exactly what i have written out . this shoud only take two swipes three at the most.

But of course it could take three days if he doesn't answer
to me reformat is never an option.


but of course it his choice.

Lobos

[rightcoast]

I figure this must be relatively new right Lobos? Since I'm moving to Florida I shut down shop and haven't taken on new jobs in just over a month.

Is it possible to run run ccleaner, the online scans and the safe mode scans like I wrote up in post 3, and still get a hijackthis log like that? That looks pretty bad.

I'm not entirely sure the scanning was done before the log was posted, if it was (and at this point even if it wasn't) do what Lobos said exactly, after the first pass, it will at least be managable for the second and third tries.

[gwsmyda]

hey guys, im back
ill be looking over what lobos and bigz have posted and get back shortly

thanks for the help

EDIT:
pam and rightcoast, i had norton for a while, but the subscription ran out... so i found an etrust antivirus cd that windows sent (about a year ago) i also did the online scans, trend micro found 10 but they were 'non-cleanable'

[gwsmyda]

lobos, i followed your instructions as closely as possible
here's the new scan

Logfile of HijackThis v1.99.1
Scan saved at 11:34:07 PM, on 3/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\kmimvr.exe
C:\WINDOWS\system\qeqiaqaagq.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\IEXPLOR.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50221
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kmimvr.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101165995953
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe

_____________________________________________

EDIT: Im gonna get some sleep, ill be back in the morning
again, thanks for everyone's help

[Lobos]

Ok looking much better now just a few more

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's
anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers
when you are following the procedures below.

===============

Download, unzip to your desktop CWShredder and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the upate".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"


===============

Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

qeqiaqaagq.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============


Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\system32\kmimvr.exe
C:\WINDOWS\system\qeqiaqaagq.exe
C:\WINDOWS\IEXPLOR.EXE

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50221
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kmimvr.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Download KillBox, unzip it to your desktop, then run it. Now:

1. select "Action | Delete on reboot".
2. copy/paste the following file name(s), one at a time, in the "Paste Path of File to Delete" field:

C:\WINDOWS\system32\kmimvr.exe
C:\WINDOWS\system\qeqiaqaagq.exe
C:\WINDOWS\IEXPLOR.EXE

3. click "Kill File".
4. when prompted to "Reboot Now" select "No".
5 click yes when the last entry is entered

reboot

===============



Post back a new log, and let me know how everything goes.

-

Lobos.

[carlmccut]

Lobos,

That is incredible!!!!!!!!!!!!!!!!!!!!!!. I have never had that bad of an infection and hope to never have one. I know who to call !!!! Will keep this thread as a reference for future use.


Great work!!!!!!!!!!!!!!!!!!!!!

[pam123]

Quote:

Originally Posted by carlmccut Lobos, That is incredible!!!!!!!!!!!!!!!!!!!!!!. I have never had that bad of an infection and hope to never have one. I know who to call !!!! Will keep this thread as a reference for future use. Great work!!!!!!!!!!!!!!!!!!!!!

Same for me.
Brilliant job!

[gwsmyda]

heres the new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:21:03 AM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iprp.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kmimvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101165995953
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe

[rightcoast]

Hi gwsmyda,

If you delete these two, then update your scanners and scan once more in safe mode you should be ok. Don't turn system restore back on just yet.
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kmimvr.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
(the virtualapple will reinstall when you go back if it's legitimate and you use it for emulation)
If you don't have a lexmark printer, or your printer doesn't have a network card, delete this too:
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

If you dont use messenger you can also check these:

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Great work Lobos!
Good luck gwsmyda, post another HJT log after doing your scanning

[Lobos]

Ok

I have a feeling i know what these are just want to make sure if you can upload them to the site below

First of all, could you go to the next site:
http://virusscan.jotti.org/
On top you'll find: File to upload and scan,
Browse to the next file and let it scan.
C:\WINDOWS\system32\kmimvr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iprp.exe

Give me the results of what was found on it in your next reply. Please also tell me, when flagged as malware by the different scanners, what kind of malware it is.


download this: qoologic_systemsearch.zip
Unzip the contents of qoologic_systemsearch.zip to a convenient location
Now open the qoologic_systemsearch-folder and double-click on qoologicsystem.bat.
A command prompt will open and it will search your computer for malicious files.
This will take a while...
Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.

so i want the results of the first scan and the qoologic scan

this should be the last of the files that need to be cleaned

Lobos

[gwsmyda]

File: kmimvr.exe

Status:
INFECTED/MALWARE

AntiVir_______________No viruses found
Avast________________Win32:Qoologic-B
AVG Antivirus_________No viruses found
BitDefender __________No viruses found
ClamAV______________No viruses found
Dr.Web______________No viruses found
F-Prot Antivirus_______No viruses found
Fortinet______________No viruses found
Kaspersky Anti-Virus___Trojan-Downloader.Win32.Qoologic.i
mks_vir______________Trojan.Downloader.Qoologic.I
NOD32_______________No viruses found
Norman Virus Control____No viruses found


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iprp.exe came up with the same results

_______________________________________________________
------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Dell AIO Printer A940"="\"C:\\Program Files\\Dell AIO Printer A940\\dlbabmgr.exe\""
"VetTray"="C:\\PROGRA~1\\CA\\ETRUST~1\\ETRUST~1\\VetTray.exe"
"DeadAIM"="rundll32.exe \"C:\\Program Files\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"KavSvc"="C:\\WINDOWS\\system32\\kmimvr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




[Lobos]

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's
anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers
when you are following the procedures below.

still with hidden files and folders showing


===============


Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

iprp.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.


===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iprp.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kmimvr.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

run killbox

1. select "Action | Delete on reboot".
2. copy/paste the following file name(s), one at a time, in the "Paste Path of File to Delete" field:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iprp.exe
C:\WINDOWS\system32\kmim'r.exe

3. click "Kill File".
4. when prompted to "Reboot Now" select "No".
select yes on the last entry

===============
reboot

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iprp.exe
C:\WINDOWS\system32\kmimvr.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Post back a new log, and let me know how everything goes.

-

Lobos.

[gwsmyda]

Logfile of HijackThis v1.99.1
Scan saved at 3:17:25 PM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\kmimvr.exe
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kmimvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101165995953
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe

________________________________________________________
i couldnt find:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iprp.exe
or
C:\WINDOWS\system32\kmimvr.exe
to delete them
(but i did find and delete a kmimvr.exe prefetch)

[rightcoast]

did you enable view hidden files? In explorer or my computer

Click Tools>Folder Options>view

Check "show hidden files" and be sure "hide extensions of known file types" and "hide protected OS files" are unchecked.

Click apply then apply to all folders.

You should be able to find it now.

[Lobos]

Ok this is being stubborn the last file


Download Registrar Lite (http://www.resplendence.com/download/reglite.exe) and install it.

go into safe mode

start Registrar Lite

Copy and paste the follow text into the address bar and hit Go:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the pane on the right find this entry and delete it make sure just to deklete that one

"KavSvc"="C:\\WINDOWS\\system32\\kmimvr.exe"

Right click on the above and select delete. If you get a confirmation question, respond OK then close out the program.


run hijack this

Run HiJackThis and click "Scan", then check(tick) the following, if present:


O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kmimvr.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

run killbox

1. select "Action | Delete on reboot".
2. copy/paste the following file name(s), one at a time, in the "Paste Path of File to Delete" field:

C:\WINDOWS\system32\kmimvr.exe

3. click "Kill File".
4. when prompted to "Reboot Now" select "yes".

post a new log let me know how it went and how your computer is running

Lobos

[gwsmyda]

doing that right now

when you say "kmim'r", dont you mean "kmimvr"?