background, homepage hijack, yellow triangle popup
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
eyebtired
I have a problem that appears similar to others that have posted here. My background was hijacked by a black screen with a warning about spyware on my computer, my homepage was changed, favorites added, a blue IE screen pops up periodically warning me of spyware, and a little yellow triangle in the lower right taskbar does the same. I've run updated McAfee virusscan in normal, safe and dos modes, and CWShredder and McAfee antispyware in normal and safe modes, but nothing is detected. I do have some weird looking processes running, and they aren't found on processlibrary dot com. I'm turning to the experts to see if they can help me. My hijackthis log is below. Thanks for any help you can provide.

Logfile of HijackThis v1.99.1
Scan saved at 11:28:29 AM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\SYSTEM32\init32m.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\wisvccz.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [ykohgrc] c:\windows\bowqfbq.exe
O4 - HKCU\..\Run: [pypiqdr] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [avxcqim] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [ritqtiq] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [djslisd] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [mvgdfvn] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [rtlnywv] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [vyotine] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [yuvbrav] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [ugrbeak] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [xtkedbc] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [bqahxvb] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [ouutquu] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [ccrciay] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [aobmuhk] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [dhyawoa] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [johklpi] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [vcnfptr] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [vjhkiwa] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [nacyryf] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [beheiji] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [bireikw] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [vksqaij] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [inixmid] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [pxncjce] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [hrcobmb] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [vxbyjhl] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [sirmkxo] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [nttjvdx] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [kttlvow] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [hppldvs] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [bjolbsx] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [mpvcyci] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [wehmmct] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [fubheic] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [hubelbw] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [mckrtby] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [htjydug] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [dxiduqe] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [mvjabfd] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [maeyiub] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [lmsekqw] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [idowntq] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [bmnynee] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [covepmd] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [ojxcqqo] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [fqswkgu] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [nekhsvj] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [gvodaxj] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [qcjtkqs] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [slqdyon] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [efwpbnf] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [ydybibt] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [jktajpm] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [kkfwtor] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [rcdvhkn] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [dngoelh] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [rlchxbw] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [txpvevb] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [xbuehao] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [uhopsry] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [nhwvuoa] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [qrjxdhw] c:\windows\jnucqii.exe
O4 - HKCU\..\Run: [pevxxyu] c:\windows\jnucqii.exe
O4 - HKCU\..\Run: [qfmnqni] c:\windows\jnucqii.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09811597cbe968...ip/RdxIE601.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097197772359
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
LoPhatPhuud
First:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'C:\Program Files\Hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm

F2 - REG:system.ini: Shell=Explorer.exe init32m.exe

O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [ykohgrc] c:\windows\bowqfbq.exe
O4 - HKCU\..\Run: [pypiqdr] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [avxcqim] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [ritqtiq] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [djslisd] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [mvgdfvn] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [rtlnywv] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [vyotine] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [yuvbrav] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [ugrbeak] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [xtkedbc] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [bqahxvb] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [ouutquu] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [ccrciay] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [aobmuhk] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [dhyawoa] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [johklpi] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [vcnfptr] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [vjhkiwa] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [nacyryf] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [beheiji] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [bireikw] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [vksqaij] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [inixmid] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [pxncjce] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [hrcobmb] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [vxbyjhl] c:\windows\pfsvbha.exe
O4 - HKCU\..\Run: [sirmkxo] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [nttjvdx] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [kttlvow] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [hppldvs] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [bjolbsx] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [mpvcyci] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [wehmmct] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [fubheic] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [hubelbw] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [mckrtby] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [htjydug] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [dxiduqe] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [mvjabfd] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [maeyiub] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [lmsekqw] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [idowntq] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [bmnynee] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [covepmd] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [ojxcqqo] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [fqswkgu] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [nekhsvj] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [gvodaxj] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [qcjtkqs] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [slqdyon] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [efwpbnf] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [ydybibt] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [jktajpm] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [kkfwtor] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [rcdvhkn] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [dngoelh] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [rlchxbw] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [txpvevb] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [xbuehao] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [uhopsry] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [nhwvuoa] c:\windows\uaesskl.exe
O4 - HKCU\..\Run: [qrjxdhw] c:\windows\jnucqii.exe
O4 - HKCU\..\Run: [pevxxyu] c:\windows\jnucqii.exe
O4 - HKCU\..\Run: [qfmnqni] c:\windows\jnucqii.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09811597cbe968...ip/RdxIE601.cab

Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\WINDOWS\SYSTEM32\init32m.exe
C:\WINDOWS\System32\wisvccz.exe
C:\WINDOWS\System32\spoolsrv32.exe
c:\windows\bowqfbq.exe
c:\windows\vagfqhl.exe
c:\windows\pfsvbha.exe
c:\windows\uaesskl.exe
c:\windows\jnucqii.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.


Second:
this should fix the desktop

This fix is only for XP & Windows 2000

Download and Save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe and double click on the cleandesktop.exe

It will automatically extract to c:\desktopclean where it needs to be to run and will automatically run the cleandesktop.vbs script

If it doesn't open, go to c:\desktopclean and double click on cleandesktop.vbs. Please do not run any other file from there unless asked to.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

If you get a message when you first run it, "Can not find script file "blah blah blah"", don't worry; just double-click the cleandesktop.vbs script again. You sometimes get that message when a script blocker blocks the script.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

I have included another vbs to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the c:\desktopclean folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

To restore the desktop to whatever picture you normally have, right click on a blank part of the desktop & select Properties/Desktop, select your preferred picture, press Apply & then OK to exit, and then press F5.

You will need to do this step for every user account


Third:
Please zip and email the following file(s) to me:
c:\windows\system32\flsmngr.dll

Email to: submitATlophatphuud.com (replace AT with @)

Please be sure to include a link to this thread for my reference.
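The entries picked out above can also be found mechanically from the log text. The script below is an added example for this thread, not code from the original post or from HijackThis: it parses the O4, F2 and O10 lines (the sample lines are copied from the first log above), counts how many Run values launch the same executable, flags executables with machine-looking seven-letter names dropped into C:\Windows or System32, lists RunOnce entries for manual review, reports anything beyond Explorer.exe in the winlogon Shell= value, and reports Winsock LSP files HijackThis could not identify. The seven-letter rule, the three-entry threshold and the OS-directory check are this example's own heuristics, not HijackThis rules.

```python
"""Triage a HijackThis log for the indicators discussed in this thread.

Added example, not part of the original post or of HijackThis. The sample
lines are copied from the first log above; the heuristics (seven lowercase
letters, three or more Run values per target, OS-directory check) are this
example's own assumptions.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(?P<shell>.*)$')
O10_RE = re.compile(r'^O10 - Unknown file in Winsock LSP: (?P<path>.*)$')
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)

RANDOM_NAME = re.compile(r'^[a-z]{7}$')   # assumption: the dropped files here are 7 random letters
MIN_SHARED_ENTRIES = 3                     # assumption: one EXE behind 3+ Run values is abnormal
OS_DIRS = {'c:\\windows', 'c:\\windows\\system32'}

# Constructed sample: lines copied from the first log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [wupdate] C:\WINDOWS\System32\wisvccz.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [ykohgrc] c:\windows\bowqfbq.exe
O4 - HKCU\..\Run: [pypiqdr] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [avxcqim] c:\windows\vagfqhl.exe
O4 - HKCU\..\Run: [ritqtiq] c:\windows\vagfqhl.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
"""


def exe_path(cmd):
    """Return the lowercased executable path from a Run value's command line (quoted or not)."""
    m = EXE_RE.match(cmd.strip())
    return m.group('path').lower() if m else None


def triage(log_text):
    run_targets = Counter()   # exe path -> number of Run/RunOnce values launching it
    random_named = set()      # exe in an OS directory with a machine-looking file or value name
    runonce = []              # (hive, value name, exe): rare on a healthy box, always worth a look
    shell_extras = []         # anything besides explorer.exe in the winlogon Shell= value
    lsp_unknown = []          # Winsock LSP DLLs HijackThis could not identify
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group('cmd'))
            if path is None:
                continue
            run_targets[path] += 1
            p = PureWindowsPath(path)
            in_os_dir = str(p.parent) in OS_DIRS
            looks_random = RANDOM_NAME.match(p.stem) or RANDOM_NAME.match(m.group('name').lower())
            if in_os_dir and looks_random:
                random_named.add(path)
            if m.group('key').lower() == 'runonce':
                runonce.append((m.group('hive'), m.group('name'), path))
            continue
        m = F2_RE.match(line)
        if m:
            shell_extras += [t for t in m.group('shell').split() if t.lower() != 'explorer.exe']
            continue
        m = O10_RE.match(line)
        if m:
            lsp_unknown.append(m.group('path').strip().lower())
    return {
        'shared_targets': {p: n for p, n in run_targets.items() if n >= MIN_SHARED_ENTRIES},
        'random_named_targets': sorted(random_named),
        'runonce_entries': runonce,
        'shell_extras': shell_extras,
        'lsp_unknown': lsp_unknown,
    }


def report(findings):
    """Render the findings as lines, in the order a cleanup would handle them."""
    lines = [f'F2  Shell= launches an extra program: {x}' for x in findings['shell_extras']]
    lines += [f'O4  {n} Run values launch the same file: {p}' for p, n in sorted(findings['shared_targets'].items())]
    lines += [f'O4  random-looking name in an OS directory: {p}' for p in findings['random_named_targets']]
    lines += [f'O4  RunOnce in {h} [{name}]: {p}' for h, name, p in findings['runonce_entries']]
    lines += [f'O10 unknown Winsock LSP (remove with an LSP tool, not by deleting): {p}' for p in findings['lsp_unknown']]
    return lines


if __name__ == '__main__':
    print('\n'.join(report(triage(SAMPLE_LOG))))
```

Run it against a saved log (replace SAMPLE_LOG with the file contents) and compare its output with the helper's list: every file it names under the Shell=, shared-target and random-name rules matches an entry the helper told the poster to fix, while legitimate vendor entries under Program Files stay quiet. The O10 entry is reported but deliberately not listed for deletion, because removing a Winsock LSP DLL from disk without unregistering it from the catalog breaks networking, which is why the thread handles it separately.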
eyebtired
lophat,
I worked through your instructions, and everything appears to be okay. The only problems were that the "C:\WINDOWS\SYSTEM32\init32m.exe" couldn't be deleted in safe mode. I didn't try it in normal. Also, after running the Cleandesktop, I still had the black webpage for my background. I deleted it again out of the "customize; desktop; web tab" and it seems to be okay.
I guess my biggest question at this point is how to keep it from returning since none of the antispyware or virus protections seem to work?
Thanks again for all of your help, and please let me know if there is anything else that I should do.
Take care.

Logfile of HijackThis v1.99.1
Scan saved at 3:02:46 PM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097197772359
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
LoPhatPhuud
Thanks for the file. We need to remove it since it's connected with CoolWebSearch.

First:
Download WinSockFix from here: http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

Download LSPfix here: www.cexx.org/lspfix.htm

Launch LSPFix, and click the "I know what I'm doing" checkbox.
Check all instances of flsmngr.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish

Reboot

Check your internet connection and verify that it is working. In rare instances LSPFix may break your connection. If this happens, run WinSockFix to repair it.



That will leave you clean...


At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and Internet Explorer. This includes SP1 and SP2 if you use Windows XP. The first defense against infection is a properly patched Operating System.
a. Windows Update: http://v5.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Select Internet Options from the Control Panel, or from Internet Explorer (Tools -> Internet Options)
Press 'default level', then OK
Now press "Custom Level."

In the ActiveX controls and plug-ins section set these options:
'Download signed ActiveX controls' - Prompt
'Download unsigned ActiveX controls' - Disable
'Initialize and script ActiveX controls not marked as safe' - Disable
For all other options, accept the default.

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
c. BHODemon: http://www.definitivesolutions.com/bhodemon.htm

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing one of the following:
a. Microsoft AntiSpyware: http://www.microsoft.com/athome/security/s...re/default.mspx
NOTE: MS AntiSpyware only runs on Windows 2000, XP, and 2003.
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
c. AdAware: http://www.lavasoft.de/

Use these programs to regularly scan your system for and remove many forms of spyware/malware. I recommend and use Microsoft AntiSpyware.

If you use, or plan on using, additional spyware/malware detection and/or removal programs, please check Items 8 and 9.

5. Install 'Spoofstick'
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

7. Clean Temporary Files and Folders
Download and install the disk cleanup utility called Cleanup! from here:
http://cleanup.stevengould.org/
http://www.hijackthislogs.com/dl/CleanUp312.exe

Cleanup! will get rid of any malware which may be hiding in your temp folders (a common hiding place). You may also regain a massive amount of disk space.
Here is a tutorial which describes its usage:
http://www.bleepingcomputer.com/forums/tutorial93.html

Run the disk cleanup utility called Cleanup! that you have already downloaded and installed
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin.
Then reboot into normal mode to let it clean out the remaining files.


8. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm

9. Anti-Spyware Programs Compared
Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work? Check this link for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm

10. Alternate Browser
Consider using an alternate browser as your default. I recommend and use Firefox as my primary browser. It is still necessary to keep Internet Explorer current and protected in order to use Windows Update.


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

"It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned."

Good luck, and thanks for coming to our forums for help with your security and malware issues.
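As an added example (not from this thread, and not part of LSPFix, WinSockFix or any other tool named above): a small Python script that turns two of the checks in the advice into something repeatable. It parses a text listing shaped like `netsh winsock show catalog` output and flags every Winsock provider whose DLL is not on an allowlist, which is the same question LSPFix answers interactively; and it parses a `.reg` export of the Internet Zone (`HKCU\...\Internet Settings\Zones\3`) and reports the three ActiveX settings from step 2 when they differ from Prompt/Disable/Disable. Both inputs are constructed samples, the allowlist and the GUIDs are assumptions, and flsmngr.dll appears only because the thread names it; the registry value names 1001, 1004 and 1201 and the action codes 0/1/3 are the ones Windows uses for those zone settings.

```python
"""Post-cleanup checks: unexpected Winsock providers and ActiveX zone settings.

Added example, not code from the thread or from any tool it names. Inputs are
constructed samples so the script runs offline; on a real machine you would feed
it the output of `netsh winsock show catalog` and a `reg export` of zone 3.
"""
import re

# Constructed sample shaped like `netsh winsock show catalog` output.
# GUIDs are placeholders; flsmngr.dll is the LSP named in the thread.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        (constructed) LSP over MSAFD Tcpip
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\WINDOWS\system32\flsmngr.dll
Catalog Entry ID:                   1008
Protocol Chain Length:              2
"""

# "Key:   value" lines inside one catalog entry.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.+?)\s*$")


def parse_winsock_catalog(text):
    """Split the listing into one dict of fields per provider entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entries


# Sample allowlist (assumption): the stock Winsock provider DLLs on Windows XP.
# Maintain this per environment; anything else deserves a look before removal.
KNOWN_GOOD_LSP_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}


def normalize_path(path):
    """Expand %SystemRoot% by hand (so the check runs off-box) and lowercase."""
    return path.replace("%SystemRoot%", r"C:\WINDOWS").lower()


def find_unexpected_lsps(entries, allowlist=KNOWN_GOOD_LSP_DLLS):
    """Return provider paths whose DLL file name is not on the allowlist."""
    suspicious = []
    for entry in entries:
        path = normalize_path(entry.get("Provider Path", ""))
        dll = path.rsplit("\\", 1)[-1]
        if dll and dll not in allowlist:
            suspicious.append(path)
    return suspicious


# Constructed sample shaped like a `reg export` of the Internet Zone key.
SAMPLE_ZONE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000000
"""

DWORD_RE = re.compile(r'^"(\d+)"=dword:([0-9A-Fa-f]{8})$', re.M)


def parse_reg_dwords(text):
    """Map each DWORD value name in the export to its integer value."""
    return {name: int(hexval, 16) for name, hexval in DWORD_RE.findall(text)}


# Action codes used by the URL security zone settings.
ACTION = {0: "Enable", 1: "Prompt", 3: "Disable"}

# The three ActiveX settings from step 2 and the values the advice asks for.
EXPECTED_ZONE3 = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
}


def check_activex_zone(settings, expected=EXPECTED_ZONE3):
    """Return (value name, label, current action, wanted action) for each mismatch."""
    findings = []
    for value_name, (label, want) in expected.items():
        have = settings.get(value_name)
        if have != want:
            findings.append((value_name, label, ACTION.get(have, str(have)), ACTION[want]))
    return findings


if __name__ == "__main__":
    for path in find_unexpected_lsps(parse_winsock_catalog(SAMPLE_CATALOG)):
        print("Winsock provider not on allowlist:", path)
    for name, label, have, want in check_activex_zone(parse_reg_dwords(SAMPLE_ZONE_REG)):
        print(f"Zone 3 value {name} ({label}) is {have}, expected {want}")
```

On the sample input the script reports the flsmngr.dll provider and the 1201 setting (left at Enable instead of Disable); an unlisted DLL is a lead to investigate, not proof of infection, which is why the allowlist is meant to be tuned rather than trusted blindly.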
eyebtired
It looks like everything is back in order. Thanks again for all of your help. You provide a great service. Take care.
LoPhatPhuud
We are glad we were able to be of assistance.

NOTE: This thread is now closed. Should you need it reopened, please PM an administrator or moderator.

Everyone else having a similar issue, please launch a new topic for yourselves.