Computer infected bigtime

Question

first of all let me just list my problems im having..... First I get slow performance from my computer. I know i have tons of spyware malware and adware ext... i get IE explorer popups when im not even running IE. Its not like im in the browser and i get normal pop ups... its like a constant shower of them when im doing other things such as running a game. Also whenever a pop up loads up my computer gets REALLY slow and choppy. I know this is a virus or trojan but i have tried everything to stop it. I have spybot sd and noadware. I also have mcafee which doesnt show any viruses. The spyware wont go away no matter how hard i try to make it. Also Ive noticed that my CPU is running at 100% when usually it is at around 10-15. I did a hijack this report and here it is. PLEASE HELP ME!!! ITS DRIVING ME CRAZYYYY!!! Logfile of HijackThis v1.99.0 Scan saved at 5:43:31 PM, on 10/21/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32
vsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe C:\WINDOWS\jawa32.exe C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Logitech\ImageStudio\LogiTray.exe C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE C:\WINDOWS\clock.exe C:\WINDOWS\System32\ut1s2fc85dthd.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32	ibs3.exe C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\FaqupP4.exe C:\WINDOWS\System32\Qyak.exe C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe C:\WINDOWS\system32	askmgr.exe C:\WINDOWS\system32\winupdt.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\MOZILL~1\firefox.exe C:\Documents and Settings\Nater\My Documents\New Folder\HijackThis.exe C:\Documents and Settings\Nater\My Documents\New Folder\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\WKW7DZ~1.DLL O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file) O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll O3 - Toolbar: Search - {3396DE92-A482-590A-2759-975CFDBAA5AF} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O3 - Toolbar: FunBar - {2CA511C5-C677-4e33-A018-EADF07E08299} - C:\PROGRA~1\FUNBAR~1.01\funbar.dll O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - (no file) O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file) O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Program Files\IEMenuExtension	bextn.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe O4 - HKLM\..\Run: [AdaptecDirectCD] 'C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe' O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [Dell AIO Printer A920] 'C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe' O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [pg943HX] C:\documents and settings\ariane\local settings	emp\pg943HX.exe O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Lxiv1Va.exe O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE O4 - HKLM\..\Run: [tlzyfjv] C:\WINDOWS\System32\pktefw.exe O4 - HKLM\..\Run: [clock] C:\WINDOWS\clock.exe O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\ut1s2fc85dthd.exe O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe O4 - HKLM\..\Run: [oghogc] C:\WINDOWS\System32\oghogc.exe O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\system32	ibs3.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe O4 - Global Startup: winlogin.exe O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1063 (file missing) O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://bannerfarm.ace.advertising.com/bannerfarm/47041/WrapperOuter1154041206.EXE O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab O20 - AppInit_DLLs: fzmuihem6zklwhl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll O23 - Service: Installer Service - Unknown - C:\WINDOWS\System32\winst.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: ISEXEng - Unknown - C:\WINDOWS\system32\angelex.exe (file missing) O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing) O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32
vsvc32.exe

zbestwun2001 · Answer

Hi
Don't go crazy but you are right you have many visitors.
Before the log is dealt with please do these things first.
It will help a alot.

Go to this sight http://www.trendmicro.com/en/home/us/enterprise.htm and do an online scan and delete whatever it finds. Be sure to highlight the drives you want to have searched.

After that could you please go to http://www.majorgeeks.com/download506.html and download AdAwareSE and delete what it finds. Then while using AdAware, click on add-ons and get their plug-in for the VX2 variant, and run that and delete what it finds.
After that please go to http://www.majorgeeks.com/download2471.html and download SpyBot and run that and delete what it finds.

Now we are done with that. All these procedures will help the people that will deal with your HJT log.
Thanks
Steve

Message Edited by zbestwun2001 on 12-21-2004 03:03 PM

Midnight Star · Answer

clashrkers,

After doing an online scan, and checking with AdAware SE & Spybot...

Let's get started...

Go to Add/Remove programs and remove(uninstall)

Virtual Bouncer

SurfSideKick

ViewPoint

First, download KillBox and unzip it to your desktop, then:

1. select " Action | Delete on Reboot"

2. copy/paste the following file to the " Paste Full Path of File to Delete":

fzmuihem6zklwhl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

3. click on " Kill File"

You'll need to download uninst.exe to remove the 'peper' infection, then:

1. run uninst.exe ... (first pass).

2. reboot your computer.

3. run uninst.exe ... (final pass).

Note: You must have an active internet connection, each time this program is run, for it to properly work.

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvc32 /u SskBho.dll

regsvc32 /u ViewBar.dll

regsvc32 /u funbar.dll

regsvc32 /u ysb.dll

regsvc32 /u tbextn.dll

Reboot your computer into " Safe Mode".

Run HiJackThis and click " Scan", then check(tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;

R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\WKW7DZ~1.DLL

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Search - {3396DE92-A482-590A-2759-975CFDBAA5AF} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: FunBar - {2CA511C5-C677-4e33-A018-EADF07E08299} - C:\PROGRA~1\FUNBAR~1.01\funbar.dll
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Program Files\IEMenuExtension\tbextn.dll

O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [pg943HX] C:\documents and settings\ariane\local settings\temp\pg943HX.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Lxiv1Va.exe
O4 - HKLM\..\Run: [tlzyfjv] C:\WINDOWS\System32\pktefw.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [oghogc] C:\WINDOWS\System32\oghogc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\system32\tibs3.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - Global Startup: winlogin.exe

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://bannerfarm.ace.advertising.com/bannerfarm/47041/WrapperOuter1154041206.EXE
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx

O20 - AppInit_DLLs: fzmuihem6zklwhl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll

O23 - Service: Installer Service - Unknown - C:\WINDOWS\System32\winst.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\system32\angelex.exe (file missing)
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)

Now, with all windows closed except HiJackThis, click " Fix checked".

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

folders...

C:\Program Files\SurfSideKick 2

C:\PROGRA~1\FUNBAR~1.01

C:\PROGRA~1\YOURSI~1

files...

C:\WINDOWS\aqadcup.exe
C:\WINDOWS\jawa32.exe
C:\WINDOWS\System32\Lxiv1Va.exe
C:\WINDOWS\System32\pktefw.exe
C:\WINDOWS\System32\idctup20.exe
C:\WINDOWS\System32\winupdtl.exe
C:\WINDOWS\System32\oghogc.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\WINDOWS\system32\tibs3.exe
C:\WINDOWS\System32\winst.exe
C:\Program Files\IEMenuExtension\tbextn.dll

Reboot your computer normally.

Post back a new log.

Mike.

opmsatellite · Answer

Try Shutting off MSN Instant messenger, I had the Same Problem I shut off IM and I never had The trouble Again I hope it Works once you Shut it off Run ad aware Merry Christmas.

Virus & Spyware

Was this post helpful?