opups/slow internet

Question

Logfile of HijackThis v1.99.1
Scan saved at 11:01:37 AM, on 6/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ynbqevdx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\gkugvkdA.exe
C:\WINDOWS\cfg32.exe
C:\windows\system32\msdsregk.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Pop up Blocker\pd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\twintndt.exe
C:\WINDOWS\cfg32a.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [gkugvkdA] C:\WINDOWS\gkugvkdA.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [{C4-42-25-55-ZN}] C:\windows\system32\msdsregk.exe SKY003
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\hjwjgbec.dll",forkonce
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\twintndt.exe SKY003
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twintndt.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: PD - {FE13CFB3-5D1B-4825-8186-B4C46A32B6B9} - C:\Program Files\Pop up Blocker\pd.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182926338125
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: DomainService - - C:\WINDOWS\System32\ynbqevdx.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

bamajim · Answer

CrayolaMarkers06

1. I need you to help us out with some research

Please go HERE

Put Your Name, and Dell HJT forum

and In the file to submit box, click Browse.Using Windows Explorer

(Right click on "Start," select "Explore," and you will see the "tree' of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)

Locate the file

C:\WINDOWS\System32\hjwjgbec.dll

In the comments tell them that I asked you to upload the file
Then Select Send File.

2. Copy and paste the following into NotePad (Not Wordpad)

sc stop DomainService
sc delete DomainService

Click File ->> Save as ->>type in cmd.bat

Under "Save as type" Select " all files" ->>Save it to your Desktop
Close Notepad
The cmd.bat file should now appear on your Desktop (if it saved properly it should appear as a blue box with a gear in the middle of it)
Double Click that file (It will appear that nothing has happened, but that's o.k.)

3. Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

bamajim Graduate of MRU

CastleCops Instructor

Message Edited by bamajim on 06-27-2007 08:22 PM

CrayolaMarkers0 · Answer

I uploaded the file you told me to on the other website   here is the VundoFix log: VundoFix V6.5.1 Checking Java version... Sun Java not detected Scan started at 7:20:09 PM 6/27/2007 Listing files found while scanning.... C:\WINDOWS\System32\gebyw.dll C:\windows\system32\vhljegiy.exe C:\WINDOWS\System32\wybeg.bak1 C:\WINDOWS\System32\wybeg.bak2 C:\WINDOWS\System32\wybeg.ini C:\WINDOWS\System32\wybeg.ini2 C:\WINDOWS\System32\wybeg.tmp Beginning removal...  Attempting to delete C:\WINDOWS\System32\gebyw.dll C:\WINDOWS\System32\gebyw.dll Could not be deleted.  Attempting to delete C:\windows\system32\vhljegiy.exe C:\windows\system32\vhljegiy.exe Has been deleted!  Attempting to delete C:\WINDOWS\System32\wybeg.bak1 C:\WINDOWS\System32\wybeg.bak1 Has been deleted!  Attempting to delete C:\WINDOWS\System32\wybeg.bak2 C:\WINDOWS\System32\wybeg.bak2 Has been deleted!  Attempting to delete C:\WINDOWS\System32\wybeg.ini C:\WINDOWS\System32\wybeg.ini Has been deleted!  Attempting to delete C:\WINDOWS\System32\wybeg.ini2 C:\WINDOWS\System32\wybeg.ini2 Has been deleted!  Attempting to delete C:\WINDOWS\System32\wybeg.tmp C:\WINDOWS\System32\wybeg.tmp Has been deleted! Performing Repairs to the registry. Done! Beginning removal...  Attempting to delete C:\WINDOWS\System32\gebyw.dll C:\WINDOWS\System32\gebyw.dll Has been deleted! Performing Repairs to the registry. Done!     and here is the hijackthis log:   Logfile of HijackThis v1.99.1 Scan saved at 7:39:13 PM, on 6/27/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\mHotkey.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe C:\Documents and Settings\All Users\Application Data\qtynqxkr.exe C:\Program Files\WinAntiSpyware 2007\was7.exe C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe C:\WINDOWS\TEMP\win15.tmp.exe C:\Program Files\Pop up Blocker\pd.exe C:\Program Files\Outerinfo\OuterinfoUpdate.exe C:\Documents and Settings\Keith  Bauer\Application Data\?ssembly
?pdb.exe C:\Program Files\BraveSentry\BraveSentry.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\System32\HPZipm12.exe C:\WINDOWS\mgrs.exe C:\Program Files\Microsoft Money\System\urlmap.exe C:\WINDOWS\csrss.exe C:\WINDOWS\System32undll32.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Hijackthis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll O4 - HKLM\..\Run: [CHotkey] mHotkey.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [gkugvkdA] C:\WINDOWS\gkugvkdA.exe O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe O4 - HKLM\..\Run: [{C4-42-25-55-ZN}] C:\windows\system32\msdsregk.exe SKY003 O4 - HKLM\..\Run: [Salestart] 'C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe' O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32	wintndt.exe SKY003 O4 - HKLM\..\Run: [p328d32] C:\WINDOWS\p328d32 O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe O4 - HKLM\..\Run: [runner1] C:\WINDOWSetadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe O4 - HKLM\..\Run: [qtynqxkr.exe] C:\Documents and Settings\All Users\Application Data\qtynqxkr.exe O4 - HKLM\..\Run: [WinAntiSpyware 2007 Free] 'C:\Program Files\WinAntiSpyware 2007\was7.exe' /min O4 - HKLM\..\Run: [uwas7cw] 'C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe' -c O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win15.tmp.exe O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvrib.dll,startup O4 - HKLM\..\Run: [SC2] C:\WINDOWS\System32\scchk32.exe O4 - HKLM\..\Run: [icq.com] rundll32.exe 'C:\WINDOWS\System32\bhxqctmb.dll',forkonce O4 - HKLM\..\Run: [smgr] mgrs.exe O4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /background O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe O4 - HKCU\..\Run: [Pop up Blocker] 'C:\Program Files\Pop up Blocker\pd.exe' Minimize O4 - HKCU\..\Run: [Usrr] 'C:\Program Files\Outerinfo\OuterinfoUpdate.exe' -vt yazb O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe O4 - HKCU\..\Run: [Mmvdkne] 'C:\Documents and Settings\Keith  Bauer\Application Data\?ssembly
?pdb.exe' O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\System32\vexg6ame4.exe O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe O4 - HKCU\..\Run: [Outerinfo] 'C:\Program Files\Outerinfo\Outerinfo.exe' O4 - HKCU\..\Run: [OuterinfoUpdate] 'C:\Program Files\Outerinfo\OuterinfoUpdate.exe' O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32	wintndt.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\webelated.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\webelated.htm O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: PD - {FE13CFB3-5D1B-4825-8186-B4C46A32B6B9} - C:\Program Files\Pop up Blocker\pd.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633 O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182926338125 O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx O21 - SSODL: VhAKQqjnqGne - {CC6C4256-66C6-E8FC-EDB7-168CAFCC23FD} - C:\WINDOWS\System32\mf.dll O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\System32\yodl.dll O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

bamajim · Answer

CrayolaMarkers06

Thanks for the file. I got it.

1. Please download Combofix and save to your desktop:

Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

You may have to post the results in more than one reply

bamajim Graduate of MRU

CastleCops Instructor

CrayolaMarkers0 · Answer

Im sorry, I had to reformat my hard drive because it was getting way too slow. Thank you for your help tho, do you have a suggestion for antivirus software.

bamajim · Answer

CrayolaMarkers06 Go HERE and download AVG free bamajim   Graduate of MRU CastleCops Instructor

Virus & Spyware

opups/slow internet

Was this post helpful?