Note: The following is only a text archive! To view the actual forum discussion, please visit our website at http://www.tech-forums.net

could someone help me?

Posted by: grumplefuz

I came across this site when trying to find a solution to my computer ailments. I am having trouble especially with this BMan! I downloaded HijackThis, and I will post the log. I would appreciate it if anyone can lead me in what to do to rid some of these problems. They are driving me crazy! Thank you anyone!!

Logfile of HijackThis v1.99.1
Scan saved at 7:51:07 PM, on 4/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\S4F\Filter7.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\soft602\pdfSaver.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\ramlra.exe
C:\WINDOWS\YKOLDLL.EXE
C:\WINDOWS\BNIQENC.EXE
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\d3diptpw.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\w?nlogon.exe
C:\Documents and Settings\Administrator\Application Data\ucae.exe
C:\WINDOWS\System32\cretilse.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\S4F\filter7.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\BundleLite_westfrontier1001.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX01.955\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsr54.dll
O2 - BHO: (no name) - {DC807999-E22A-C7F2-715A-9F5B212F60C7} - C:\WINDOWS\System32\tksfq.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\soft602\pdfSaver.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ramlra.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteajj32.exe
O4 - HKLM\..\Run: [YKOLDLL] C:\WINDOWS\YKOLDLL.EXE
O4 - HKLM\..\Run: [BNIQENC] C:\WINDOWS\BNIQENC.EXE
O4 - HKLM\..\Run: [GMedia2] C:\WINDOWS\tempdl\GSM2.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [373U3pQ] d3diptpw.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\BundleLite_westfrontier1001.exe run
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Hfzqlbo] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Esra] C:\Documents and Settings\Administrator\Application Data\ucae.exe
O4 - HKCU\..\Run: [Iws8RfcnP] cretilse.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\Cache\Advtg.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0015.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Posted by: MicroBell

grumplefuz: You have a very nasty rootkit hijacker which will take several steps to remove. Please post the logs from the following tools...

Download and install CleanUp: http://cleanup.stevengould.org/

Download KillBox: http://www.atribune.org/downloads/KillBox.exe

Download [b]Rkfiles.zip[/b]: http://skads.org/special/rkfiles.zip
UNZIP the contents to a permanent folder on your desktop.

Download the following attachment [b]remv3.zip[/b]: http://forums.skads.org/index.php?showtopic=80
Make a folder on the root drive C:\ and unzip the files into it.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

**Note** For XP/ME... [b]DO NOT DISABLE SYSTEM RESTORE YET!!![/b] This is in case you make a mistake in deleting a file on either of the logs. You will address this at the end of the fix!!

Now run the Cleanup utility and reboot/logoff when prompted.

[b]REBOOT TO SAFE MODE[/b]… These tools [b]MUST[/b] be run in safe mode!!

Once in safe mode…

Double click [b]rkfiles.bat[/b]. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it [b]log1.txt[/b].

Now open the folder where you saved the [b]remv3.zip[/b] files and double click the [b]rem.bat[/b] file and let it run.
It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\[b]log.txt[/b] and bad1.txt.

[color=blue]**Note** Each tool uses log.txt as its output file, so make sure you save the entries from one tool's log before running the other, as it will overwrite the file if you don't.[/color]

Reboot back to normal mode and post the contents of both the [b]log.txt and log1.txt[/b] in your next post.

Posted by: grumplefuz

It took me a while... but I finally did everything :) Here are the results for log...

Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is B053-F6D9

Directory of C:\WINDOWS\system32

msi.dll
Finished

and log1.....

\antispyware\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\AUNPS2.dll: UPX!
C:\WINDOWS\system32\avisynth.dll: UPX!
C:\WINDOWS\system32\bi4.exe: UPX!
C:\WINDOWS\system32\in5b4s.dll: UPX!
C:\WINDOWS\system32\in5b4s.dll: UPX!
C:\WINDOWS\system32\nopqn.dll: UPX!
C:\WINDOWS\system32\pacis.exe: UPX!
C:\WINDOWS\system32\pav.sig: UPX!
C:\WINDOWS\system32\pehbpep.dll: UPX!
C:\WINDOWS\system32\qgbyq.dat: UPX!
C:\WINDOWS\system32\ramlra.exe: UPX!
C:\WINDOWS\system32\winup2date.dll: UPX!
C:\WINDOWS\system32\winupdt.exe: UPX!
C:\WINDOWS\system32\wmconfig.cpl: UPX!
C:\WINDOWS\system32\eliteajj32.exe: FSG!
C:\WINDOWS\system32\elitegfv32.exe: FSG!
C:\WINDOWS\system32\eliteipu32.exe: FSG!
C:\WINDOWS\system32\eliterjr32.exe: FSG!
C:\WINDOWS\system32\elitetgx32.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dupc.exe: UPX!
Files Found in all users windows Folder............
------------------------
Finished bye

I have no idea what any of this means or what to do from here. So I appreciate your time more than you could know!

shana aka grumplefuz

Posted by: MicroBell

shana: We are going to attack this in 2 steps. In the first we will run a fix on your current HijackThis log and in the 2nd the rootkit hijacker. You may want to print these instructions out so you can follow along. Don't miss, skip, or take out of order any of the steps.

STEP 1....

Please move HijackThis to its own folder on C: (C:\HJT)

[color=blue][b]Before attacking an adware/spyware problem with HijackThis make sure you have already run [color=red]Ad-Aware SE[/color] with the [color=red]VX2[/color] add-on cleaner, [color=red]Spybot Search & Destroy[/color] (with updated database) and [color=red]CWShredder[/color], as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok.. on to the log…..[/b][/color]

If you have a high-speed connection please run an online virus scan from [b]TrendMicro[/b] (http://housecall.trendmicro.com/housecall/start_corp.asp). Please select the "autoclean" option when prompted to do so.

Download and install [b]CleanUp[/b]: http://cleanup.stevengould.org/

Download [b]KillBox[/b]: http://www.atribune.org/downloads/KillBox.exe

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled.
Also make sure that the System Files and Folders are showing/visible also.

Make sure you have a restore point before running the fix. We will address the restore folder at the end.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers.

Open Add/Remove Programs and remove the following if listed:

[b]New.net/NewDotNet
Media Access
GMedia2
Ebates
Web Offer[/b]

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be, but make sure):

[b]C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\ramlra.exe
C:\WINDOWS\YKOLDLL.EXE
C:\WINDOWS\BNIQENC.EXE
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\d3diptpw.exe
C:\WINDOWS\System32\w?nlogon.exe
C:\WINDOWS\System32\cretilse.exe[/b]

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry):

[b]O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsr54.dll
O2 - BHO: (no name) - {DC807999-E22A-C7F2-715A-9F5B212F60C7} - C:\WINDOWS\System32\tksfq.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ramlra.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteajj32.exe
O4 - HKLM\..\Run: [YKOLDLL] C:\WINDOWS\YKOLDLL.EXE
O4 - HKLM\..\Run: [BNIQENC] C:\WINDOWS\BNIQENC.EXE
O4 - HKLM\..\Run: [GMedia2] C:\WINDOWS\tempdl\GSM2.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [373U3pQ] d3diptpw.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\BundleLite_westfrontier1001.exe run
O4 - HKCU\..\Run: [Hfzqlbo] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [Esra] C:\Documents and Settings\Administrator\Application Data\ucae.exe
O4 - HKCU\..\Run: [Iws8RfcnP] cretilse.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\Cache\Advtg.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activ...pside_web18.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0015.exe[/b]

Delete the following Files/Folders in [color=red][b]RED[/b][/color] (delete folders if no filename is specified or if they are highlighted in RED) according to their directory. (If you can't find them, do a search for them; make sure you have search hidden files, folders, subdirectories, etc. enabled if it applies to your OS.)

[b]C:\WINDOWS\System32\[color=red]winupdt.exe[/color]
C:\WINDOWS\System32\[color=red]ramlra.exe[/color]
C:\WINDOWS\[color=red]YKOLDLL.EXE[/color]
C:\WINDOWS\[color=red]BNIQENC.EXE[/color]
C:\WINDOWS\System32\[color=red]exp.exe[/color]
C:\WINDOWS\System32\[color=red]wintask.exe[/color]
C:\WINDOWS\System32\[color=red]d3diptpw.exe[/color]
C:\WINDOWS\System32\[color=red]w?nlogon.exe[/color]
C:\WINDOWS\System32\[color=red]cretilse.exe[/color]
C:\WINDOWS\System32\[color=red]tksfq.dll[/color]
C:\WINDOWS\System32\[color=red]nsr54.dll[/color]
C:\WINDOWS\system32\[color=red]ossproxy.exe[/color]
C:\PROGRA~1\[color=red]NEWDOT~1\NEWDOT~1.DLL[/color]
C:\Documents and Settings\All Users\Application Data\[color=red]msw\BMan1.exe[/color]
C:\windows\system32\[color=red]eliteajj32.exe[/color]
C:\WINDOWS\[color=red]tempdl\GSM2.exe[/color]
C:\WINDOWS\System32\[color=red]pacis.exe[/color]
C:\Program Files\[color=red]Media Access\MediaAccK.exe[/color]
C:\Documents and Settings\Administrator\Application Data\[color=red]ucae.exe[/color]
C:\WINDOWS\System32\Cache\[color=red]Advtg.exe[/color]
C:\Program Files\[color=red]Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm[/color][/b]

Now run the Cleanup utility and reboot/logoff when prompted.

Now proceed to step 2.

==========================================

STEP 2..

Reboot into safe mode..

Run KillBox. Paste the following locations into KillBox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask to reboot now... click [b]NO[/b]... and proceed with the next file. Once you get to the last one click [b]YES[/b] and it will reboot.

[color=blue]**Note** Some of these may already be gone... but put them in anyway. Make sure you do not miss any!
If, once you reach the last one, you get a "Pending File Operation" message, just reboot manually.[/color]

[b]C:\WINDOWS\system32\AUNPS2.dll
C:\WINDOWS\system32\avisynth.dll
C:\WINDOWS\system32\bi4.exe
C:\WINDOWS\system32\in5b4s.dll
C:\WINDOWS\system32\in5b4s.dll
C:\WINDOWS\system32\nopqn.dll
C:\WINDOWS\system32\pacis.exe
C:\WINDOWS\system32\pehbpep.dll
C:\WINDOWS\system32\qgbyq.dat
C:\WINDOWS\system32\ramlra.exe
C:\WINDOWS\system32\winup2date.dll
C:\WINDOWS\system32\winupdt.exe
C:\WINDOWS\system32\wmconfig.cpl
C:\WINDOWS\system32\eliteajj32.exe
C:\WINDOWS\system32\elitegfv32.exe
C:\WINDOWS\system32\eliteipu32.exe
C:\WINDOWS\system32\eliterjr32.exe
C:\WINDOWS\system32\elitetgx32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dupc.exe[/b]

Once you're rebooted... boot back to safe mode, run [b]rkfiles[/b] again and save its log. Run Cleanup again and reboot back to normal Windows.

Then download the following tool and run it....

Download this virus checker and tool from eScan: [b]Mwav.exe[/b] (http://www.mwti.net/antivirus/mwav.asp) (Use Link 3)
1. Save it to a folder.
2. Reboot into safe mode.
3. Double click the [b]Mwav.exe[/b] file. [color=blue](This is a stand-alone tool and NOT just a virus checker...... so it won't install anything)[/color]
4. Select all local drives, scan all files, press [b]SCAN[/b] and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane...... Left click and [b]Highlight[/b] all the info in the Lower pane--- Use [b]"CTRL C"[/b] on your Keyboard to copy all found in the lower pane and save it to a notepad file.

[color=red]*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.[/color] We are not going to use this to remove anything.. but to ID the bad guys.

Once you copy that to a notepad file... highlight the text and copy it here along with a new HijackThis log.
So I need the following logs....

Mwav log
HijackThis log
Rkfiles log

Posted by: grumplefuz

ok! Things are looking up. Here are the rest of the logs......

hijackthis.......

Logfile of HijackThis v1.99.1
Scan saved at 8:08:27 PM, on 4/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\S4F\Filter7.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\soft602\pdfSaver.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ramlra.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX10.742\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\soft602\pdfSaver.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ramlra.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

now for the mwav

File C:\Documents and Settings\Administrator\Application Data\ucae.exe infected by "not-a-virus:AdWare.PurityScan.v" Virus. Action Taken: No Action Taken.

and finally, the rkfiles.....
C:\antispyware\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\pav.sig: UPX!
C:\WINDOWS\system32\ramlra.exe: UPX!
C:\WINDOWS\system32\eliterjr32.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished bye

There are a few that seem to be pretty resilient.... ramlra for instance........ but things are already running much more smoothly. You are the greatest!!!!!!!!!!!!!! Anything else I should do? Can you recommend a way I can prevent this in the future? thanks again!!!!!!!!!!!!!!!!!!!!!!!!!!!!

shana

Posted by: MicroBell

We will address that at the end. Still got some baddies.

Reboot into safe mode. Open Task Manager and KILL this process..

[b]C:\WINDOWS\System32\ramlra.exe[/b]

Run KillBox again using the same instructions and put these files in the box....

[b]C:\WINDOWS\system32\ramlra.exe
C:\WINDOWS\system32\eliterjr32.exe
C:\Documents and Settings\Administrator\Application Data\ucae.exe[/b]

Once back to normal Windows KILL the following processes:

[b]C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe[/b]

Run HijackThis again and fix the following...

[b]O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ramlra.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm[/b]

C:\Program Files\[b]Web_Rebates[/b] <-- delete that folder.

Run the Cleanup utility and reboot/logoff when prompted. Then give me another set of all 3 logs.
Things you can do to prevent this.....

a. Update both XP and IE6 with the latest service packs. In reality this PC should not even be on the net. You have NO protection.

b. Please read through the spyware prevention section on how to protect yourself from spyware/adware [b][URL=http://www.greyknight17.com/spyware.htm]Here[/URL][/b] and use the recommended programs and methods to protect yourself!

Posted by: grumplefuz

Ok. I now have Norton installed. Hopefully not too late. In safe mode... the ramlra process does not run... so I could not kill it. It would only run in normal boot. I didn't delete it in normal because I didn't know if I should. Kill-bot still didn't get it, and when I tried to delete the folder... it wouldn't let me. It wouldn't let me delete the rebates one either :(

Here is what I have:

rkfiles

ntispyware\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\nopqn.dll: UPX!
C:\WINDOWS\system32\pav.sig: UPX!
C:\WINDOWS\system32\qgbyq.dat: UPX!
C:\WINDOWS\system32\ramlra.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dupc.exe: UPX!
Files Found in all users windows Folder............
------------------------
Finished bye

mwav...... (I let it run for over an hour... not just on the drives.) Is all this crap still on the computer???!!!!

File C:\WINDOWS\System32\pehbpep.dll infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ramlra.exe infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cxrqcxc.exe infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ramlra.exe infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dupc.exe infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File System Found infected by "Bargain Buddy Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "FunWebProducts Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "mywebsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "mysearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "web rebates Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "untopr1150 Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Web_Rebates Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "elitetoolbar Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "lq Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Narrator Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "VGroup Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "autoloader Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BNIQENC.EXE infected by "Trojan-Downloader.Win32.VB.hj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Helper101.dll infected by "Trojan-Clicker.Win32.Delf.r" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_38.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\YKOLDLL.EXE infected by "Trojan-Downloader.Win32.VB.hj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\BundleLite_westfrontier1001.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dist001.exe infected by "Trojan-Downloader.Win32.VB.eu" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\EDow_AS2.exe infected by "not-a-virus:AdWare.Wintol.ab" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\javex80.vxd infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\nopqn.dll infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\pehbpep.dll infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\psis80ex.ax infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\qgbyq.dat infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.

And finally, the hijackthis....
Logfile of HijackThis v1.99.1
Scan saved at 8:10:09 PM, on 4/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\S4F\Filter7.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\soft602\pdfSaver.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ramlra.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\S4F\filter7.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kavss.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.727\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://start.earthlink.net[/url]

Am I doing something wrong?? Thanks again for all your help, you saved my computer and Lord knows you did not have to. You could have made it worse if you weren't nice :)

shana

Posted by: MicroBell

You must be doing something wrong, as KILLBOX removes the file regardless of whether it's in use or not when the system is rebooted. Ok... let's try again...

Disconnect this PC from any internet access. Run the cleanup utility and reboot/logoff when prompted. Once you're back to normal windows.... reboot into safe mode.

Open task manager and KILL this process if it's running...
[b]C:\WINDOWS\System32\ramlra.exe[/b]

Now run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says [b]"Delete on Reboot"[/b], [b]"Unload Explorer shell"[/b] and checkmark the box [b]"Unregister DLL"[/b] (if available). Click the RED X and a box pops up asking you to confirm deletion... say [b]Yes[/b] and it will ask to reboot now... click [b]NO[/b]... and proceed with the next file. Once you get to the last one click [b]YES[/b] and it will reboot.

**Note** You need to do each file one at a time. Copy and paste the whole path in the box. Miss one.... and the fix fails.
[b]C:\WINDOWS\system32\nopqn.dll
C:\WINDOWS\system32\qgbyq.dat
C:\WINDOWS\system32\ramlra.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dupc.exe
C:\WINDOWS\System32\pehbpep.dll
C:\WINDOWS\System32\cxrqcxc.exe
C:\WINDOWS\BNIQENC.EXE
C:\WINDOWS\Helper101.dll
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\woinstall.exe
C:\WINDOWS\YKOLDLL.EXE
C:\WINDOWS\System32\BundleLite_westfrontier1001.exe
C:\WINDOWS\System32\dist001.exe
C:\WINDOWS\System32\EDow_AS2.exe
C:\WINDOWS\System32\javex80.vxd
C:\WINDOWS\System32\psis80ex.ax[/b]

Once you reboot, run the cleanup utility again. Then, to be safe, run the same deletion process again in normal mode. Once you reboot from the second run... reconnect your internet connection and give me a new set of the following logs...

hijackthis
Mwav
Rkfiles

The problem is your OS is so outdated and unprotected that the spyware/adware is being replaced as we remove it. If this fails... and we end up right back here.... you will need to install those programs from that link I provided and update both XP and IE6 with the service packs and ALL critical updates before we go any further. You will also need to install a firewall to prevent this stuff from getting downloaded.

Posted by: Warez Monster

Remove entries at your own risk

C:\Program Files\S4F\Filter7.exe This is an unknown process.
C:\Program Files\S4F\filter7.exe This is an unknown process.

Posted by: Liquidtricity

Actually filter7.exe is the executable file for the "Filterpak for Windows". Removing these entries could sever a very delicate tie between a number of Winsock layers and the program running them. Before removing those entries please call your software vendor for this product or, at worst, the program manufacturer at 918-524-1010. You can also email your problem to [email]support@familyconnect.com[/email]

Posted by: Warez Monster

This is dead.
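The triage MicroBell performs in this thread, reading the HijackThis O4 autostarts against the mwav detections and the rkfiles packer report to decide which files go into the KillBox list, as an added Python example (not a tool used in the thread). The log excerpts are constructed from lines posted above, and the three regexes are my assumptions about those log formats.

```python
import re

# Constructed excerpts of the three logs posted in this thread (HijackThis, mwav, rkfiles).
HJT_LOG = r"""
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ramlra.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
"""
MWAV_LOG = r"""
File C:\WINDOWS\System32\ramlra.exe infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\nopqn.dll infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File System Found infected by "Web_Rebates Spyware/Adware" Virus. Action Taken: No Action Taken.
"""
RKFILES_LOG = r"""
C:\WINDOWS\system32\ramlra.exe: UPX!
C:\WINDOWS\system32\eliterjr32.exe: FSG!
"""

# One regex per log format (assumed from the samples); paths are lower-cased so System32/system32 agree.
O4_RE = re.compile(r'^O4 - (?P<hive>\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?)"?\s*$')
MWAV_RE = re.compile(r'^File (?P<path>.+?) infected by "(?P<detection>[^"]+)"')
RK_RE = re.compile(r'^(?P<path>.+?): (?P<packer>\w+)!$')

def parse_autostarts(hjt_text):
    """Map path -> (hive, value name) for every O4 Run entry in a HijackThis log."""
    matches = (O4_RE.match(line) for line in hjt_text.splitlines())
    return {m["path"].lower(): (m["hive"], m["name"]) for m in matches if m}

def parse_detections(mwav_text):
    """Map path -> detection name; 'File System Found' hits name no file and are skipped."""
    matches = (MWAV_RE.match(line) for line in mwav_text.splitlines())
    return {m["path"].lower(): m["detection"] for m in matches if m and "\\" in m["path"]}

def parse_packed(rk_text):
    """Map path -> packer name (UPX, FSG) for every file rkfiles flagged as packed."""
    matches = (RK_RE.match(line) for line in rk_text.splitlines())
    return {m["path"].lower(): m["packer"] for m in matches if m}

def build_worklist(hjt_text, mwav_text, rk_text):
    """Sorted (path, reasons): every scanner detection, plus any packed file that is also an autostart."""
    runs = parse_autostarts(hjt_text)
    work = {}
    for path, det in parse_detections(mwav_text).items():
        work.setdefault(path, []).append(f"mwav: {det}")
    for path, packer in parse_packed(rk_text).items():
        if path in runs:  # a packed binary wired into a Run key deserves a look even without a signature hit
            hive, name = runs[path]
            work.setdefault(path, []).append(f"rkfiles: {packer}-packed autostart {hive} Run [{name}]")
    return sorted(work.items())
```

A packed file that is not an autostart (eliterjr32.exe here) stays off the list unless a scanner names it, which mirrors the rkfiles warning that packed does not mean bad.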