Annoyances.org
Getting Rid of Trojan Adclicker and Virtual Bouncer
Windows XP Annoyances Discussion Forum


Getting Rid of Trojan Adclicker and Virtual Bouncer
Friday, July 29, 2005 at 10:25 pm
Posted by Jason Tenzer (2 messages posted)

Hello,

Like many others on this forum, I've been plagued by this awful trojan. I've taken many steps to get rid of it, but not having much luck. I've scanned with Norton and it was able to find and delete 5 virus files in safe mode. Ran Spybot and Adaware in that order and gotten rid of some more stuff. In addition, I've cleared out temp files and removed all foreign programs. So, I've come to running HijackThis and I tried to do some fixing myself, but I'm hesitant because I don't want to screw up my system royally. Are there any other programs to run that require less knowledge?

Thanks,
Jason


re: Getting Rid of Trojan Adclicker and Virtual Bouncer
Friday, July 29, 2005 at 10:37 pm
Posted by Steve (18916 messages posted)

A lot of trojans have to be removed manually.


re: Getting Rid of Trojan Adclicker and Virtual Bouncer
Friday, July 29, 2005 at 11:32 pm
Posted by Ms. Eagle (32411 messages posted)


You can post your Hijack This log here. I'll have a look, and see if I can help. 
If not, perhaps someone else will jump in. Fixing most entries in HJT doesn't delete 
them, but it'll show where things are located.

First, please run an online virus scan, but disable System Restore before the scan, 
if it's enabled. You'll also need to temporarily disable Norton. 
CA eTrust 'Scan for Virus'

Be sure to get rid of any older versions of HJT and download the current one: 
Hijack This 1.99.1

Unzip HJT into a new folder. Example: C:\HJT. It 
creates backups of all fixed entries, and they're automatically saved in the same 
location.  Log off the net, then close all other open windows. Run 'HijackThis.exe'. 
Click "Do a system scan and save a logfile".

Once the scan is finished, the log will automatically open in Notepad. Select all 
and copy/paste the entire log here in a post.  Please click "Check this box to 
preserve your spacing...", before posting your log. 



Dealing with Unwanted Spyware and Parasites


re: Getting Rid of Trojan Adclicker and Virtual Bouncer
Monday, August 1, 2005 at 7:35 am
Posted by Jason Tenzer (2 messages posted)

Hi Carol,

Thanks so much for looking at this. I've been going nuts with this and I really don't 
want to have to hire a consultant to get rid of a virus. I've managed to get rid 
of a lot of stuff, but it seems to come back all the time under a different virus 
name. I think I'm just missing the re-installation files. Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 1:07:49 AM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\jqobpp.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper100.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\System32\stlb2.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\xrachwcm.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsw124.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\System32\stlb2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [qimfoc] C:\WINDOWS\System32\qimfoc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [nrpkdll] C:\WINDOWS\nrpkdll.EXE
O4 - HKLM\..\Run: [qtjpenc] C:\WINDOWS\qtjpenc.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jqobpp.exe reg_run
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [u37W3pT] uspin.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [ehwodll] C:\WINDOWS\ehwodll.EXE
O4 - HKLM\..\Run: [ehwoenc] C:\WINDOWS\ehwoenc.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [jchndll] C:\WINDOWS\jchndll.EXE
O4 - HKLM\..\Run: [jchnenc] C:\WINDOWS\jchnenc.EXE
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [mscin] C:\WINDOWS\system32\m190309.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [zgkvdll] C:\WINDOWS\zgkvdll.exe
O4 - HKLM\..\Run: [zgkvenc] C:\WINDOWS\zgkvenc.exe
O4 - HKLM\..\Run: [dkcldll] C:\WINDOWS\dkcldll.exe
O4 - HKLM\..\Run: [guerenc] C:\WINDOWS\guerenc.exe
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ohmt] C:\Program Files\ueeu\adhp.exe
O4 - HKCU\..\Run: [Tswd] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [oiwz] C:\PROGRA~1\COMMON~1\oiwz\oiwzm.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\ShmRedir.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\mfpqsvc.exe

Thanks,
Jason 





On Friday, July 29, 2005 at 11:32 pm, Carol J wrote:
>
>You can post your Hijack This log here. I'll have a look, and see if I can help.
>If not, perhaps someone else will jump in. Fixing most entries in HJT doesn't delete
>them, but it'll show where things are located.
>
>First, please run an online virus scan, but disable System Restore before the scan,
>if it's enabled. You'll also need to temporarily disable Norton.
>CA eTrust 'Scan for Virus'
>
>Be sure to get rid of any older versions of HJT and download the current one:
>Hijack This 1.99.1 (http://www.majorgeeks.com/download3155.html)
>
>Unzip HJT into a new folder. Example: C:\HJT. It
>creates backups of all fixed entries, and they're automatically saved in the same
>location. Log off the net, then close all other open windows. Run 'HijackThis.exe'.
>Click "Do a system scan and save a logfile".
>
>Once the scan is finished, the log will automatically open in Notepad. Select all
>and copy/paste the entire log here in a post. Please click "Check this box to
>preserve your spacing...", before posting your log.
>
>Dealing with Unwanted Spyware and Parasites


re: Getting Rid of Trojan Adclicker and Virtual Bouncer
Monday, August 1, 2005 at 12:47 pm
Posted by Ms. Eagle (32411 messages posted)


Hi Jason,

I've been going through your log, and you really have a mess of adware, a few downloader 
trojans (which continue to download and run more adware every time you connect to 
the net), another infection called the Qoologic trojan, etc.

Considering the extent of the infection, I suggest you get expert help on a malware 
support forum. It's going to require several steps and various logs to clear it all 
up. I suggest Security Central; it's a newer forum, so it's not as swamped as others. 

Security Central

Spyware Warrior forum

cexx.org discussion boards

Be sure to follow their cleaning instructions before you post a HijackThis log. The 
entries in the log will continue to change, so you'll need to post a new one. Let 
them know what the problem is, and what cleaning you've done so far. Some of the 
experts assist users on many different forums, so please post on only one forum.

In the meantime, stay off the net as much as possible. Better yet, if you have a 
DSL or Cable internet connection, pull the plug until you get this cleaned up. This 
will be more difficult to get rid of otherwise. That's if at all possible, and you 
have easy access to another machine, which you can use to post messages from and 
transfer logs via a floppy disk.



Dealing with Unwanted Spyware and Parasites
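
Added example, not part of the original thread and not HijackThis's own code: a short Python parser for the HijackThis 1.99.1 log format posted above. It re-joins entries that a forum post has wrapped onto a second line and lists the entries carrying HijackThis's own "(file missing)", "(no name)" and "Unknown owner" markers; the function names are hypothetical, and a listed entry is a prompt for review, not a verdict.

```python
import re

# Excerpt of the log posted in this thread; the R3 entry is wrapped onto a second line.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\jqobpp.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program
Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jqobpp.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\mfpqsvc.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                # e.g. "O4 - ..."
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")     # O4 registry Run values

def parse_hjt(log_text):
    """Return [(code, detail)]; pass only the log, not the text around it."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line and entries:
            entries[-1][1] += " " + line   # wrapped entry: re-join at the space
    return [tuple(e) for e in entries]

def review_flags(entries):
    """Entries carrying markers that HijackThis itself prints in the log."""
    markers = {"(file missing)": "registered file is missing",
               "(no name)": "component has no display name",
               "Unknown owner": "service owner not identified"}
    flagged = []
    for code, detail in entries:
        reasons = [why for text, why in markers.items() if text in detail]
        if reasons:
            flagged.append((code, detail, reasons))
    return flagged

def autoruns(entries):
    """(hive, value name, command) for each O4 registry Run entry."""
    hits = (RUN.match(d) for c, d in entries if c == "O4")
    return [m.groups() for m in hits if m]

if __name__ == "__main__":
    for item in review_flags(parse_hjt(SAMPLE_LOG)):
        print(item)
```

Header and process lines before the first coded entry are skipped, so the whole log can be passed in as saved by HijackThis.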


All content at Annoyances.org is Copyright © 1995-2008 Creative Element™. All rights reserved.
Please do not plagiarize; redistributing these pages without permission is strictly prohibited.