I need help, Quick!
Greetings. I'm in urgent need of help with spyware attacks.
I have Ad-Aware 6, Spybot S&D and HijackThis. That's it.
Well, I get a pop-up every minute or so... just one every minute for some random thing... I know I don't have the big stuff like 180searchware or CoolWWWSearch.
It's not big, that's why it's weird.
But OK, I scan with all 3 and get rid of all 3.
I think it's called elitejky32.exe and vimml.exe or something,
and I get rid of them... but they come back...
The spyware scanners get rid of it, then it just comes back.
What do I do? I really can't just reformat.
EDIT: OK, I figured out some things.
It's called Ebates Moneymaker. I got rid of the registry thing, so Ebates is gone.
My new one is in the processes, it's called Vimmll.exe.
I can't find it in Spybot or Ad-Aware and it only shows up in HijackThis, but it comes back too... is there something I do for that?
This topic is archived. New comments cannot be posted and votes cannot be cast.
Responses to this topic
If you have the Elite Toolbar, download the Elite Toolbar remover:
http://www.majorgeeks.com/download.php?det=4465
If you are getting pop-ups every minute or so, this may (or may not) be Qoologic. If so, what is your OS?
Can we see your HijackThis log?
What OS have you got? XP?
If you've got XP, then:
Disable Simple File Sharing
1. Open My Computer from the Start Menu or Windows XP Desktop. A new My Computer window will appear.
2. Open the Tools menu and choose the "Folder Options..." option from this menu. A new Folder Options window will appear.
3. Click on the View tab and locate the "Use Simple File Sharing (Recommended)" checkbox in the list of Advanced Settings.
4. To enable Simple File Sharing, ensure this checkbox is checked. To disable Simple File Sharing, ensure this checkbox is not checked. Click inside the checkbox to alternately enable and disable the option.
5. Click OK to close the Folder Options window. The settings for Simple File Sharing are now updated; no computer reboot is required.
jerry atrik's tip
Quote: right-click the nasty file (in your case: "vimmll.exe"), Properties / Security tab / Advanced
uncheck the "inherit from parent permissions" box
yes to the annoyance pop-up
apply
remove all users (including SYSTEM) from the groups/users box
yes to the annoyance pop-up
reboot
the file is now unable to do anything
you can either leave it or re-take ownership and delete it
(because the system didn't have permission to load it, it won't load at boot)
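The ACL trick quoted above, as an added example that is not part of the thread (none of the posters wrote it): a PowerShell equivalent for a current Windows build, run from an elevated session. It assumes PowerShell 5 or later and takeown.exe on the path, and uses the thread's file name only as the target; none of this exists on XP, where the GUI steps quoted above are the way to do it. The function names are this example's own. One caveat the later posts bear out: an empty DACL neuters this one file only. The Active Setup stub, the Startup-folder exe and the Run values that turn up later in the thread can drop it again, so they have to go too.

```powershell
# Added example, not from the thread. Assumes PowerShell 5+, an elevated
# session and takeown.exe on the path. Target path is the one named above.

function Lock-DroppedFile {
    param([Parameter(Mandatory)][string]$Path)

    # 1. Take ownership first. The owner of an object always keeps implicit
    #    READ_CONTROL and WRITE_DAC, so the empty DACL below stays reversible.
    & takeown.exe /f $Path | Out-Null

    # 2. Break inheritance and discard the inherited ACEs (the "inherit from
    #    parent permissions" checkbox in the tip).
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # 3. Remove every remaining explicit ACE, SYSTEM included. An empty (not
    #    null) DACL grants nothing to anyone, so CreateProcess/LoadLibrary on
    #    the file fails for every principal, the Run-key launch at logon too.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # 0 on success: no ACE left on the file
    return (Get-Acl -LiteralPath $Path).Access.Count
}

function Unlock-AndRemoveFile {
    param([Parameter(Mandatory)][string]$Path)

    # Re-grant the current user Full Control (possible because the owner's
    # implicit WRITE_DAC survives an empty DACL), then delete the file.
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    [void]$acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Remove-Item -LiteralPath $Path -Force
}

# Usage (elevated):
#   Lock-DroppedFile -Path 'C:\WINDOWS\System32\vimmll.exe'   # returns 0
#   reboot, confirm the pop-ups stop, then
#   Unlock-AndRemoveFile -Path 'C:\WINDOWS\System32\vimmll.exe'
```

Ownership is taken before the DACL is emptied for a reason: once the DACL is empty, only the owner (via the implicit READ_CONTROL and WRITE_DAC) can read or rewrite it without a further takeown. The Run value that points at the file still exists after this, so expect a failed-launch error at logon until that value and the rest of the dropper chain are removed.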
Logfile of HijackThis v1.99.1
Scan saved at 11:36:52 AM, on 4/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\vimmll.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jordan\Desktop\Krap\HijackThis.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitejky32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vimmll.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
I've known how to keep a clean, fast computer until this; everything feels slow, I just can't stand it...
Any other info: Win XP Pro.
When I can't find the offending file, I scan with Ad-Aware and look at the files it "can't" delete.
http://www.majorgeeks.com/download.php?det=4465
Download this and run it in Safe Mode.
Also, download the following:
http://lineofire.geekstogo.com/FindIt%20NT-2K-XP.zip
# Unzip the contents of FindIt NT-2K-XP.zip to a convenient location.
# Navigate to the FindIt NT-2K-XP directory.
# Double-click on FindVX2.bat and wait for it to run.
# It should open a Notepad window with the FindVX2 log.
# Post the contents of FindVX2.txt into your next post.
This is a nice batch file. I've used it a couple times. In fact I already have an improved version of this, that I did on my own.
Also, download and post the log of this program too.
http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981
OK, this is kind of big, but:
---------------- FindVX2 NT-2K-XP ----------------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
***** Operating System *****
Microsoft Windows XP Professional 5.1 (Build 2600)
********* Date/Time ********
Thursday, April 21, 2005 (4/21/2005)
1:44 PM, Pacific Daylight Time
*********** Path ***********
FindVX2.bat is running from: C:\Documents and Settings\Jordan\Desktop\FindIt NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 50D1-34D6
Directory of C:\WINDOWS\System32
04/21/2005 12:14 PM <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 62,642,429,952 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 50D1-34D6
Directory of C:\WINDOWS\System32
04/21/2005 12:14 PM <DIR> dllcache
04/14/2005 01:06 PM 488 WindowsLogon.manifest
04/14/2005 01:06 PM 488 logonui.exe.manifest
04/14/2005 01:06 PM 749 nwc.cpl.manifest
04/14/2005 01:06 PM 749 sapi.cpl.manifest
04/14/2005 01:06 PM 749 wuaucpl.cpl.manifest
04/14/2005 01:06 PM 749 cdplayer.exe.manifest
04/14/2005 01:06 PM 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 62,642,429,952 bytes free
--------------- Files Named "Guard" --------------
Volume in drive C has no label.
Volume Serial Number is 50D1-34D6
Directory of C:\WINDOWS\System32
-------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is 50D1-34D6
Directory of C:\WINDOWS\System32
08/23/2001 05:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 62,642,425,856 bytes free
------------------- User Agent -------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"iebar"=""
--------------- Keys Under Notify ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------ Shell Extensions Approved -----------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
--------------- Locate.com Results ---------------
C:\WINDOWS\SYSTEM32\
cdplay~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K
logonu~1.man Thu Apr 14 2005 1:06:48p A..HR 488 0.48 K
ncpacp~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K
nwccpl~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K
sapicp~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K
window~1.man Thu Apr 14 2005 1:06:48p A..HR 488 0.48 K
wuaucp~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K
7 items found: 7 files, 0 directories.
Total of file sizes: 4,721 bytes 4.61 K
---------------- FindVX2 NT-2K-XP ----------------
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* urllogic C:\WINDOWS\JMHHV.DLL
* qoologic C:\WINDOWS\JMHHV.DLL
* qoologic C:\WINDOWS\UNADBEH.EXE
* ad-beh C:\WINDOWS\System32\ADPPQ.DLL
* ad-beh C:\WINDOWS\System32\TSHHBBR.DLL
* ad-beh C:\WINDOWS\System32\WINUP2~1.DLL
* ad-beh C:\WINDOWS\System32\BDRRQQM.EXE
* ad-beh C:\WINDOWS\System32\VIMMLL.EXE
* ad-beh C:\WINDOWS\System32\WMCONFIG.CPL
* ad-beh C:\WINDOWS\UNADBEH.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\docume~1\alluse~1\startm~1\programs\startup\NRPP.EXE
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f7ecc3
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
nrpp.exe
User Startup:
C:\Documents and Settings\Jordan\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmttkkxk
<NO NAME> REG_SZ {ff549842-977e-454e-a730-3e4f5f3d81e3}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"Find activesetup", version1, launched at: 14:54
Operating System: Windows XP
HKLM\Software\Microsoft\Active Setup\Installed Components\
"6cb1abe1-2bcc-47a0-8a90-2ac368f47d8b\(Default)" = ""
\StubPath = "C:\WINDOWS\System32\bdrrqqm.exe" [null data]
Okay.
This might be a pain, but go into Safe Mode.
Bring up a command prompt.
Also, I prefer going into the Recovery Console.
Go to the C:\Windows directory by typing in:
cd\windows
Then type in:
attrib -r -h -s -a jmhhv.dll
attrib -r -h -s -a unadbeh.exe
erase jmhhv.dll
erase unadbeh.exe
cd system32
attrib -r -h -s -a adppq.dll
attrib -r -h -s -a tshhbbr.dll
attrib -r -h -s -a winup2~1.dll
attrib -r -h -s -a bdrrqqm.exe
attrib -r -h -s -a vimmll.exe
attrib -r -h -s -a wmconfig.cpl
erase adppq.dll
erase tshhbbr.dll
erase winup2~1.dll
erase bdrrqqm.exe
erase vimmll.exe
erase wmconfig.cpl
cd\docume~1\alluse~1\startm~1\programs\startup
attrib -r -h -s -a nrpp.exe
erase nrpp.exe
exit
Then click Start, Run, regedit.
Now navigate to HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmttkkxk
Delete the key fmttkkxk.
Now navigate to
HKLM\Software\Microsoft\Active Setup\Installed Components\
Delete the key "6cb1abe1-2bcc-47a0-8a90-2ac368f47d8b\(Default)".
Reboot back into Normal Mode, and give me your logs again.
If you have any questions before doing any of this, feel free to ask them.
Your problem is from the Qoologic trojan downloader. Avast can find it, but not get rid of it. Norton can't find it, McAfee can't find it, Ad-Aware doesn't do anything, Spybot nothing, MS AntiSpyware doesn't fix it.
This roundabout way is the only way I know how to fix this. Though, I'm presently (unless someone beats me to it) making a program that is a bit more optimized.
The hard part is that not everything in those logs is considered bad.
I already have at home a batch file that does exactly the same as FindIt, except it is a bit more friendly. Also, it auto-creates a batch file that needs to be run to fix these issues. But it still needs some work, like some errorlevel checks.
I've been writing batch files for about 10 years. My favourite ones were when ANSI.SYS was popular...
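The hand-typed fix list above and the auto-generated cleanup batch described in the last reply, as an added example (not the thread's own batch file, which was never posted): a PowerShell function that reads a FindIt/fstarts-style log and emits a cmd.exe script for Safe Mode. It assumes PowerShell 5 or later. $SampleLog is an excerpt of the log posted above; the function name, its parameter names and the list of flagged context-menu handlers (fmttkkxk, the one the reply singled out by eye) are this example's own choices. It emits absolute, quoted paths, which sidesteps the kind of directory typo a hand-typed cd invites, and de-duplicates files the log lists under two families.

```powershell
# Added example, not the batch file the reply describes. Assumes PowerShell 5+.
# Turns a FindIt/fstarts log into a cmd.exe cleanup script for Safe Mode:
# attrib + del for every file the log flags, reg delete for the keys.

function ConvertTo-CleanupScript {
    param(
        [Parameter(Mandatory)][string]$LogText,
        # Handler names an analyst has already judged bad. The log lists
        # legitimate handlers (WinRAR, Open With) too, so none are auto-picked.
        [string[]]$SuspectContextMenuHandlers = @()
    )
    $files = [System.Collections.Generic.List[string]]::new()
    $keys  = [System.Collections.Generic.List[string]]::new()
    # Case-insensitive set: the log lists JMHHV.DLL under two families and
    # bdrrqqm.exe both as a file and as an Active Setup StubPath.
    $seen  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $asKey = $null

    foreach ($line in ($LogText -split "`r?`n")) {
        $t = $line.Trim()
        # "* <family> <path>" lines from the Files found / startup files sections
        if ($t -match '^\*\s+\S+\s+([A-Za-z]:\\.+)$') {
            if ($seen.Add($Matches[1])) { $files.Add($Matches[1]) }
            continue
        }
        # Active Setup: the component key line precedes its StubPath line.
        # The key name is kept exactly as the log prints it (no braces added).
        if ($t -match '^"(.+)\\\(Default\)"\s*=') { $asKey = $Matches[1]; continue }
        if ($t -match '^\\StubPath\s*=\s*"([^"]+)"') {
            if ($seen.Add($Matches[1])) { $files.Add($Matches[1]) }
            if ($asKey) {
                $keys.Add("HKLM\Software\Microsoft\Active Setup\Installed Components\$asKey")
                $asKey = $null
            }
            continue
        }
        # Context-menu handlers: emit only the ones the analyst flagged
        if ($t -match '^HKEY_CLASSES_ROOT\\\*\\shellex\\ContextMenuHandlers\\(.+)$' -and
            $SuspectContextMenuHandlers -contains $Matches[1]) {
            $keys.Add("HKCR\*\shellex\ContextMenuHandlers\$($Matches[1])")
        }
    }

    $out = @('@echo off', 'rem Run from an elevated cmd.exe in Safe Mode (reg.exe is not in the Recovery Console)')
    foreach ($f in $files) {
        $out += "attrib -r -h -s -a `"$f`""   # clear attributes first, or del refuses the file
        $out += "del /f /q `"$f`""
    }
    foreach ($k in $keys) { $out += "reg delete `"$k`" /f" }
    return $out
}

# Excerpt of the log posted above (shortened, otherwise verbatim)
$SampleLog = @'
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* urllogic C:\WINDOWS\JMHHV.DLL
* qoologic C:\WINDOWS\JMHHV.DLL
* qoologic C:\WINDOWS\UNADBEH.EXE
* ad-beh C:\WINDOWS\System32\ADPPQ.DLL
* ad-beh C:\WINDOWS\System32\WINUP2~1.DLL
* ad-beh C:\WINDOWS\System32\BDRRQQM.EXE
* ad-beh C:\WINDOWS\System32\VIMMLL.EXE
* ad-beh C:\WINDOWS\UNADBEH.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\docume~1\alluse~1\startm~1\programs\startup\NRPP.EXE
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmttkkxk
<NO NAME> REG_SZ {ff549842-977e-454e-a730-3e4f5f3d81e3}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
HKLM\Software\Microsoft\Active Setup\Installed Components\
"6cb1abe1-2bcc-47a0-8a90-2ac368f47d8b\(Default)" = ""
\StubPath = "C:\WINDOWS\System32\bdrrqqm.exe" [null data]
'@

$script = ConvertTo-CleanupScript -LogText $SampleLog -SuspectContextMenuHandlers 'fmttkkxk'
$script   # review every line before running it; then Set-Content -Path cleanup.cmd -Encoding ASCII
```

Two checks before running the output: reg.exe does not exist in the Recovery Console, so the reg delete lines need an elevated Safe Mode cmd.exe; and the Active Setup key name is copied as the log printed it, so confirm it in regedit first, since Active Setup components are normally keyed by a braced GUID and the log tool may have stripped the braces. The 8.3 names (WINUP2~1.DLL, docume~1) are left as-is; del and attrib accept them.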