Member Panel

davesmith20

Hello, I hope you can help me i think i have 2 issues the first is that everytime i log in to XP i get a message that states C:\WINDOWS\cfmgr52.dll . I am also getting all kind of pop ups that i cannot get rid of. I am attaching my ewido logfiles and my hijackthis logfiles. Thanks DaveScan report_20060511.txt.txt

hijackthis.log

btalman

Hi dave and welcome to PCHF,
Please follow the prework and post the hijackthislog in the hijackthis section of the site where an expert will help you asap
Good luck, Bram

davesmith20

Thank you for your response i have completed everything in the prework section. I will post my hijackthis logfiles here. Thanks Dave

hijackthis.log

Scan report_20060511.txt.txt

joe5

@BT , looks like he had already done the Prework.

@Dave , ouch , youre pc must be running pretty slow i think? You have lots of malware on there.

First run ewido again and let it fix what it finds this time.

Then download and run this tool:
http://securityresponse.symantec.com...r/FxIstbar.exe

After that look for any of these in add/remove programs , and uninstall them if present:

Nick Aracde
SafeSurfing
Xupiter OrbitExplorer toolbar
Orbit
AdTools Service
Target Saver
SpyBlast
EQBranch
virtualbouncer
FullContext

Then boot youre pc in safemode.

Click Start>Run and type in: services.msc
Click OK
In the Services window find: Windows Overlay Components
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Open HJT and click config > misc tools > “delete an NT service”
Copy and past: Windows Overlay Components
Click OK.

After that fix these with hjt:
(if still present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {D776F591-6DEA-12DA-467A-266D71416CAB} - C:\WINDOWS\rhtmzoxz.dll (file missing)
O2 - BHO: NICKARCADE - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O2 - BHO: (no name) - {5F018A10-44D4-9F7C-96C3-1BCCCEEF6149} - C:\WINDOWS\rhtmzoxz.dll (file missing)
O2 - BHO: (no name) - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - (no file)
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll (file missing)
O3 - Toolbar: NICKARCADE - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O3 - Toolbar: Search - {B6081F4A-8A1A-9613-0116-85E112417F43} - C:\WINDOWS\rhtmzoxz.dll (file missing)
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [windows] xax.exe
O4 - HKLM\..\Run: [Services] C:\DOCUME~1\Lora\LOCALS~1\Temp\342x43.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [f¸ï0+¿ðÇà_-8àaöž–C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jqqwe.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [uqeeguy] C:\WINDOWS\uqeeguy.exe
O4 - HKLM\..\Run: [ekfxkdl] C:\WINDOWS\ekfxkdl.exe
O4 - HKLM\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O4 - HKLM\..\Run: [{B7-7F-F6-62-ZN}] C:\windows\system32\rrdsregn.exe FI002
O4 - HKLM\..\RunServices: [windows] xax.exe
O4 - HKCU\..\Run: [SpyBlast] C:\Program Files\SpyBlast\SpyBlast.exe /autorun
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [EQBranch] "C:\Program Files\EQBranch\EQBranch.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinssag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\ZIFI002.exe
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do...bridge-c46.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...WBInitialSetup 1.0.0.15.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCAdvice\FCAdvice.dll
O20 - AppInit_DLLs: jkcbnjpn.dll,Runner.dll,EQMini.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\aoadouz.exe (file missing)

And then manually delete the files in bold. Also do a search for these files and delete them aswell:

xax.exe
jkcbnjpn.dll
runner.dll
EQMini.dll

Then reboot to normal mode and do a panda online AV scan here:

http://www.pandasoftware.com/products/activescan

When done , please post the Panda log and a new hjt log.

davesmith20

Thanks for your help Joe i completed everything you told me to do and it definitely helped i am posting the panda logs and hjt logs here Thanks Dave

Activescan.txt

hijackthis.log

joe5

Looking very good

, youre hjt log is clean now but still a bunch of files to delete:

Download Pocket Killbox:
http://www.atribune.org/downloads/KillBox.exe

Start Killbox and place a tick next to [x]delete on reboot.
And press the "all files" button. (just above the yellow triangle)

Copy this list into the windows clipboard:

C:\WINDOWS\system\QBUninstaller.exe
C:\WINDOWS\inf\biini.inf
C:\WINDOWS\inf\biD.inf
C:\WINDOWS\inf\CC_43.inf
C:\WINDOWS\inf\CC_43.PNF
C:\WINDOWS\system32\tpuninstall.exe
C:\WINDOWS\system32\InstallerV4.exe
C:\WINDOWS\rgrt.exe
C:\WINDOWS\Fiqrumpjz.puy\rk1.exe
C:\WINDOWS\eliteunstall.exe
C:\WINDOWS\rk.exe
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe
C:\WINDOWS\system32\EQMini.dll
C:\WINDOWS\system32\InstallerV3.exe
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\system32\drivers\dfdr.sys
C:\WINDOWS\system32\drivers\etc\hosts.bho

Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt, then click OK.

Exit Killbox and restart your PC.

Are you still having any problems with youre pc?

davesmith20

Sorry it took so long to get back with you. Yes i am still having problems. First i was trying to post the list to windows clipboard, but i cannot find it, and i am not sure how to do it. The second i have lost Yahoo Messenger and i cant get it back. I un-installed it and tried to re-install but it wont do anything not even create a shortcut. Now i am in trouble wit my wife lol Hope you can help

Thanks Dave

Member Panel

Sponsors and Ads

Noticeboard