[Fixed] spyware problems

davesmith20 · 05-11-2006

Hello, I hope you can help me i think i have 2 issues the first is that everytime i log in to XP i get a message that states C:\WINDOWS\cfmgr52.dll . I am also getting all kind of pop ups that i cannot get rid of. I am attaching my ewido logfiles and my hijackthis logfiles. Thanks DaveScan report_20060511.txt.txt

hijackthis.log

btalman · 05-11-2006

Hi dave and welcome to PCHF,
Please follow the prework and post the hijackthislog in the hijackthis section of the site where an expert will help you asap
Good luck, Bram

davesmith20 · 05-12-2006

Thank you for your response i have completed everything in the prework section. I will post my hijackthis logfiles here. Thanks Dave

hijackthis.log

Scan report_20060511.txt.txt

joe5 · 05-12-2006

@BT , looks like he had already done the Prework.

@Dave , ouch , youre pc must be running pretty slow i think? You have lots of malware on there.

First run ewido again and let it fix what it finds this time.

Then download and run this tool:
http://securityresponse.symantec.com...r/FxIstbar.exe

After that look for any of these in add/remove programs , and uninstall them if present:

Nick Aracde
SafeSurfing
Xupiter OrbitExplorer toolbar
Orbit
AdTools Service
Target Saver
SpyBlast
EQBranch
virtualbouncer
FullContext

Then boot youre pc in safemode.

Click Start>Run and type in: services.msc
Click OK
In the Services window find: Windows Overlay Components
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Open HJT and click config > misc tools > “delete an NT service”
Copy and past: Windows Overlay Components
Click OK.

After that fix these with hjt:
(if still present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {D776F591-6DEA-12DA-467A-266D71416CAB} - C:\WINDOWS\rhtmzoxz.dll (file missing)
O2 - BHO: NICKARCADE - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O2 - BHO: (no name) - {5F018A10-44D4-9F7C-96C3-1BCCCEEF6149} - C:\WINDOWS\rhtmzoxz.dll (file missing)
O2 - BHO: (no name) - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - (no file)
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll (file missing)
O3 - Toolbar: NICKARCADE - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O3 - Toolbar: Search - {B6081F4A-8A1A-9613-0116-85E112417F43} - C:\WINDOWS\rhtmzoxz.dll (file missing)
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [windows] xax.exe
O4 - HKLM\..\Run: [Services] C:\DOCUME~1\Lora\LOCALS~1\Temp\342x43.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [f¸ï0+¿ðÇà_-8àaöž–C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jqqwe.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [uqeeguy] C:\WINDOWS\uqeeguy.exe
O4 - HKLM\..\Run: [ekfxkdl] C:\WINDOWS\ekfxkdl.exe
O4 - HKLM\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O4 - HKLM\..\Run: [{B7-7F-F6-62-ZN}] C:\windows\system32\rrdsregn.exe FI002
O4 - HKLM\..\RunServices: [windows] xax.exe
O4 - HKCU\..\Run: [SpyBlast] C:\Program Files\SpyBlast\SpyBlast.exe /autorun
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [EQBranch] "C:\Program Files\EQBranch\EQBranch.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinssag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\ZIFI002.exe
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do...bridge-c46.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...WBInitialSetup 1.0.0.15.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCAdvice\FCAdvice.dll
O20 - AppInit_DLLs: jkcbnjpn.dll,Runner.dll,EQMini.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\aoadouz.exe (file missing)

And then manually delete the files in bold. Also do a search for these files and delete them aswell:

xax.exe
jkcbnjpn.dll
runner.dll
EQMini.dll

Then reboot to normal mode and do a panda online AV scan here:

http://www.pandasoftware.com/products/activescan

When done , please post the Panda log and a new hjt log.

davesmith20 · 05-13-2006

Thanks for your help Joe i completed everything you told me to do and it definitely helped i am posting the panda logs and hjt logs here Thanks Dave

Activescan.txt

hijackthis.log

joe5 · 05-14-2006

Looking very good

, youre hjt log is clean now but still a bunch of files to delete:

Download Pocket Killbox:
http://www.atribune.org/downloads/KillBox.exe

Start Killbox and place a tick next to [x]delete on reboot.
And press the "all files" button. (just above the yellow triangle)

Copy this list into the windows clipboard:

C:\WINDOWS\system\QBUninstaller.exe
C:\WINDOWS\inf\biini.inf
C:\WINDOWS\inf\biD.inf
C:\WINDOWS\inf\CC_43.inf
C:\WINDOWS\inf\CC_43.PNF
C:\WINDOWS\system32\tpuninstall.exe
C:\WINDOWS\system32\InstallerV4.exe
C:\WINDOWS\rgrt.exe
C:\WINDOWS\Fiqrumpjz.puy\rk1.exe
C:\WINDOWS\eliteunstall.exe
C:\WINDOWS\rk.exe
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe
C:\WINDOWS\system32\EQMini.dll
C:\WINDOWS\system32\InstallerV3.exe
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\system32\drivers\dfdr.sys
C:\WINDOWS\system32\drivers\etc\hosts.bho

Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt, then click OK.

Exit Killbox and restart your PC.

Are you still having any problems with youre pc?

davesmith20 · 05-18-2006

Sorry it took so long to get back with you. Yes i am still having problems. First i was trying to post the list to windows clipboard, but i cannot find it, and i am not sure how to do it. The second i have lost Yahoo Messenger and i cant get it back. I un-installed it and tried to re-install but it wont do anything not even create a shortcut. Now i am in trouble wit my wife lol Hope you can help

Thanks Dave

05-11-2006	#1
davesmith20 Bronze Member Join Date: May 2006 Posts: 10	[Fixed] spyware problems Hello, I hope you can help me i think i have 2 issues the first is that everytime i log in to XP i get a message that states C:\WINDOWS\cfmgr52.dll . I am also getting all kind of pop ups that i cannot get rid of. I am attaching my ewido logfiles and my hijackthis logfiles. Thanks DaveScan report_20060511.txt.txt hijackthis.log

05-11-2006	#2
btalman Elite Member Join Date: Nov 2005 Posts: 499	Hi dave and welcome to PCHF, Please follow the prework and post the hijackthislog in the hijackthis section of the site where an expert will help you asap Good luck, Bram __________________

05-12-2006	#3
davesmith20 Bronze Member Join Date: May 2006 Posts: 10	spyware problems Thank you for your response i have completed everything in the prework section. I will post my hijackthis logfiles here. Thanks Dave hijackthis.log Scan report_20060511.txt.txt

05-12-2006	#4
joe5 Elite Member Join Date: Jun 2005 Location: Netherlands Posts: 9,021	@BT , looks like he had already done the Prework. @Dave , ouch , youre pc must be running pretty slow i think? You have lots of malware on there. First run ewido again and let it fix what it finds this time. Then download and run this tool: http://securityresponse.symantec.com...r/FxIstbar.exe After that look for any of these in add/remove programs , and uninstall them if present: Nick Aracde SafeSurfing Xupiter OrbitExplorer toolbar Orbit AdTools Service Target Saver SpyBlast EQBranch virtualbouncer FullContext Then boot youre pc in safemode. Click Start>Run and type in: services.msc Click OK In the Services window find: Windows Overlay Components Select/highlight and right click the entry, and choose: Properties On the General tab, under Service Status click the Stop button Beside: Startup Type, in the drop menu, select: Disabled Click Apply, then OK Open HJT and click config > misc tools > “delete an NT service” Copy and past: Windows Overlay Components Click OK. After that fix these with hjt: (if still present) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1 R3 - URLSearchHook: (no name) - {D776F591-6DEA-12DA-467A-266D71416CAB} - C:\WINDOWS\rhtmzoxz.dll (file missing) O2 - BHO: NICKARCADE - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing) O2 - BHO: (no name) - {5F018A10-44D4-9F7C-96C3-1BCCCEEF6149} - C:\WINDOWS\rhtmzoxz.dll (file missing) O2 - BHO: (no name) - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - (no file) O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll (file missing) O3 - Toolbar: NICKARCADE - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing) O3 - Toolbar: Search - {B6081F4A-8A1A-9613-0116-85E112417F43} - C:\WINDOWS\rhtmzoxz.dll (file missing) O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe O4 - HKLM\..\Run: [windows] xax.exe O4 - HKLM\..\Run: [Services] C:\DOCUME~1\Lora\LOCALS~1\Temp\342x43.exe O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe O4 - HKLM\..\Run: [f¸ï0+¿ðÇà_-8àaöž–C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jqqwe.exe O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe O4 - HKLM\..\Run: [uqeeguy] C:\WINDOWS\uqeeguy.exe O4 - HKLM\..\Run: [ekfxkdl] C:\WINDOWS\ekfxkdl.exe O4 - HKLM\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe O4 - HKLM\..\Run: [{B7-7F-F6-62-ZN}] C:\windows\system32\rrdsregn.exe FI002 O4 - HKLM\..\RunServices: [windows] xax.exe O4 - HKCU\..\Run: [SpyBlast] C:\Program Files\SpyBlast\SpyBlast.exe /autorun O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe" O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe O4 - HKCU\..\Run: [EQBranch] "C:\Program Files\EQBranch\EQBranch.exe" O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot O4 - Startup: PowerReg Scheduler.exe O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinssag.exe O4 - Startup: Z_Start.lnk = C:\WINDOWS\ZIFI002.exe O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';} O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file) O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file) O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do...bridge-c46.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...WBInitialSetup 1.0.0.15.cab O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab O18 - Filter: text/html - {994D478A-45D0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCAdvice\FCAdvice.dll O20 - AppInit_DLLs: jkcbnjpn.dll,Runner.dll,EQMini.dll O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\aoadouz.exe (file missing) And then manually delete the files in bold. Also do a search for these files and delete them aswell: xax.exe jkcbnjpn.dll runner.dll EQMini.dll Then reboot to normal mode and do a panda online AV scan here: http://www.pandasoftware.com/products/activescan When done , please post the Panda log and a new hjt log. __________________ - PCHF Team. - (NL) - Mal-ware Eradicator! - - Online AV Scans - HijackThis! - Bootdisk.com - ATF-Cleaner - Stinger - 'Prework' - 'Afterwork' - PCHF Rules - Donate to PCHF. And get>

05-13-2006	#5
davesmith20 Bronze Member Join Date: May 2006 Posts: 10	spyware problems Thanks for your help Joe i completed everything you told me to do and it definitely helped i am posting the panda logs and hjt logs here Thanks Dave Activescan.txt hijackthis.log

05-14-2006	#6
joe5 Elite Member Join Date: Jun 2005 Location: Netherlands Posts: 9,021	Looking very good , youre hjt log is clean now but still a bunch of files to delete: Download Pocket Killbox: http://www.atribune.org/downloads/KillBox.exe Start Killbox and place a tick next to [x]delete on reboot. And press the "all files" button. (just above the yellow triangle) Copy this list into the windows clipboard: C:\WINDOWS\system\QBUninstaller.exe C:\WINDOWS\inf\biini.inf C:\WINDOWS\inf\biD.inf C:\WINDOWS\inf\CC_43.inf C:\WINDOWS\inf\CC_43.PNF C:\WINDOWS\system32\tpuninstall.exe C:\WINDOWS\system32\InstallerV4.exe C:\WINDOWS\rgrt.exe C:\WINDOWS\Fiqrumpjz.puy\rk1.exe C:\WINDOWS\eliteunstall.exe C:\WINDOWS\rk.exe C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe C:\WINDOWS\system32\EQMini.dll C:\WINDOWS\system32\InstallerV3.exe C:\WINDOWS\system32\instsrv.exe C:\WINDOWS\system32\drivers\dfdr.sys C:\WINDOWS\system32\drivers\etc\hosts.bho Back in Killbox go > file > paste from clipboard, Click the red highlighted X button and say yes to the prompt, then click OK. Exit Killbox and restart your PC. Are you still having any problems with youre pc? __________________ - PCHF Team. - (NL) - Mal-ware Eradicator! - - Online AV Scans - HijackThis! - Bootdisk.com - ATF-Cleaner - Stinger - 'Prework' - 'Afterwork' - PCHF Rules - Donate to PCHF. And get>

05-18-2006	#7
davesmith20 Bronze Member Join Date: May 2006 Posts: 10	spyware problems Sorry it took so long to get back with you. Yes i am still having problems. First i was trying to post the list to windows clipboard, but i cannot find it, and i am not sure how to do it. The second i have lost Yahoo Messenger and i cant get it back. I un-installed it and tried to re-install but it wont do anything not even create a shortcut. Now i am in trouble wit my wife lol Hope you can help Thanks Dave

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode