evil little Virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by Shalashaska, Jul 28, 2005.

  1. Shalashaska

    Shalashaska Private E-2

    Alright, I'm completely new to viruses and all that good stuff. Norton says the virus is called W32.DesktopHijack and every time I delete the trojans they come back (I think). I've tried all of the steps in the stickied thread and it deleted a few things but most of them stayed. I have HijackThis if you need a log. There are annoying pop-ups and I'm sorry but I have no idea what I'm doing about these things. And I've been dealing with this thing for a good 2 weeks now. I think you guys are my only hope!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    • Download HijackThis 1.99.1

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    • Run HijackThis and save your log file.

    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    • Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Shalashaska

    Shalashaska Private E-2

    Here is my HJT log, and sorry it took so long, I was at a friend's house.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post all three logs as attachments.
     
    Last edited: Aug 6, 2005
  5. Shalashaska

    Shalashaska Private E-2

    OK, here are two attachments and I'm about to boot into safe mode to get the third. I would like to thank you again for helping me with my problem.
     

    Attached Files:

  6. Shalashaska

    Shalashaska Private E-2

    OK, I'm in safe mode now and I got the log.
     

    Attached Files:

    • log.txt (853 bytes)
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\HAQASVC.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\BJADJ.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\LDSFDHF.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\CONRES.cpl into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\DATADX.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tnad.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\ojnajb.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot and attach a fresh HJT log!
     
  8. Shalashaska

    Shalashaska Private E-2

    Alright, here's my HJT log.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R3 - Default URLSearchHook is missing

    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
    O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll

    O3 - Toolbar: Date Bar - {A833AB67-7368-457E-B8BF-249CCD8DDD14} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dbar.dll (file missing)

    O4 - HKLM\..\Run: [mouse] mouse.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ojnajb.exe reg_run
    O4 - HKLM\..\Run: [ypmfenc] C:\WINDOWS\ypmfenc.EXE
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
    O4 - HKLM\..\Run: [Sysnet] C:\Program Files\epicenter\sysnet.exe
    O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
    O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
    O4 - HKLM\..\RunServices: [mouse] mouse.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{01E19935-FE91-43A8-9B70-EF9D90413F73}: NameServer = 195.95.218.1,85.255.112.7
    O17 - HKLM\System\CCS\Services\Tcpip\..\{339FFB28-9517-4F0B-B17F-5CAEAC6512A9}: NameServer = 195.95.218.1,85.255.112.7
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8926D45E-1F1B-4B7C-9631-FD27ECA6E0B7}: NameServer = 195.95.218.1,85.255.112.7
    O17 - HKLM\System\CS1\Services\Tcpip\..\{01E19935-FE91-43A8-9B70-EF9D90413F73}: NameServer = 195.95.218.1,85.255.112.7

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Program Files\epicenter ←–– Delete this whole folder if it exists!

    C:\Program Files\PSGuard ←–– Delete this whole folder if it exists!


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\cfgmgr52.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\ypmfenc.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\intel32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\ojnajb.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\richedtr.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot and get me 3 new logs from post #4 along with a fresh HJT log.
     
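    The fix list above mixes several persistence and hijack points (BHO and toolbar DLLs, Run/RunServices entries, orphaned O9 buttons, and O17 NameServer values pointing at resolvers the user never configured). The following is an added example, not code from the thread or from HijackThis: a small Python triage script that parses log lines in this format and flags the same patterns the helper picked out. The sample lines are constructed from the format of post #9 (the [ExampleAudio] entry and the PLACEHOLDER-GUID-2 interface key are made up for the example), and EXPECTED_RESOLVERS is an assumed allow-list that a real user would fill with their router's or ISP's resolvers.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the HijackThis line format quoted in the thread.
# The PLACEHOLDER-GUID-2 interface key and the [ExampleAudio] entry are
# placeholders added for this example; the rest mirrors post #9's fix list.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O3 - Toolbar: Date Bar - {A833AB67-7368-457E-B8BF-249CCD8DDD14} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dbar.dll (file missing)
O4 - HKLM\..\Run: [mouse] mouse.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ojnajb.exe reg_run
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [ExampleAudio] C:\Program Files\Example Audio\tray.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{01E19935-FE91-43A8-9B70-EF9D90413F73}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID-2}: NameServer = 192.168.1.1
"""

# Assumed allow-list: the resolvers this machine is supposed to use (router
# or ISP). Any other address in an O17 line is treated as a hijack candidate.
EXPECTED_RESOLVERS = {"192.168.1.1"}


@dataclass
class Entry:
    kind: str                  # HijackThis section, e.g. "O4", "O17"
    raw: str                   # the original log line
    artifact: str              # file path or resolver list the entry points at
    flags: List[str] = field(default_factory=list)


ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")


def executable_of(cmd: str) -> str:
    """Return the file an O4 command actually loads.

    rundll32 lines load the DLL named before the comma; otherwise the command
    is cut at the first '.exe' so paths containing spaces survive intact."""
    if cmd.lower().startswith("rundll32"):
        parts = cmd.split(None, 1)
        return parts[1].split(",", 1)[0].strip() if len(parts) == 2 else ""
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line into an Entry with per-line heuristic flags."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    entry = Entry(kind, line.strip(), "")
    if kind == "O4":
        m4 = O4_RE.match(body)
        entry.artifact = executable_of(m4.group("cmd")) if m4 else body
        if "\\" not in entry.artifact:
            # A bare file name is located by search order at logon, so the
            # log does not tell you which copy runs.
            entry.flags.append("no path: resolved by search order at logon")
    elif kind == "O17":
        m17 = NAMESERVER_RE.search(body)
        entry.artifact = m17.group("servers") if m17 else body
        for server in entry.artifact.split(","):
            if server not in EXPECTED_RESOLVERS:
                entry.flags.append(f"unexpected resolver {server}")
    elif kind in ("O2", "O3", "O9"):
        entry.artifact = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
    else:
        entry.artifact = body
    if "(file missing)" in body:
        entry.flags.append("orphaned entry: file missing")
    if re.search(r"\\temp\\|\\locals~1\\|local settings", entry.artifact, re.IGNORECASE):
        entry.flags.append("loads from a temp/profile folder")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every line, then flag files registered under more than one
    section (e.g. the same DLL as both a BHO and a Run entry)."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_artifact: Dict[str, List[Entry]] = {}
    for e in entries:
        by_artifact.setdefault(e.artifact.lower(), []).append(e)
    for group in by_artifact.values():
        kinds = {e.kind for e in group}
        if len(kinds) > 1:
            for e in group:
                e.flags.append("same file under several load points: " + ",".join(sorted(kinds)))
    return entries


def suspicious(entries: List[Entry]) -> List[Entry]:
    """Only the entries that picked up at least one flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(triage(SAMPLE_LOG)):
        print(f"{e.kind:4} {e.artifact:60} {'; '.join(e.flags)}")
```

    The flags are heuristics, not verdicts: the [winsync] line, which the helper also removed, gets no flag because a full path with an argument is unremarkable on its own. The point of the correlation step is that a single file appearing under two load points, as cfgmgr52.dll does here, is a stronger signal than either entry alone.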
  10. Shalashaska

    Shalashaska Private E-2

    Ok here they are.
     

    Attached Files:

  11. Shalashaska

    Shalashaska Private E-2

    And the others.
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following folders if they should remain:

    C:\Program Files\Cas
    C:\Program Files\CMAPP
    C:\Program Files\Aprps
    C:\Program Files\CasStub
    C:\Program Files\PSGuard
    C:\Program Files\Media Access
    C:\Program Files\SurfSideKick 3
    C:\Program Files\Common Files\riur


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    C:\gendel32.exe

    C:\WINDOWS\haioaatt.exe
    C:\WINDOWS\rdt.ini
    C:\WINDOWS\cfgmgr52.ini
    C:\WINDOWS\visfxun.exe
    C:\WINDOWS\yvhfsvc.exe
    C:\WINDOWS\weirdontheweb_topc.exe

    C:\WINDOWS\system32\richup.exe
    C:\WINDOWS\system32\ntfsnlpa.exe
    C:\WINDOWS\system32\oleadm.dll
    C:\WINDOWS\system32\PSof1.exe
    C:\WINDOWS\system32\yaemu.exe
    C:\WINDOWS\system32\VVSNInst.exe
    C:\WINDOWS\system32\vpuqp.dat
    C:\WINDOWS\system32\richup.exe
    C:\WINDOWS\system32\redtrsha.dll
    C:\WINDOWS\system32\nszBA.dll
    C:\WINDOWS\system32\InstallerV3.exe
    C:\WINDOWS\system32\dmdec.exe

    C:\Program Files\Windows Media Player\wmplayer.exe.tmp

    C:\Documents and Settings\Administrator\Application Data\wo.tmp
    C:\Documents and Settings\Administrator\Application Data\Sskknwrd.dll


    After you complete the above, reboot back into normal mode and attach a fresh HJT log.
     
  13. Shalashaska

    Shalashaska Private E-2

    OK, here's the HJT log.
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    After you complete the above, your HJT log will be clean. Are you having any further problems?
     
  15. Shalashaska

    Shalashaska Private E-2

    I don't think so. Thank you so much. Norton still detects the virus though, but it doesn't affect anything.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What exactly is it detecting?

    Filename? File location? Virus name?
     
