Randomly named .exe's loading at startup

Doomer (Diamond Member, Dec 5, 1999):
Win XP. I delete the entry from the run key in the registry and reboot and it's back in the registry under a different name (random letters, not words). What is this and how can I get rid of it?

Thanks



M4H (Jan 31, 2002):
Virus/hijack/trojan.

Get off the internet and try to save yourself with a virus checker. Failing that, it's format time.

- M4H
 

Doomer (Diamond Member, Dec 5, 1999):
Yes, I know this. It's kinda hard to put a face on this beast without a name.
 

Aluf (Member, Nov 4, 2004):
When all the common-sense preliminaries are done (AV check, HijackThis/Ad-Aware/...), you can download from www.sysinternals.com a tool named Regmon.exe. It's free, doesn't need an installation, and it follows all registry writes/reads/opens and logs them to a file, which you can later search for the 'beast' to find out which program uses it.
 

mechBgon (Super Moderator / Elite Member, Oct 31, 1999):
Doomer, could you answer these questions to begin with:
  1. What brand and version of antivirus software do you have (example: "Norton Antivirus 2004")
  2. Do you have broadband
  3. Do you have a router
  4. Are there other computers sharing the router with yours
  5. Does your computer have Service Pack 2
  6. Do you have a software firewall on your computer
  7. Do any other people use your computer besides you
  8. Is WinXP System Restore enabled or disabled
Also, could you do these two things:

  1. Post a Hijack This log.
    • Make a folder C:\HJT
    • Download Hijack This! (a Zip file) and save it in C:\HJT, then extract the hijackthis.exe executable to there, run it, and do a scan
    • Click Save log and grab the text from the logfile and post it here for assessment
  2. Go to Control Panel > Performance & Maintenance > Administrative Tools > Services, and click Status to put all the Started services on the top of the stack. Slide open the names and descriptions enough that they're readable, like this pic, and post it somewhere so we can see what you've got running. Do two screenshots if you have to, in order to get all the Started ones.
 

Doomer (Diamond Member, Dec 5, 1999):
Thanks mech,

This is my neighbor's computer, ha ha.

NAV 2004
Yes, DSL
Don't think so.
Nope
No, but I intend to install it as soon as I get rid of this gremlin.
Nope
They have 2 kids. They did it (so mama says).
I have SR disabled at present.

I'll DL Hijack this and post back.

btw: The computer is infested with VX2. I DL'd the VX2 plug-in for Adaware and, strangely, Adaware sees it but the plug-in doesn't.
 

Schadenfroh (Elite Member, Mar 8, 2003):
1. physically unplug the thing from the net

2. Follow instructions here

3. Post the HJT log from HJT V1.98

4. Follow the solution we give you

5. Download SP2, install it along with a freeware firewall, like sygate.
 

Doomer (Diamond Member, Dec 5, 1999):
Here's the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 8:49:03 AM, on 12/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lykpgu.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\System32\wuauclt.exe
C:\aaa\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {610FB8B8-2427-4375-BCF9-2F7AE17173A6} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads..._WIN_IE_1/axofupld.cab
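The reason deleting the Run entry by name gets nowhere is the one Doomer ran into: the name is regenerated on every reboot, so a useful check keys on where a file runs from and what it hooks rather than on what it is called. The script below is an added example, not part of the thread or of HijackThis. It parses the log format HijackThis writes and applies three location/hook rules: an executable running directly out of a Startup folder (lykpgu.exe above), an O10 Winsock LSP that HijackThis does not recognise, and an O16 ActiveX entry sourced from file:// or carrying a placeholder CLSID. The embedded sample is copied from the log posted above, trimmed to the lines the rules look at; the rule names and helper functions are this example's own.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis v1.98.2 log posted
# in the thread, trimmed to the entries the rules below examine.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lykpgu.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {610FB8B8-2427-4375-BCF9-2F7AE17173A6} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # rule that fired (rule names are this example's own)
    item: str    # path, DLL or URL that triggered it
    reason: str  # why it deserves a look


# An executable sitting directly in a Startup folder. Installers put a .lnk
# there that points into Program Files; droppers put the binary itself there.
STARTUP_EXE = re.compile(
    r"\\start menu\\programs\\startup\\[^\\]+\.(?:exe|com|scr|bat|pif)$", re.I)
# First drive-letter path in an O4 line, up to the executable extension.
EXE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|com|scr|bat|pif)\b", re.I)
# A CLSID whose first four groups are one repeated digit is a placeholder,
# not a class any vendor registered.
PLACEHOLDER_CLSID = re.compile(r"^\{(\d)\1{7}-\1{4}-\1{4}-\1{4}-[0-9A-F]{12}\}$", re.I)
SECTION_LINE = re.compile(r"^([A-Z]\d+) - (.*)$")
DPF_LINE = re.compile(r"^DPF: (\{[^}]+\})(?: \([^)]*\))? - (\S+)")


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # blank line closes the process list
            continue
        m = SECTION_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def analyze(text):
    """Return de-duplicated Findings for the location/hook rules described above."""
    processes, entries = parse_hjt(text)
    findings, seen = [], set()

    def add(rule, item, reason):
        key = (rule, item.lower())
        if key not in seen:          # the same LSP DLL is listed once per protocol
            seen.add(key)
            findings.append(Finding(rule, item, reason))

    for path in processes:
        if STARTUP_EXE.search(path):
            add("startup-folder-exe", path,
                "binary runs straight out of a Startup folder; installers leave a .lnk, not an .exe")
    for code, detail in entries:
        if code == "O4":
            m = EXE_PATH.search(detail)
            if m and STARTUP_EXE.search(m.group(0)):
                add("startup-folder-exe", m.group(0), "autostart target lives inside a Startup folder")
        elif code == "O10" and detail.lower().startswith("unknown file in winsock lsp:"):
            dll = detail.split(":", 1)[1].strip()
            add("unknown-lsp", dll,
                "unrecognised Winsock LSP; it is loaded into every process that opens a socket")
        elif code == "O16":
            m = DPF_LINE.match(detail)
            if m:
                clsid, source = m.groups()
                if source.lower().startswith("file:"):
                    add("local-dpf", source,
                        "'downloaded' ActiveX control sourced from a local file, i.e. dropped, not fetched")
                elif PLACEHOLDER_CLSID.match(clsid):
                    add("local-dpf", clsid, "placeholder CLSID, not a registered control")
    return findings


if __name__ == "__main__":
    # Read a saved log from stdin, or fall back to the embedded sample.
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in analyze(log):
        print(f"[{f.rule}] {f.item}\n    {f.reason}")
```

Run it as `python hjt_triage.py < hijackthis.log` against a saved log, or with no input to triage the embedded sample. On the sample it reports exactly the four items the thread ends up acting on (lykpgu.exe, aklsp.dll, calsp.dll, ied_s7m.cab) and stays quiet about hpsysdrv.exe, ccApp.exe and the Snapfish control, without ever looking at a file name; that is the point, since the next reboot would have produced a different name.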
 

Doomer (Diamond Member, Dec 5, 1999):
Originally posted by: mechBgon
Go to Control Panel > Performance & Maintenance > Administrative Tools > Services, and click Status to put all the Started services on the top of the stack. Slide open the names and descriptions enough that they're readable, like this pic, and post it somewhere so we can see what you've got running. Do two screenshots if you have to, in order to get all the Started ones.

There is no "Performance & services" in my Control Panel, nor can I find a Status button in the Services section of Computer Management.

 

mechBgon (Super Moderator / Elite Member, Oct 31, 1999):
If Control Panel is in the "classic Windows" mode then there is no Performance & Maintenance, it would be straight Control Panel > Administrative Tools > Services. At any rate, what I was getting at was whether the malware has installed itself as a service, because if it did, disabling the service and stopping it can be helpful. You're in good hands with Schadenfroh, just follow his step-by-step and you'll beat it in the end. :)

More suggestions here under the Ongoing prevention part. The Limited-class accounts are definitely called for here, with passwords on the Admin accounts to not only keep the kids out, but to prevent exploitation of the Admin powers by malware, which is pretty common judging by all the McAfee threat descriptions I read.
 

Infohawk (Lifer, Jan 12, 2002):
Another sysinternals app that's helpful here is process explorer. Use the tree mode to see what the parent process(es) is (are). But you'll need to follow the other advice too.
 

Schadenfroh (Elite Member, Mar 8, 2003):
Hello Doomer,

Before you do anything
1. Make sure that you have extracted HijackThis to a folder that is isolated before removing anything, because HijackThis makes backups within the folder it is in.
2. Download LSPfix and WinsockFix (only use WinsockFix if your connection dies after these steps are completed).
3. Disable System Restore; malware can come back through it.
4. Reboot into Safe Mode.
5. Close all browsers/Windows Explorer.

Fix the following in HijackThis (kill the process in Process Viewer, if it's there):
  • O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
  • O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
  • O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
  • O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
  • O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads..._WIN_IE_1/axofupld.cab

Additional Steps

1. Clear your Temporary Files.
2. Remove the following via the instructions provided:
  • AIM Toolbar (uninstall via Add/Remove Programs, if present)
  • Viewpoint Media (via Add/Remove Programs)
3. Use LSPfix to remove the following entry:
  • aklsp.dll
4. Restart into normal Windows.
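The caveat in step 2 (run WinsockFix only if the connection dies) is worth spelling out, because it is the usual way LSP removal goes wrong. An LSP is registered in the Winsock catalog as a layered provider plus protocol-chain entries that route each base protocol (TCP, UDP) through it. Delete the DLL or just the one provider entry and the chains are left naming a catalog ID that no longer exists, so every socket built through them fails; a proper removal, which is the job LSPfix is used for in step 3, takes the chains out with the provider. The model below is an added example, not part of the thread, LSPfix or WinsockFix: the catalog IDs, descriptions and chain layout are constructed assumptions, and the entries carry only the fields that matter for removal.

```python
from dataclasses import dataclass

# Constructed model of a Winsock 2 catalog (not netsh output and not from the
# thread). Catalog IDs, descriptions and the chain layout are this example's
# assumptions; real catalogs carry more fields than these.


@dataclass(frozen=True)
class Entry:
    catalog_id: int
    kind: str          # "base" provider, "layered" provider (an LSP) or protocol "chain"
    description: str
    path: str          # provider DLL this entry loads
    chain: tuple = ()  # for chains: catalog IDs, top layer first, base provider last


def sample_catalog():
    """Two Microsoft base providers, aklsp.dll layered over each, and a second
    (assumed legitimate) LSP layered on top of aklsp.dll for TCP."""
    return [
        Entry(1001, "base", "MSAFD Tcpip [TCP/IP]", r"%SystemRoot%\system32\mswsock.dll"),
        Entry(1002, "base", "MSAFD Tcpip [UDP/IP]", r"%SystemRoot%\system32\mswsock.dll"),
        Entry(1003, "layered", "AK LSP", r"c:\windows\system32\aklsp.dll"),
        Entry(1004, "chain", "AK LSP over TCP/IP", r"c:\windows\system32\aklsp.dll", (1003, 1001)),
        Entry(1005, "chain", "AK LSP over UDP/IP", r"c:\windows\system32\aklsp.dll", (1003, 1002)),
        Entry(1006, "layered", "Other LSP", r"c:\program files\other\otherlsp.dll"),
        Entry(1007, "chain", "Other LSP over AK over TCP/IP",
              r"c:\program files\other\otherlsp.dll", (1006, 1003, 1001)),
    ]


def dangling_references(catalog):
    """Catalog IDs that some protocol chain names but that no entry provides.
    A chain with a dangling ID cannot be resolved, so sockets built through it
    fail: that is the 'connection dies' symptom the thread warns about."""
    present = {e.catalog_id for e in catalog}
    return {cid for e in catalog if e.kind == "chain" for cid in e.chain if cid not in present}


def is_consistent(catalog):
    return not dangling_references(catalog)


def naive_remove(catalog, dll):
    """Delete only the layered-provider entry for `dll`, which is what deleting
    the single O10 line or the DLL file amounts to. The chains still point at it."""
    return [e for e in catalog
            if not (e.kind == "layered" and e.path.lower().endswith(dll.lower()))]


def remove_lsp(catalog, dll):
    """Delete the layered provider and every protocol chain that routes through
    it, so no chain is left naming a missing provider. Chains belonging to an
    LSP stacked above the removed one go too; that LSP stays registered but
    inactive until it is re-chained."""
    doomed = {e.catalog_id for e in catalog
              if e.kind == "layered" and e.path.lower().endswith(dll.lower())}
    return [e for e in catalog
            if e.catalog_id not in doomed
            and not (e.kind == "chain" and doomed.intersection(e.chain))]


if __name__ == "__main__":
    cat = sample_catalog()
    print("naive removal consistent:", is_consistent(naive_remove(cat, "aklsp.dll")))
    print("chain-aware removal consistent:", is_consistent(remove_lsp(cat, "aklsp.dll")))
```

The naive path leaves chains 1004, 1005 and 1007 naming provider 1003, which is gone; the chain-aware path removes those chains along with it and leaves a catalog with no dangling references. The same reasoning explains why the fallback in step 2 is a Winsock reset rather than more manual editing: rebuilding the catalog from the base providers is the one operation that is consistent by construction.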
 

Doomer (Diamond Member, Dec 5, 1999):
Thanks guys, been fighting this thing all day. Finally decided to nuke the HD and do a system restore. One thing that pissed me off to no end is the fact that this box (a Compaq, yuk) only has 128 MB of RAM. It runs dog slow and is very time consuming to troubleshoot with reboots.

Anyway, I've kept notes and downloaded all the goodies you guys have linked to and will keep them for my next encounter with this spyware from hell.

Thanks for all the help. :)
 

OZEE (Senior member, Feb 23, 2001):
Hmmm -- what you had wasn't as hard to clean as reformatting/reinstalling. Had you followed Schadenfroh's directions, your computer would've been clean in a matter of a few minutes without the headache of the reinstall...

Oh well.
 

Doomer (Diamond Member, Dec 5, 1999):
Believe me, I tried. There were 2 files involved in this thing, bqispn.dll and kypai.exe (sometimes kypaoi.exe), both in the system32 directory. I googled both and came up with absolutely nothing. The only way I could delete them was from a Safe Mode command prompt. Every time I'd reboot, they would come right back. Adaware said I had VX2. The Adaware VX2 plug-in said my system was clean.

I fought this thing all day yesterday and part of the day before. I didn't give up easy but sometimes you have to nurse your pride and move on.