
Thread: What's This?

  1. #11
    dopey

    OK, I have run Spybot again. It still will not let me update, nor will it let me switch servers. I ran HijackThis again and have a new log. It's still rather large. The computer is running much better but a long way from perfect. I still have not discovered what this MKgvarfc.exe is. I've made several searches on Google and no luck. The winh.exe is still there; Spybot and Ad-Aware both don't seem to see it, so I suppose I should remove it manually. I thought that Spybot had taken care of winkmmy.exe, but I'm not so certain. I received a message earlier today that winkmmy.exe had performed an illegal operation, etc., so it may still be there. What would you advise next?


    Logfile of HijackThis v1.97.7
    Scan saved at 12:10:10 PM, on 3/16/04
    Platform: Windows 95 B (Win9x 4.00.1212)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\azexe.exe
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\LXDBOXCP.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\SYSTEM\LOADWC.EXE
    C:\WINDOWS\SYSTEM\ELEGANT TECH\INFO-GUARDIAN\INFOGUARD.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\MSREXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\UNZIPPED\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpages.com/svc/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.pcpages.com/svc/index.html
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F1 - win.ini: run=lxdboxcp.exe
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: (no name) - {baf6dcf8-7c5f-476b-ae4a-79f05b783a83} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {DB044C3D-979A-A17C-120F-BAFEE81BE095} - C:\windows\system\vkwtbdmr.dll
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
    O2 - BHO: (no name) - {32BBB93F-1E01-9DAB-E404-F3A72E7C0F08} - C:\windows\system\osnnvlrg.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe
    O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\point32.exe
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [Msdapp] C:\WINDOWS\SYSTEM\Elegant Tech\Info-Guardian\infoguard.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [kxybwpjv] C:\WINDOWS\SYSTEM\kxybwpjv.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
    O4 - HKLM\..\Run: [Winkmmy] C:\WINDOWS\SYSTEM\Winkmmy.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
    O4 - HKLM\..\Run: [fovrdtwi] C:\WINDOWS\mkgvarfc.exe
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.EXE
    O4 - HKLM\..\Run: [WinFavorites] C:\PROGRAM FILES\WINFAVORITES\WINFAVORITES.exe1
    O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
    O4 - HKLM\..\Run: [Winkmdd] C:\WINDOWS\SYSTEM\Winkmdd.exe
    O4 - HKLM\..\RunServices: [azmodem] WINMODEM.101\azexe.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://
    O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://www.liveupdate.com/controls/getcab2.dll
    O16 - DPF: Yahoo! Euchre - http://download.yahoo.com/games/clients/y/er1_x.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potb_x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080...all/xscan53.cab
    O16 - DPF: ChatSpace Java Client 2.1.0.84N - http://about.chatspace.com/Java/cs4msn084.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/...uditControl.cab
    O16 - DPF: {A19A291A-9653-4498-93F6-5BA06CF699D8} - http://download.peopleonpage.com/pop/adx/PopLoad.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
    O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab

  2. Software & Hardware   -   #12
    Should I go ahead and remove these manually? Also, I've heard or read that when you remove these and edit the registry you do so while the computer is running in safe mode. Is this true?

  3. Software & Hardware   -   #13
    Hi,
    Well, first you should fix them with HijackThis.

    Rescan and check the following items:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpages.com/svc/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.pcpages.com/svc/index.html

    R3 - Default URLSearchHook is missing

    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com

    O2 - BHO: (no name) - {baf6dcf8-7c5f-476b-ae4a-79f05b783a83} - (no file)
    O2 - BHO: (no name) - {DB044C3D-979A-A17C-120F-BAFEE81BE095} - C:\windows\system\vkwtbdmr.dll
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
    O2 - BHO: (no name) - {32BBB93F-1E01-9DAB-E404-F3A72E7C0F08} - C:\windows\system\osnnvlrg.dll

    O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)

    O4 - HKLM\..\Run: [kxybwpjv] C:\WINDOWS\SYSTEM\kxybwpjv.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
    O4 - HKLM\..\Run: [Winkmmy] C:\WINDOWS\SYSTEM\Winkmmy.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
    O4 - HKLM\..\Run: [fovrdtwi] C:\WINDOWS\mkgvarfc.exe
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.EXE
    O4 - HKLM\..\Run: [WinFavorites] C:\PROGRAM FILES\WINFAVORITES\WINFAVORITES.exe1
    O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
    O4 - HKLM\..\Run: [Winkmdd] C:\WINDOWS\SYSTEM\Winkmdd.exe

    O13 - WWW. Prefix: http://

    O16 - DPF: {A19A291A-9653-4498-93F6-5BA06CF699D8} - http://download.peopleonpage.com/pop/adx/PopLoad.cab
    O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab

    Close all browser windows and hit "Fix checked". Reboot in safe mode (hit F8 during start) and delete the following:
    C:\WINDOWS\SYSTEM\kxybwpjv.exe
    C:\WINDOWS\SYSTEM\stcloader.exe
    C:\WINDOWS\SYSTEM\Winkmmy.exe
    C:\WINDOWS\SYSTEM\MSREXE.EXE
    C:\WINDOWS\mkgvarfc.exe

    C:\PROGRAM FILES\WINFAVORITES <----- folder

    Check to see if common name winnet is listed in the Control Panel's Add/Remove Programs. Use that to uninstall; if not, delete the
    C:\PROGRAM FILES\COMMONNAME <---- folder

    Try one of these online virus scans:
    http://housecall.trendmicro.com/hous...start_corp.asp
    http://www3.ca.com/virusinfo/virusscan.aspx

    Reboot and post a new log if you still have problems.
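
The fix-then-rescan step in the reply above, as an added example that is not part of the original post: it parses HijackThis entry lines and reports which entries ticked for "Fix checked" show up again in a follow-up log. The function names are hypothetical, and the follow-up log is constructed for illustration.

```python
import re

# A HijackThis entry line looks like "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [x] C:\y.exe".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

def _key(code, detail):
    # Case and spacing vary between scans (the log above mixes both), so normalise.
    return code.upper(), " ".join(detail.lower().split())

def parse_entries(log_text):
    """Ordered, de-duplicated (code, detail) pairs; header and process lines are skipped."""
    seen, out = set(), []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m and _key(*m.groups()) not in seen:
            seen.add(_key(*m.groups()))
            out.append((m.group(1).upper(), m.group(2)))
    return out

def target_path(code, detail):
    """Command an O2 (BHO) or O4 [name] autorun entry points at, or None if no file exists."""
    pattern = {"O4": r"\]\s*(.+)$", "O2": r"\}\s+-\s+(.+)$"}.get(code)
    m = re.search(pattern, detail) if pattern else None
    if not m or re.search(r"\((no file|file missing)\)", m.group(1)):
        return None
    return m.group(1).strip()

def survivors(fix_list_text, rescan_text):
    """Entries ticked for 'Fix checked' that are present again in the follow-up scan."""
    after = {_key(c, d) for c, d in parse_entries(rescan_text)}
    return [(c, d) for c, d in parse_entries(fix_list_text) if _key(c, d) in after]

# Fix list: lines copied from the reply above.
FIX_LIST = r"""
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {baf6dcf8-7c5f-476b-ae4a-79f05b783a83} - (no file)
O4 - HKLM\..\Run: [Winkmmy] C:\WINDOWS\SYSTEM\Winkmmy.exe
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
"""
# Follow-up scan: CONSTRUCTED for this example, not a log from the thread.
RESCAN = r"""
C:\WINDOWS\EXPLORER.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [winkmmy]  C:\WINDOWS\SYSTEM\WINKMMY.EXE
"""

if __name__ == "__main__":
    print([(c, d, target_path(c, d)) for c, d in survivors(FIX_LIST, RESCAN)])
```

An entry that reappears after "Fix checked" typically means the file it points at was still running and re-registered itself, which is why the reply deletes the files from safe mode.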

  4. Software & Hardware   -   #14
    Thanks dopey, I'll try that tonight or tomorrow. The housecall anti virus you posted I have used before and it always worked well. Tried it a few days ago and as soon as it started loading the web page turned off.

    I'll let you know how it works out. Thanks
