[Closed] Antivirus 2008 amoung others (pop-up windows)

Computer forums for help with removing malicious software (malware) and improving computer security

Welcome Guest to What the Tech! ( Log In | Register ) We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn. Explore our message boards, or register now to post messages of your own. Please Start Here. Register today (registration removes advertising)

What the Tech > Spyware / Malware / Virus Removal > HijackThis™ Logs and Infections Removal

[Closed] Antivirus 2008 amoung others (pop-up windows), HJT log

Options

Rhineus View Member Profile	Jul 31 2008, 12:37 AM Post #1
New Member Group: New Member Posts: 1 Joined: 27-October 07 Member No.: 73,804 Operating System: Win2kpro	Hello, I'm helping my dad's friend with his computer and he is mexican, so theres some toolbars and some other things that I cant understand. So I have no idea whats on this computer but I do know that it has many pop-up windows. I'm posting a HJT log... Thx :-) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:30:42 AM, on 7/30/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\LEXBCES.EXE C:\WINDOWS\SYSTEM32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\TWV4aWNv\command.exe C:\WINDOWS\system32\vlgcodvn.exe C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe C:\WINDOWS\mrofinu1188.exe C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe C:\WINDOWS\system32\service.exe C:\WINDOWS\System32\Rundll32.exe C:\Program Files\Lexmark X74-X75\lxbbbmon.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Insider\Insider.exe C:\WINDOWS\DOBE~1\spool32.exe C:\Documents and Settings\user\Application Data\WinTouch\WinTouch.exe C:\Documents and Settings\user\Application Data\Microsoft\Windows\uahgrgu.exe C:\Program Files\Router\Router.exe C:\Program Files\Words\Words.exe C:\Program Files\Dot1XCfg\Dot1XCfg.exe C:\Program Files\?icrosoft.NET\?pool32.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Network Monitor\netmon.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\System32\dllhost.exe C:\WINDOWS\System32\msdtc.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\System32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whatthetech.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\fjlyeisx.dll (file missing) O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF 968951185EFC412806867680AEDE604D64C2661373F819EBDCD66A47 O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" O4 - HKLM\..\Run: [MDNS] C:\WINDOWS\system32\service.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [{0c2a2176-63dd-9c18-bccf-f380a5195b69}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\tifdvplzezs.dll" DllStart O4 - HKLM\..\Run: [e87132ec] rundll32.exe "C:\WINDOWS\system32\xjvnrnkn.dll",b O4 - HKLM\..\Run: [BMeb420170] Rundll32.exe "C:\WINDOWS\system32\dhvrpkvd.dll",s O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe O4 - HKCU\..\Run: [Nant] "C:\WINDOWS\DOBE~1\spool32.exe" -vt yazb O4 - HKCU\..\Run: [Yfokmt] "C:\Program Files\Common Files\F?nts\?hkdsk.exe" O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\user\Application Data\WinTouch\WinTouch.exe O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\user\Application Data\Microsoft\Windows\uahgrgu.exe O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe O4 - HKCU\..\Run: [Muhhe] C:\WINDOWS\system32\?icrosoft\??plorer.exe O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe O4 - HKCU\..\Run: [Tngiijiv] "C:\Program Files\Common Files\?ymantec\w?nword.exe" O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe O4 - HKCU\..\Run: [Bafsl] "C:\Documents and Settings\user\Application Data\?racle\s?rvices.exe" O4 - HKCU\..\Run: [Cjyxpjn] C:\WINDOWS\??stem\r?ndll32.exe O4 - HKCU\..\Run: [Cssgt] "C:\Program Files\Common Files\?racle\w?auboot.exe" O4 - HKCU\..\Run: [Zxcdkbi] "C:\Program Files\Common Files\??mantec\w?auclt.exe" O4 - HKCU\..\Run: [Mtuewww] "C:\Documents and Settings\user\Application Data\?dobe\r?gedit.exe" O4 - HKCU\..\Run: [Kyvh] "C:\Program Files\?icrosoft.NET\?pool32.exe" O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe O4 - HKCU\..\Run: [SpyWatchE] C:\Program Files\SpyWatchE\SpyWatchE.exe O4 - HKCU\..\Run: [rkqm] C:\PROGRA~1\COMMON~1\rkqm\rkqmm.exe O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'Default user') O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?fdf7a4190ddd415389fb4c31d14a1505 O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?fdf7a4190ddd415389fb4c31d14a1505 O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.33/g_bin/eng/billard8_2_0_0_35.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.33/g_bin/eng/snooker_2_0_0_35.cab O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWV4aWNv\command.exe O23 - Service: DomainService - - C:\WINDOWS\system32\vlgcodvn.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\SYSTEM32\LEXBCES.EXE O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\prohdyhde.html O24 - Desktop Component 1: (no name) - C:\Program Files\WindowsUpdate\prohdyhde.html -- End of file - 9203 bytes

Rorschach112 View Member Profile	Jul 31 2008, 06:06 AM Post #2
SuperMember Group: Visiting Teacher Posts: 1,405 Joined: 29-September 07 Member No.: 73,164 Operating System: Windows XP	Hello Please visit this web page for instructions for downloading and running ComboFix http://www.bleepingcomputer.com/combofix/how-to-use-combofix This includes installing the Windows XP Recovery Console in case you have not installed it yet. For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058. Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal. Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Rorschach112 View Member Profile	Aug 3 2008, 04:16 PM Post #3
SuperMember Group: Visiting Teacher Posts: 1,405 Joined: 29-September 07 Member No.: 73,164 Operating System: Windows XP	Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log

« Next Oldest · HijackThis™ Logs and Infections Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies	Topic Starter	Views	Last Action
XP Antivirus 2008 - Anatomy of a malware SCAM	3	AplusWebMaster	58	9 minutes ago Last post by: AplusWebMaster
Can not find script file "C:\windows\system32\boot	0	kannu	4	Today, 01:51 AM Last post by: kannu
[Resolved] VIRUS ALERT! -- HijackThis log	12	anisbet	76	Yesterday, 11:48 PM Last post by: Tomk
Need help ! Windows cannot find "C:/Documents" & &	0	Jose0220	1	Yesterday, 11:44 PM Last post by: Jose0220
[Resolved] Outerinfo 123	37	lollypop	220	Yesterday, 05:40 PM Last post by: Rorschach112