Pc Slow And Trojan Discovered


This topic is locked
13 replies to this topic

#1 hud (New Member, 8 posts)

Posted 10 April 2007 - 09:12 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:04:20 PM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\browser\bak\ybrwicon.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Network Associates\VirusScan\mcconsol.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Documents and Settings\Ralph Hudnall\Desktop\HijackThis.exe
C:\WINDOWS\system32\regsvr32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {850C7964-9320-4055-BE11-7D7B562A6417} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: SensLogon - C:\WINDOWS\SYSTEM32\helper.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UmFscGggSHVkbmFsbA\command.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#2 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 12 April 2007 - 04:38 AM

hi Hud,

I'm Gary R, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

You are currently running HijackThis direct from your Desktop C:\Documents and Settings\Ralph Hudnall\Desktop\HijackThis.exe

HijackThis needs a permanent folder to store backups in. Please make a folder HJT on your Desktop and place HijackThis.exe in that folder.

DO NOT follow the steps below until you have moved HijackThis.

Download AVG Anti-Spyware.
  • Install AVG Anti-Spyware.
  • Launch AVG by double-clicking on the icon.
  • The program will now open to the main screen.
  • You will need to update AVG to the latest definition files.
  • At the top of the main screen click Update.
  • Then in the Manual Update section, click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
  • When updates are completed, close AVG.
  • Do not run a scan with AVG yet.
If you are having problems with the updater, you can use this link to manually update AVG.
AVG manual updates

We need to remove a service.
  • Click Start > Run now type sc stop cmdService click OK.
  • Click Start > Run now type sc delete cmdService click OK.
Note: There is a space between sc and stop/delete, and a space between stop/delete and cmdService.

Now run a scan with HJT and check the following entries (if found).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

O2 - BHO: (no name) - {850C7964-9320-4055-BE11-7D7B562A6417} - (no file)

O20 - Winlogon Notify: SensLogon - C:\WINDOWS\SYSTEM32\helper.dll

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UmFscGggSHVkbmFsbA\command.exe (file missing)


Now close all open windows and click Fix Checked to remove them.

Make sure that you can see hidden files and folders.
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Uncheck Hide protected operating system files; a pop-up will appear, answer Yes.
  • Click OK.
Reboot your computer in Safe Mode
  • If your computer is running, shut down Windows, then turn the power off.
  • Wait 30 seconds, then turn the computer on, and begin tapping the F8 key.
  • The Windows Advanced Options Menu appears. (If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again).
  • Select Safe Mode using the up/down arrow keys.
  • Press Enter.
  • Log on with an account that has administrator privileges (NOT the account named Administrator).
Now delete the following file and folder (in bold).

C:\WINDOWS\SYSTEM32\helper.dll <--- this file

C:\WINDOWS\UmFscGggSHVkbmFsbA <--- this folder

Reboot into Normal Mode

Run a scan with AVG.
  • Click on Scanner
    • Click on the Settings tab, and set the following settings.
      • How to act
      • Click on Recommended actions, and set to Quarantine.
    • How to scan
      • Check all options.
    • Possibly unwanted software.
      • Check all options.
    • Reports
      • Check Automatically generate report after every scan.
      • Uncheck Only if threats were found.
    • What to scan
      • Check Scan every file.
  • Click on the Scan tab.
    • Click on Complete System Scan and the scan will begin.
    • When the scan has finished
    • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
    • At the bottom of the window click on the Apply all Actions button.
Note: Don't save the report before you hit the Apply action button.

Close AVG Anti-Spyware.

AVG will save a report in the following location C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports

Send me the AVG log, along with a new HJT log please.

Edited by Gary R, 12 April 2007 - 04:54 AM.


#3 hud (New Member, 8 posts)

Posted 14 April 2007 - 12:32 PM

Hi Gary R., thank you for looking into my issue. I have completed the path you provided and went into "Safe Mode" but was unable to delete the file "helper.dll". Rec'd message "Access Denied ... file may be full, Write Protected, or In Use." I thought that in Safe Mode, dll files weren't used. Thanks, hud

#4 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 14 April 2007 - 02:00 PM

OK no problem, continue with the rest of the fix and send me the logs I requested. Usually processes aren't running in Safe Mode and it's possible to remove the file, however some Malware files are active in Safe Mode as well. There's other ways to remove the file and we'll try those once I can see what else may need to be done.

#5 hud (New Member, 8 posts)

Posted 16 April 2007 - 03:11 PM

Hi Gary R., I ran the AVG scan and during the quarantine process I received this error message: "The file C:\Documents and Settings\my name\Local Settings\Temp\E8C1DA.tmp/hauc.exe cannot be quarantined because it is embedded in the archive C:\Documents and Settings\my name\Local Settings\Temp\E8C1DA.tmp. Do you want to quarantine the whole archive?" (Yes / Yes, for All / No / No, for All). I also rec'd an error message "regsvr32.exe - application error: Application failed to init properly (0xC0000142). Click OK to terminate the app." Thanks, hud

#6 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 16 April 2007 - 03:43 PM

OK, just send me a new HJT log and let's see what needs to be attended to. If you've got a log from AVG send that as well, if not no problem.

#7 hud (New Member, 8 posts)

Posted 19 April 2007 - 06:05 AM

Good day Gary R.,
Here is the HJT log after the AVG scan. I was unable to retrieve that log, but I will keep trying, just so that I can see what it shows.

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 6:28:20 PM, on 4/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\browser\bak\ybrwicon.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\RALPHH~1\LOCALS~1\Temp191oKLUa.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Documents and Settings\Ralph Hudnall\Desktop\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Helper Class - {850C7964-9320-4055-BE11-7D7B562A6417} - C:\WINDOWS\system32\helper.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: SensLogon - C:\WINDOWS\SYSTEM32\helper.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
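Added example (an editor's illustration, not part of this thread and not HijackThis or ComboFix code): a short Python triage of HJT-format lines that mechanises what Gary R picks out in post #2 and what comparing this log with the one in post #1 shows. It flags entries marked (no file) or (file missing), a service with Unknown owner, any O20 Winlogon Notify DLL, and a folder name that is base64 of plain text; it then diffs two scans keyed by CLSID, so the BHO {850C7964-9320-4055-BE11-7D7B562A6417} going from (no file) to helper.dll shows up as a change rather than an unrelated add/remove. The sample lines, the folder name SmFuZSBEb2U and the text it decodes to are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample entries in HijackThis v1.99.1 line format, modelled on the
# thread above. The folder name SmFuZSBEb2U and what it decodes to are invented.
LOG_BEFORE = """\
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_10\\bin\\ssv.dll
O2 - BHO: (no name) - {850C7964-9320-4055-BE11-7D7B562A6417} - (no file)
O20 - Winlogon Notify: SensLogon - C:\\WINDOWS\\SYSTEM32\\helper.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\\WINDOWS\\SmFuZSBEb2U\\command.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\system32\\HPZipm12.exe
"""

LOG_AFTER = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_10\\bin\\ssv.dll
O2 - BHO: Helper Class - {850C7964-9320-4055-BE11-7D7B562A6417} - C:\\WINDOWS\\system32\\helper.dll
O20 - Winlogon Notify: SensLogon - C:\\WINDOWS\\SYSTEM32\\helper.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\system32\\HPZipm12.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Directory components of a Windows path: text between two backslashes.
DIR_RE = re.compile(r"\\([^\\]+)(?=\\)")


def decode_b64_name(component):
    """Return the plain text if `component` is (unpadded) base64 of a short
    ASCII string such as an account name, else None. Ordinary folder names
    either fail the decode or do not come out as printable text."""
    if len(component) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+", component):
        return None
    padded = component + "=" * (-len(component) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if re.fullmatch(r"[A-Za-z0-9 ._-]+", text) else None


def triage(log):
    """Return (line, reason) pairs for the entries a helper looks at first."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m["section"], m["body"]
        if "(no file)" in body or "(file missing)" in body:
            findings.append((line, "orphaned entry: the file it points at is gone"))
        if "Unknown owner" in body:
            findings.append((line, "service with no vendor string"))
        if section == "O20":
            findings.append((line, "Winlogon Notify DLL: loaded by winlogon.exe, which also runs in Safe Mode"))
        for comp in DIR_RE.findall(body):
            decoded = decode_b64_name(comp)
            if decoded:
                findings.append((line, f"folder name {comp!r} is base64 of {decoded!r}"))
    return findings


def parse(log):
    """Key each entry by (section, CLSID) when it carries a CLSID, so a GUID
    whose target changes between scans shows as 'changed' rather than as an
    unrelated add/remove; every other entry is keyed by its full text."""
    entries = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        clsid = CLSID_RE.search(line)
        key = (m["section"], clsid.group(0).upper() if clsid else line)
        entries[key] = line
    return entries


def diff_logs(before, after):
    """Compare two scans: what appeared, what disappeared, what changed target."""
    b, a = parse(before), parse(after)
    return {
        "added": [a[k] for k in a if k not in b],
        "removed": [b[k] for k in b if k not in a],
        "changed": [(b[k], a[k]) for k in a if k in b and a[k] != b[k]],
    }


if __name__ == "__main__":
    for line, reason in triage(LOG_BEFORE):
        print(f"{reason}\n    {line}")
    for kind, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"{kind}: {items}")
```

Two things the output makes concrete. The O20 flag is why the Safe Mode deletion in post #3 failed with Access Denied: a Winlogon Notify DLL is loaded by winlogon.exe, which runs in Safe Mode as well, so the file is in use. And decoding the cmdService folder name from post #1 the same way gives the account name that appears in that log's Documents and Settings path, which is what the base64 check is there to catch.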

#8 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 19 April 2007 - 07:36 AM

Hi hud,
  • Download combofix.exe by sUBs
  • Alternate Download
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply please, along with a new HJT log.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#9 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 26 April 2007 - 01:33 AM

Do you still need help with your computer? If so, please post the logs asked for in my last post.

#10 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 27 April 2007 - 01:10 AM

Due to a lack of a response this topic is now closed.

If you wish it reopened, please send us an email with a link to your thread.

Don't bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R

#11 hud (New Member, 8 posts)

Posted 01 May 2007 - 07:51 PM

Good day Gary R.,
PC so slow. I'm just now able to get access to pull down 'topic info' from your posts. I was unable to copy the HJT logs, so I had to manually copy them to a Word doc and then post to id.
Here is the combofix and HJT you requested:

05-02-21 15:46	  12	--a------	C:\Qoobox\Quarantine\C\Program Files\TheSearchAccelerator\toolbar.cfg.vir
05-02-21 15:46	  1406	--a------	C:\Qoobox\Quarantine\C\Program Files\TheSearchAccelerator\logo.ico.vir
05-06-09 13:01	  1405	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\readme.txt.vir
06-02-22 16:46	  8197	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\license.txt.vir
06-06-09 10:06	  16929	--a------	C:\Qoobox\Quarantine\C\Program Files\Cowabanga\License.txt.vir
06-07-19 10:35	  307200	--a------	C:\Qoobox\Quarantine\C\Program Files\System Files\System.exe.vir
06-07-20 16:31	  1163264	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\wfxqhv.exe.vir
06-07-21 22:17	  1	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\vx.tll.vir
06-07-21 22:17	  100	--a------	C:\Qoobox\Quarantine\C\Program Files\BraveSentry\BraveSentry.lic.vir
06-07-21 22:17	  1513009	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\RALPHH~1\APPLIC~1\Install.dat.vir
06-07-21 22:18	  16	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\dlh9jkdq8.exe.vir
06-07-21 22:18	  4	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\winsub.xml.vir
06-07-21 22:18	  61	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\svcp.csv.vir
06-07-23 09:15	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\1.txt.vir
06-07-23 09:15	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\2.txt.vir
06-08-08 09:56	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\keyboard1.dat.vir
06-08-08 09:56	  221184	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\xeymi.dll.vir
06-08-08 09:56	  36864	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\n9nyb.exe.vir
06-08-08 09:56	  865275	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pixk5gp2.phy.vir
06-08-08 09:58	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\newname.dat.vir
06-08-08 09:58	  10551	--a------	C:\Qoobox\Quarantine\C\Program Files\TheSearchAccelerator\INSTALL.LOG.vir
06-08-08 09:58	  22486	--a------	C:\Qoobox\Quarantine\C\Program Files\System Icons\439.ico.vir
06-08-08 09:58	  22486	--a------	C:\Qoobox\Quarantine\C\Program Files\System Icons\440.ico.vir
06-08-08 09:58	  22486	--a------	C:\Qoobox\Quarantine\C\Program Files\System Icons\441.ico.vir
06-08-08 10:01	  14	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\NETWOR~1\APPLIC~1\NetMon\domains.txt.vir
06-08-08 10:01	  248	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\NETWOR~1\APPLIC~1\NetMon\log.txt.vir
06-08-08 18:57	  211	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\whAgent.ini.vir
06-08-12 15:34	  28672	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32bez6n4r21.exe.vir
06-08-12 15:34	  36864	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32n9nyb.exe.vir
06-08-12 15:34	  45056	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32ghynf.exe.vir
06-08-12 15:35	  28672	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\iqqr.exe.vir
06-08-12 16:52	  28672	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\bez6n4r21.exe.vir
06-08-12 22:45	  1841	--a------	C:\Qoobox\Quarantine\C\Program Files\TheSearchAccelerator\TBlogin.users.ucmore.com.4.5.40.0.vir
06-08-12 23:55	  14	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\domains.txt.vir
06-08-12 23:55	  77102	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\log.txt.vir
06-08-14 17:13	  295910	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\atmtd.dll.tmp.vir
06-11-28 22:36	  732801	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\RALPHH~1\APPLIC~1\Sskknwrd.dll.vir
06-11-29 22:53	  113	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\RALPHH~1\APPLIC~1\Sskdmns.dll.vir
06-11-29 23:01	  28	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\RALPHH~1\APPLIC~1\Sskcwrd.dll.vir
07-04-30 20:44	  2830	--a------	C:\Qoobox\Quarantine\Registry_backups\services_Network Monitor.reg.cf
07-04-30 20:44	  870	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf
99-12-23 14:12	  11264	--a------	C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\sporder.dll.vir

Folder PATH listing
Volume serial number is 84ED-2974
C:\QOOBOX
\---Quarantine
	+---C
	|   +---DOCUME~1
	|   |   +---LOCALS~1
	|   |   |   \---APPLIC~1
	|   |   |	   \---NetMon
	|   |   |			   domains.txt.vir
	|   |   |			   log.txt.vir
	|   |   |			   
	|   |   +---NETWOR~1
	|   |   |   \---APPLIC~1
	|   |   |	   \---NetMon
	|   |   |			   domains.txt.vir
	|   |   |			   log.txt.vir
	|   |   |			   
	|   |   \---RALPHH~1
	|   |	   \---APPLIC~1
	|   |			   Install.dat.vir
	|   |			   Sskcwrd.dll.vir
	|   |			   Sskdmns.dll.vir
	|   |			   Sskknwrd.dll.vir
	|   |			   
	|   +---Program Files
	|   |   +---BraveSentry
	|   |   |	   BraveSentry.lic.vir
	|   |   |	   
	|   |   +---Cowabanga
	|   |   |	   License.txt.vir
	|   |   |	   
	|   |   +---System Files
	|   |   |	   System.exe.vir
	|   |   |	   
	|   |   +---System Icons
	|   |   |	   439.ico.vir
	|   |   |	   440.ico.vir
	|   |   |	   441.ico.vir
	|   |   |	   
	|   |   +---TheSearchAccelerator
	|   |   |	   INSTALL.LOG.vir
	|   |   |	   logo.ico.vir
	|   |   |	   TBlogin.users.ucmore.com.4.5.40.0.vir
	|   |   |	   toolbar.cfg.vir
	|   |   |	   
	|   |   \---webHancer
	|   |	   \---Programs
	|   |			   license.txt.vir
	|   |			   readme.txt.vir
	|   |			   sporder.dll.vir
	|   |			   whAgent.ini.vir
	|   |			   
	|   \---WINDOWS
	|	   |   keyboard1.dat.vir
	|	   |   newname.dat.vir
	|	   |   system32bez6n4r21.exe.vir
	|	   |   system32ghynf.exe.vir
	|	   |   system32n9nyb.exe.vir
	|	   |   
	|	   \---system32
	|			   1.txt.vir
	|			   2.txt.vir
	|			   atmtd.dll.tmp.vir
	|			   bez6n4r21.exe.vir
	|			   dlh9jkdq8.exe.vir
	|			   iqqr.exe.vir
	|			   n9nyb.exe.vir
	|			   pixk5gp2.phy.vir
	|			   svcp.csv.vir
	|			   vx.tll.vir
	|			   wfxqhv.exe.vir
	|			   winsub.xml.vir
	|			   xeymi.dll.vir
	|			   
	\---Registry_backups
			LEGACY_NETWORK_MONITOR.reg.cf
			services_Network Monitor.reg.cf

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 9:03:13 PM, on 4/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Ralph Hudnall\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\regsvr32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {850C7964-9320-4055-BE11-7D7B562A6417} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: SensLogon - C:\WINDOWS\SYSTEM32\helper.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
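Added example, not part of hud's post and not HijackThis code: a small Python triage pass over the O2/O20/O23 lines of the log above. It makes the point the next reply acts on. An O20 "Winlogon Notify" entry is a DLL that winlogon.exe loads at every logon, so a stock key name such as SensLogon resolving to anything other than the DLL it ships with (wlnotify.dll on a stock Windows XP SP2 install) is a persistence hook, and an O2 BHO listed with "(no file)" is an orphaned CLSID registration. The stock-key table and the "service binary outside Program Files or Windows" heuristic are this example's own assumptions; verify them against a known-clean machine before relying on them. The sample lines are copied from the log above.

```python
"""Triage of HijackThis O2/O20/O23 lines (added example; not part of the thread)."""
import ntpath
import re
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    line: str
    reason: str


# Winlogon notify packages on a stock Windows XP SP2 install (assumption of
# this example: verify against a known-clean box). Each value is the DLL the
# key normally loads into winlogon.exe, so a stock key name resolving to a
# different DLL is a hijack, not merely an unknown entry.
STOCK_NOTIFY_KEYS: Dict[str, str] = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogon": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}
STOCK_NOTIFY_DLLS = set(STOCK_NOTIFY_KEYS.values())

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<desc>.*?)(?: \((?P<short>[^)]*)\))? - (?P<company>.*?) - (?P<path>.*)$"
)

# Where service binaries normally live on a home XP box (assumption).
EXPECTED_SERVICE_ROOTS = ("c:\\program files\\", "c:\\windows\\")


def check_o2(m) -> Optional[str]:
    if m["path"].strip().lower() == "(no file)":
        return "orphaned BHO: CLSID registered but its DLL is gone"
    return None


def check_o20(m) -> Optional[str]:
    dll = ntpath.basename(m["path"].strip()).lower()
    expected = STOCK_NOTIFY_KEYS.get(m["name"].lower())
    if expected and dll != expected:
        return f"stock notify key {m['name']} should load {expected}, loads {dll}"
    if dll not in STOCK_NOTIFY_DLLS:
        return f"non-stock Winlogon notify DLL {dll}: loaded into winlogon.exe at every logon"
    return None


def check_o23(m) -> Optional[str]:
    path = m["path"].strip().strip('"').lower()
    if not path.startswith(EXPECTED_SERVICE_ROOTS):
        return "service binary outside Program Files / Windows"
    return None


CHECKS = ((O2_RE, check_o2), (O20_RE, check_o20), (O23_RE, check_o23))


def triage(lines) -> List[Finding]:
    """Return one Finding per line that trips a check, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        for pattern, check in CHECKS:
            m = pattern.match(line)
            if m:
                reason = check(m)
                if reason:
                    findings.append(Finding(line, reason))
                break
    return findings


# Lines copied from the log above; the whole log would be fed in the same way.
SAMPLE_LINES = [
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll",
    r"O2 - BHO: (no name) - {850C7964-9320-4055-BE11-7D7B562A6417} - (no file)",
    r"O20 - Winlogon Notify: SensLogon - C:\WINDOWS\SYSTEM32\helper.dll",
    r"O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe",
    r"O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports exactly the two entries the helper below asks to fix: the orphaned BHO and the SensLogon key loading helper.dll instead of wlnotify.dll. The Java BHO and both services pass. A real run would paste the whole HJT log into `triage`.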

#12 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 01 May 2007 - 08:33 PM

This topic has been reopened by request of the starter of this topic, or it has been moved to the correct forum.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days.

 

Proud graduate of TC/WTT Classroom

 


#13 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 02 May 2007 - 07:48 AM

Hi Hud,

Download Pocket Killbox and install it to your Desktop. Do not run it yet.
  • First copy the filepaths in the box below to your clipboard, by highlighting them and pressing Ctrl+C.

C:\WINDOWS\SYSTEM32\helper.dll

  • Open Killbox and put a check mark in the "RadioBox" which says Delete On Reboot.
  • Click File > Paste from Clipboard.
  • Click All Files button.
  • Click on the Red button with a Cross, and answer Yes when prompted to Backup and Delete the pasted files.
  • Answer Yes when prompted to Reboot now.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, download and run missingfilesetup.exe. Then try Killbox again.
  • Click Start > Run and type cleanmgr then click OK.
  • This will bring up the Disk Cleanup window.
  • Check the following entries.
    • Temporary Internet Files.
    • Recycle Bin.
    • Temporary Files.
  • Click OK.
  • When a prompt pops up click Yes.
Go to Control Panel > Add/Remove Programs and uninstall any of these (if found):

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin

or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga

and any other programs you didn't install or don't recognize - if you're not sure please ask first.

Download and run OiUninstaller.exe

Tutorial for the uninstaller if needed

Now install MVPS HOSTS:

Create a new folder somewhere you can find it, and name it Hosts.

Download and unzip hosts.zip to that folder.

Open up the Hosts folder and double-click on the mvps.bat file; it will rename your present HOSTS file to HOSTS.MVP, then it will copy the new HOSTS file to the correct location on your machine. It happens very quickly, so don't blink!

You're done with this step.

Next....

Run a scan with HJT and check the following items.

O2 - BHO: (no name) - {850C7964-9320-4055-BE11-7D7B562A6417} - (no file)
O20 - Winlogon Notify: SensLogon - C:\WINDOWS\SYSTEM32\helper.dll


Now close all open windows and click Fix Checked to remove them.

Reboot your computer, please.


Please download SmitfraudFix (by S!Ri) and extract it to your Desktop. (Do not run it yet)

Now run SmitfraudFix.
  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #1 - Search by typing 1 and press Enter (a text file will appear, which lists infected files if present).
  • Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Edited by Gary R, 02 May 2007 - 07:54 AM.
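Added example, not Killbox's code and not from Gary R's reply: why the first step above has to be "Delete On Reboot", and what that does under the hood. helper.dll is registered as a Winlogon notify package, so it is mapped into winlogon.exe and cannot be deleted while Windows is running. The standard Windows mechanism for deferring the deletion is the PendingFileRenameOperations REG_MULTI_SZ value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which Session Manager replays at the next boot before winlogon starts; it is the same value MoveFileEx writes when called with MOVEFILE_DELAY_UNTIL_REBOOT. Whether Killbox uses exactly this API is not stated in the thread and is an assumption here. The Python below builds and decodes that value with pure functions (runnable anywhere, which is also how you would review what a suspect machine has queued for its next boot, since malware uses the same value) and only touches the registry in apply_on_windows, which needs Windows and an administrator token.

```python
"""Delete-on-reboot via PendingFileRenameOperations (added example; not Killbox's code)."""
import sys
from typing import List

PFRO_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PFRO_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"   # Session Manager works on NT object-manager paths, not Win32 ones


def to_nt_path(win_path: str) -> str:
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def from_nt_path(nt_path: str) -> str:
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path


def add_delete(entries: List[str], win_path: str) -> List[str]:
    """Return a new REG_MULTI_SZ list with win_path queued for deletion.

    The value is a flat list of (source, destination) pairs; an empty
    destination means "delete source". Existing pairs are kept so that renames
    queued by Windows Update or an installer are not clobbered.
    """
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    src = to_nt_path(win_path)
    for s, d in zip(entries[::2], entries[1::2]):
        if s.lower() == src.lower() and d == "":
            return list(entries)          # already queued; leave the value unchanged
    return list(entries) + [src, ""]


def describe(entries: List[str]) -> List[str]:
    """Human-readable view of what Session Manager will do at the next boot."""
    out: List[str] = []
    for s, d in zip(entries[::2], entries[1::2]):
        src = from_nt_path(s)
        if d == "":
            out.append(f"DELETE {src}")
            continue
        replace = d.startswith("!")       # leading '!' = MOVEFILE_REPLACE_EXISTING
        dst = from_nt_path(d[1:] if replace else d)
        out.append(f"RENAME {src} -> {dst}" + (" (replace existing)" if replace else ""))
    return out


def apply_on_windows(win_path: str) -> List[str]:
    """Merge win_path into the live value. Windows only; needs admin rights."""
    if sys.platform != "win32":
        raise RuntimeError("registry access only works on Windows")
    import winreg
    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PFRO_KEY, 0, access) as key:
        try:
            current, _kind = winreg.QueryValueEx(key, PFRO_VALUE)
        except FileNotFoundError:
            current = []                  # nothing queued yet
        updated = add_delete(list(current), win_path)
        winreg.SetValueEx(key, PFRO_VALUE, 0, winreg.REG_MULTI_SZ, updated)
    return updated


if __name__ == "__main__":
    # Default target is the DLL named in the reply above; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\SYSTEM32\helper.dll"
    print("\n".join(describe(add_delete([], target))))
    if "--apply" in sys.argv:
        apply_on_windows(target)
```

Without --apply the script only prints what would be queued; with it (on Windows, elevated) it merges the entry into the live value, and a second run is a no-op because add_delete is idempotent. Re-read the value afterwards with describe to confirm the entry landed, and note that the HJT "Fix checked" step removes the registry hook while this removes the file, so the two steps together are what actually unhooks winlogon.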


#14 Gary R (MRU Administrator, MRU Teachers, 1,510 posts)

Posted 09 May 2007 - 02:09 AM

Due to a lack of a response this topic is now closed.

If you wish it reopened, please send us an email with a link to your thread.

Don't bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R


Note to ADMIN, I will be on holiday till 21st May, should original poster request re-opening this thread yet again.
