WE'RE SURE THAT YOU'LL LOVE US!
Hey there! 
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.
Try What the Tech -- It's free!
Can I Please Get Hepl With My Log
Started by
redddogg
, May 04 2007 07:38 AM
-
This topic is locked
14 replies to this topic
#1
redddogg
-
- Authentic Member
-
- 11 posts
New Member
Posted 04 May 2007 - 07:38 AM
Register to Remove
#2
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 05 May 2007 - 06:49 AM
Hello and welcome to the forum
I see no protection at all on your PC
Click the HERE and Save, Install, Update and run a full scan.
Empty Recycle Bin
Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment
I see no protection at all on your PC
Click the HERE and Save, Install, Update and run a full scan.
Empty Recycle Bin
Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to 
for the help you received.
Proud graduate of TC/WTT Classroom
#3
redddogg
-
- Authentic Member
-
- 11 posts
New Member
Posted 05 May 2007 - 07:58 AM
I have Sytem Mechanic7 Pro on my system (trial) but when I try to run it it says im in safemode.
#4
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 05 May 2007 - 08:00 AM
Get the free anti-virus program I posted above and run the scan.
Reviews aren't very good.
http://www.amazon.co...o/dp/B000LJTH1I
Reviews aren't very good.
http://www.amazon.co...o/dp/B000LJTH1I
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#5
redddogg
-
- Authentic Member
-
- 11 posts
New Member
Posted 05 May 2007 - 11:19 AM
I did what u told me now I cannot get online with that pc now. I can ping but I think my browser got hijacked. AVG found 141 trojans and when I open firefox now I keep getting exe threats. Im gonna post my log when I can get online or figure out how to get it to another pc that can connect online.
#6
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 05 May 2007 - 11:24 AM
Your pc is badly infected.
Lets see if we can get the PC back on the internet. This file will fit on a floppy or thumb drive.
Get a copy of winsockxpfix.exe You just run it and
things should work OK after it reboots your system.
http://www.snapfiles...nsockxpfix.html
Lets see if we can get the PC back on the internet. This file will fit on a floppy or thumb drive.
Get a copy of winsockxpfix.exe You just run it and
things should work OK after it reboots your system.
http://www.snapfiles...nsockxpfix.html
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#7
redddogg
-
- Authentic Member
-
- 11 posts
New Member
Posted 05 May 2007 - 05:54 PM
FINALLY...thanks Im back on. Firefox kept asking for proxy localhost port 8182. This is my latest log:
Logfile of HijackThis v1.99.1
Scan saved at 6:48:22 PM, on 5/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: (no name) - {59d034cf-2a91-4e72-b9c5-039fde93ddd0} - C:\WINDOWS\system32\drmdex.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: drmdex - drmdex.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c006EA13 - C:\WINDOWS\System32\__c006EA13.dat
O21 - SSODL: rUlkqwytSf - {90A7CCF8-3A0D-6652-CA90-137091E9E94E} - C:\WINDOWS\System32\axks.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
#8
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 05 May 2007 - 06:07 PM
Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
I suggest you do this:
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.
Please do not delete anything unless instructed to.
Click Start > Run > and type in:
services.msc
Click OK.
In the services window find TCP and UDP Supp0rt
Right click and choose "Properties". On the "General" tab under "Service
Status" click the "Stop" button to stop the service. Beside "Startup Type"
in the dropdown menu select "Disabled". Click Apply then OK. Exit the
Services utility.
Close all windows and browsers.
Open HijackThis
Click on Open Misc Tools
Click on Delete a File On Reboot
Click once on the files below to select it:
C:\WINDOWS\9129837.exe
C:\WINDOWS\System32\__c006EA13.dat
C:\WINDOWS\System32\axks.dll
C:\WINDOWS\System32\tccpip.exe
Click on the Back button to exit Process Manager
Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:
O2 - BHO: (no name) - {59d034cf-2a91-4e72-b9c5-039fde93ddd0} - C:\WINDOWS\system32\drmdex.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: drmdex - drmdex.dll (file missing)
O20 - Winlogon Notify: __c006EA13 - C:\WINDOWS\System32\__c006EA13.dat
O21 - SSODL: rUlkqwytSf - {90A7CCF8-3A0D-6652-CA90-137091E9E94E} - C:\WINDOWS\System32\axks.dll (file missing)
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
Close ALL windows and browsers except HijackThis and click "Fix checked"
Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)
It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.
Reboot and "copy/paste" a new HijackThis log file into this thread.
Also please describe how your computer behaves at the moment.
- Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
- Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
- Consider what other private information could possibly have been taken from your computer and take appropriate steps
I suggest you do this:
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.
Please do not delete anything unless instructed to.
Click Start > Run > and type in:
services.msc
Click OK.
In the services window find TCP and UDP Supp0rt
Right click and choose "Properties". On the "General" tab under "Service
Status" click the "Stop" button to stop the service. Beside "Startup Type"
in the dropdown menu select "Disabled". Click Apply then OK. Exit the
Services utility.
Close all windows and browsers.
Open HijackThis
Click on Open Misc Tools
Click on Delete a File On Reboot
Click once on the files below to select it:
C:\WINDOWS\9129837.exe
C:\WINDOWS\System32\__c006EA13.dat
C:\WINDOWS\System32\axks.dll
C:\WINDOWS\System32\tccpip.exe
Click on the Back button to exit Process Manager
Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:
O2 - BHO: (no name) - {59d034cf-2a91-4e72-b9c5-039fde93ddd0} - C:\WINDOWS\system32\drmdex.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: drmdex - drmdex.dll (file missing)
O20 - Winlogon Notify: __c006EA13 - C:\WINDOWS\System32\__c006EA13.dat
O21 - SSODL: rUlkqwytSf - {90A7CCF8-3A0D-6652-CA90-137091E9E94E} - C:\WINDOWS\System32\axks.dll (file missing)
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
Close ALL windows and browsers except HijackThis and click "Fix checked"
Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)
It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.
Reboot and "copy/paste" a new HijackThis log file into this thread.
Also please describe how your computer behaves at the moment.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#9
redddogg
-
- Authentic Member
-
- 11 posts
New Member
Posted 05 May 2007 - 06:45 PM
Im lost up to this point:
Click on Delete a File On Reboot
Click once on the files below to select it:
C:\WINDOWS\9129837.exe
C:\WINDOWS\System32\__c006EA13.dat
C:\WINDOWS\System32\axks.dll
C:\WINDOWS\System32\tccpip.exe
Click on the Back button to exit Process Manager
Once I click on Delete a file on Reboot the window pops up like if I was saving a file. I never got:
C:\WINDOWS\9129837.exe
C:\WINDOWS\System32\__c006EA13.dat
C:\WINDOWS\System32\axks.dll
C:\WINDOWS\System32\tccpip.exe
#10
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 05 May 2007 - 06:51 PM
Did you insert all the files? If so, just move on with the fix 
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#11
redddogg
-
- Authentic Member
-
- 11 posts
New Member
Posted 05 May 2007 - 07:38 PM
My log:
Logfile of HijackThis v1.99.1
Scan saved at 8:30:07 PM, on 5/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c006EA13 - C:\WINDOWS\System32\__c006EA13.dat (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
The problems im having are. The pc will reboot itself 2 or 3 times when I first turn on then it says windows encountered a serious problem, Alot of popups, I noticed every 8 secs the hour glass (pointer) comes on for a half a sec. when I try to use firefox it keeps looking for localhost port 8182 everytime I clear it it comes back
#12
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 05 May 2007 - 07:43 PM
Launch Notepad (Start>All Programs>Accessories), and copy/paste all the Quoted REGEDIT below to it. Don't forget to include REGEDIT4.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
On the desktop, doubleclick fix.reg and allow it to run. Let it merge.
Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:
O20 - Winlogon Notify: __c006EA13 - C:\WINDOWS\System32\__c006EA13.dat (file missing)
Close ALL windows and browsers except HijackThis and click "Fix checked"
Delete these Files if listed:
C:\WINDOWS\System32\__c006EA13.dat
Empty Recycle Bin
Restart your computer.
Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\__c006EA13]
On the desktop, doubleclick fix.reg and allow it to run. Let it merge.
Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:
O20 - Winlogon Notify: __c006EA13 - C:\WINDOWS\System32\__c006EA13.dat (file missing)
Close ALL windows and browsers except HijackThis and click "Fix checked"
Delete these Files if listed:
C:\WINDOWS\System32\__c006EA13.dat
Empty Recycle Bin
Restart your computer.
Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#13
redddogg
-
- Authentic Member
-
- 11 posts
New Member
Posted 05 May 2007 - 08:09 PM
My log
Logfile of HijackThis v1.99.1
Scan saved at 9:04:28 PM, on 5/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
Is there a reason why I have to keep clearing the proxy in firefox?
#14
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 06 May 2007 - 06:46 AM
I don't know, you may want to search in the Mozilla forums for any hint on that error code.
You can remove any programs I had you install. Use Add/Remove Programs to remove if listed there otherwise just delete them and empty recycle bin.
Log looks good
You need to create a new Clean restore point.
Note: This will remove all previous Restore Points
Turn off System Restore:
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer, turn it back on.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.
If you dont have any programs like these, I would recommend that you get them.
Spywareblaster,
Spywareguard.
Also get a FREE FIREWALL and FREE ANTI VIRUS if you need one.
Only run one Anti-Virus and Firewall program.
It is critical to have both a firewall and anti virus to protect your system.
Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.
Do not use Ad-aware if you have McAfee's VirusScan and AntiSpyware
Safe Surfing.
I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein
You can remove any programs I had you install. Use Add/Remove Programs to remove if listed there otherwise just delete them and empty recycle bin.
Log looks good
You need to create a new Clean restore point.
Note: This will remove all previous Restore Points
Turn off System Restore:
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer, turn it back on.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.
If you dont have any programs like these, I would recommend that you get them.
Spywareblaster,
Spywareguard.
Also get a FREE FIREWALL and FREE ANTI VIRUS if you need one.
Only run one Anti-Virus and Firewall program.
It is critical to have both a firewall and anti virus to protect your system.
Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.
Do not use Ad-aware if you have McAfee's VirusScan and AntiSpyware
Safe Surfing.
I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#15
LDTate
-
- Root Admin
-
- 57,211 posts
Grand Poobah
Posted 07 May 2007 - 05:34 PM
Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
Coyote's Installed programs for prevention:
http://forums.tomcoy...showtopic=31418
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
Coyote's Installed programs for prevention:
http://forums.tomcoy...showtopic=31418
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
1 user(s) are reading this topic
0 members, 1 guests, 0 anonymous users
