Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Can I Please Get Hepl With My Log


  • This topic is locked This topic is locked
14 replies to this topic

#1 redddogg

redddogg

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 04 May 2007 - 07:38 AM

My PC keeps crashing and IE.exe keeps popping up. It also keeps telling me to debug. Thanks in advanced. J.J. My Log: Logfile of HijackThis v1.99.1 Scan saved at 8:31:05 AM, on 5/4/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\explorer.exe C:\WINDOWS\svchost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\msiexec.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182 O2 - BHO: (no name) - {59d034cf-2a91-4e72-b9c5-039fde93ddd0} - C:\WINDOWS\system32\drmdex.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll O20 - Winlogon Notify: drmdex - C:\WINDOWS\SYSTEM32\drmdex.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll O20 - Winlogon Notify: __c006EA13 - C:\WINDOWS\System32\__c006EA13.dat O21 - SSODL: rUlkqwytSf - {90A7CCF8-3A0D-6652-CA90-137091E9E94E} - C:\WINDOWS\System32\axks.dll O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 May 2007 - 06:49 AM

Hello and welcome to the forum

I see no protection at all on your PC :ph34r:

Click the HERE and Save, Install, Update and run a full scan.


Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 redddogg

redddogg

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 05 May 2007 - 07:58 AM

I have Sytem Mechanic7 Pro on my system (trial) but when I try to run it it says im in safemode.

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 May 2007 - 08:00 AM

Get the free anti-virus program I posted above and run the scan.

Reviews aren't very good.

http://www.amazon.co...o/dp/B000LJTH1I

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 redddogg

redddogg

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 05 May 2007 - 11:19 AM

I did what u told me now I cannot get online with that pc now. I can ping but I think my browser got hijacked. AVG found 141 trojans and when I open firefox now I keep getting exe threats. Im gonna post my log when I can get online or figure out how to get it to another pc that can connect online.

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 May 2007 - 11:24 AM

Your pc is badly infected.

Lets see if we can get the PC back on the internet. This file will fit on a floppy or thumb drive.

Get a copy of winsockxpfix.exe You just run it and
things should work OK after it reboots your system.

http://www.snapfiles...nsockxpfix.html

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 redddogg

redddogg

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 05 May 2007 - 05:54 PM

FINALLY...thanks Im back on. Firefox kept asking for proxy localhost port 8182. This is my latest log: Logfile of HijackThis v1.99.1 Scan saved at 6:48:22 PM, on 5/5/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Hijackthis\HijackThis.exe O2 - BHO: (no name) - {59d034cf-2a91-4e72-b9c5-039fde93ddd0} - C:\WINDOWS\system32\drmdex.dll (file missing) O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O20 - AppInit_DLLs: O20 - Winlogon Notify: drmdex - drmdex.dll (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: __c006EA13 - C:\WINDOWS\System32\__c006EA13.dat O21 - SSODL: rUlkqwytSf - {90A7CCF8-3A0D-6652-CA90-137091E9E94E} - C:\WINDOWS\System32\axks.dll (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 May 2007 - 06:07 PM

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean,

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Click Start > Run > and type in:

services.msc

Click OK.

In the services window find TCP and UDP Supp0rt
Right click and choose "Properties". On the "General" tab under "Service
Status" click the "Stop" button to stop the service. Beside "Startup Type"
in the dropdown menu select "Disabled". Click Apply then OK. Exit the
Services utility.



Close all windows and browsers.
Open HijackThis

Click on Open Misc Tools
Click on Delete a File On Reboot
Click once on the files below to select it:
C:\WINDOWS\9129837.exe
C:\WINDOWS\System32\__c006EA13.dat
C:\WINDOWS\System32\axks.dll
C:\WINDOWS\System32\tccpip.exe


Click on the Back button to exit Process Manager


Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O2 - BHO: (no name) - {59d034cf-2a91-4e72-b9c5-039fde93ddd0} - C:\WINDOWS\system32\drmdex.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: drmdex - drmdex.dll (file missing)
O20 - Winlogon Notify: __c006EA13 - C:\WINDOWS\System32\__c006EA13.dat
O21 - SSODL: rUlkqwytSf - {90A7CCF8-3A0D-6652-CA90-137091E9E94E} - C:\WINDOWS\System32\axks.dll (file missing)
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)

Close ALL windows and browsers except HijackThis and click "Fix checked"



Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.


Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 redddogg

redddogg

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 05 May 2007 - 06:45 PM

Im lost up to this point: Click on Delete a File On Reboot Click once on the files below to select it: C:\WINDOWS\9129837.exe C:\WINDOWS\System32\__c006EA13.dat C:\WINDOWS\System32\axks.dll C:\WINDOWS\System32\tccpip.exe Click on the Back button to exit Process Manager Once I click on Delete a file on Reboot the window pops up like if I was saving a file. I never got: C:\WINDOWS\9129837.exe C:\WINDOWS\System32\__c006EA13.dat C:\WINDOWS\System32\axks.dll C:\WINDOWS\System32\tccpip.exe

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 May 2007 - 06:51 PM

Did you insert all the files? If so, just move on with the fix :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#11 redddogg

redddogg

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 05 May 2007 - 07:38 PM

My log: Logfile of HijackThis v1.99.1 Scan saved at 8:30:07 PM, on 5/5/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Hijackthis\HijackThis.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: __c006EA13 - C:\WINDOWS\System32\__c006EA13.dat (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe The problems im having are. The pc will reboot itself 2 or 3 times when I first turn on then it says windows encountered a serious problem, Alot of popups, I noticed every 8 secs the hour glass (pointer) comes on for a half a sec. when I try to use firefox it keeps looking for localhost port 8182 everytime I clear it it comes back

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 May 2007 - 07:43 PM

Launch Notepad (Start>All Programs>Accessories), and copy/paste all the Quoted REGEDIT below to it. Don't forget to include REGEDIT4.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\__c006EA13]


On the desktop, doubleclick fix.reg and allow it to run. Let it merge.


Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O20 - Winlogon Notify: __c006EA13 - C:\WINDOWS\System32\__c006EA13.dat (file missing)

Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these Files if listed:
C:\WINDOWS\System32\__c006EA13.dat


Empty Recycle Bin

Restart your computer.

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#13 redddogg

redddogg

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 05 May 2007 - 08:09 PM

My log Logfile of HijackThis v1.99.1 Scan saved at 9:04:28 PM, on 5/5/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Hijackthis\HijackThis.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe Is there a reason why I have to keep clearing the proxy in firefox?

#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 06 May 2007 - 06:46 AM

I don't know, you may want to search in the Mozilla forums for any hint on that error code.


You can remove any programs I had you install. Use Add/Remove Programs to remove if listed there otherwise just delete them and empty recycle bin.

Log looks good :D


You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.



If you dont have any programs like these, I would recommend that you get them.
Spywareblaster,
Spywareguard.


Also get a FREE FIREWALL and FREE ANTI VIRUS if you need one.

Only run one Anti-Virus and Firewall program.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Do not use Ad-aware if you have McAfee's VirusScan and AntiSpyware


Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 May 2007 - 05:34 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users