
[Closed] I NEED HELP A.S.A.P.


  • This topic is locked
4 replies to this topic

#1 yourcoolbub

yourcoolbub

    New Member

  • New Member
  • 2 posts

Posted 03 June 2008 - 07:18 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:24 PM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {b3e673e1-2553-189a-3a04-bee3813853f1} - {1f358318-3eeb-40a3-a981-35521e376e3b} - C:\WINDOWS\system32\ldoejblr.dll
O2 - BHO: (no name) - {438310B5-1EB7-4D38-924B-2D73F71783EE} - C:\WINDOWS\system32\mlJAsqpo.dll
O2 - BHO: (no name) - {4DD4C0BF-CD61-4E87-8CCC-4B073DDEAE6B} - C:\WINDOWS\system32\awtqoLEw.dll
O2 - BHO: (no name) - {5AFC6C91-01DA-456B-9BFD-7CC77964DA78} - C:\WINDOWS\system32\cbXNHYoM.dll
O2 - BHO: (no name) - {84276A31-F98E-498D-9490-DEEB3DB482D2} - C:\WINDOWS\system32\geBroLEv.dll
O2 - BHO: (no name) - {874DBF50-5162-45CC-95FB-D17BA449B8F8} - C:\WINDOWS\system32\fccccDvV.dll
O2 - BHO: (no name) - {8DC8CB63-1B2B-4544-875B-6B3A81E03A07} - C:\WINDOWS\system32\mlJBSlKB.dll
O2 - BHO: (no name) - {8EE72EA5-918F-4A65-AC89-3A0B5FA0D115} - C:\WINDOWS\system32\xxyaabCt.dll
O2 - BHO: (no name) - {A1CA2CFC-F1D2-4604-86BE-78135B48C367} - C:\WINDOWS\system32\cbXNHAsq.dll
O2 - BHO: (no name) - {A20D223E-6798-4533-BFBD-E8FF3A0C36A0} - C:\WINDOWS\system32\vtUmJBTm.dll
O2 - BHO: (no name) - {AC1DFC31-09E7-4116-92E4-4C13942EDDF1} - C:\WINDOWS\system32\mlJCSlMg.dll
O2 - BHO: (no name) - {C0F39D64-B51E-4D8F-82AB-22BA4D9128C5} - C:\WINDOWS\system32\ssqrssRL.dll (file missing)
O2 - BHO: (no name) - {CD6FFED6-6535-45F8-A714-DBA7800835B6} - C:\WINDOWS\system32\byXQIAqp.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\arpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [{F4-4D-DD-DA-DW}] C:\windows\system32\jnwnw64m.exe DWramXX
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\ocntokdm.exe DWramXX
O4 - HKLM\..\Run: [74df4d75] rundll32.exe "C:\WINDOWS\system32\drjjbttw.dll",b
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinMedia] C:\361101032253584.exe
O4 - HKCU\..\Run: [Winsvr] C:\3611010322516384.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [BM77ec7ee9] Rundll32.exe "C:\WINDOWS\system32\rkokaqmd.dll",s
O4 - HKCU\..\Run: [A00F24DDBE.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F24DDBE.exe
O4 - HKCU\..\Run: [A00F281971.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F281971.exe
O4 - HKCU\..\Run: [A00F72CCA.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F72CCA.exe
O4 - HKCU\..\Run: [A00F41048.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F41048.exe
O4 - HKCU\..\Run: [A00F77EE2.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F77EE2.exe
O4 - HKCU\..\Run: [A00FB4DFB.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00FB4DFB.exe
O4 - HKCU\..\Run: [A00F120B14.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F120B14.exe
O4 - HKCU\..\Run: [A00F100A8C5.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F100A8C5.exe
O4 - HKLM\..\Policies\Explorer\Run: [isamonitor.exe] C:\Program Files\Video ActiveX Object\isamonitor.exe
O4 - HKLM\..\Policies\Explorer\Run: [pmsngr.exe] C:\Program Files\Video ActiveX Object\pmsngr.exe
O4 - Global Startup: IEEE802.11b WLAN Card Utility.lnk = C:\Program Files\Wireless\WE302R\Gcc.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...od/install.html
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1172278013125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1211753611000
O16 - DPF: {CT id=e codeBase=http://www.www2.p0rt2.com/files/epl99bf2.cab classid=clsid:33331111-1111-1111-1111-615111193427} -
O20 - Winlogon Notify: __c00957C6 - C:\WINDOWS\system32\__c00957C6.dat
O23 - Service: F-Secure BlackLight Sensor - F-Secure Corporation - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8433 bytes
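A defender-side triage helper for logs in this format, added here as an example; it is not part of the original thread, of HijackThis, or of the helper's procedure. It parses lines in the HijackThis v2 layout shown above and flags the patterns an analyst checks first: an extra UserInit entry (F2), BHOs with no readable name or with a random-looking eight-letter module in system32 (O2), autostarts from a Temp directory, the drive root, or Policies\Explorer\Run, and rundll32 loading a random-named DLL (O4), a DPF entry with no codebase URL (O16), and a Winlogon Notify handler pointing at a .dat file (O20). The sample lines are constructed after the format of this log, and the heuristics are this example's own assumptions, not rules from HijackThis.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis v2 format, modelled on the log above (it is not that log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {438310B5-1EB7-4D38-924B-2D73F71783EE} - C:\WINDOWS\system32\mlJAsqpo.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [74df4d75] rundll32.exe "C:\WINDOWS\system32\drjjbttw.dll",b
O4 - HKCU\..\Run: [Winsvr] C:\3611010322516384.exe
O4 - HKCU\..\Run: [A00F24DDBE.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F24DDBE.exe
O4 - HKLM\..\Policies\Explorer\Run: [isamonitor.exe] C:\Program Files\Video ActiveX Object\isamonitor.exe
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O20 - Winlogon Notify: __c00957C6 - C:\WINDOWS\system32\__c00957C6.dat
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
""".strip()

# Every HijackThis entry starts with a section code (R0, F2, O4, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Heuristic (assumption of this example): eight random letters as a module name in system32.
RANDOM_NAME_RE = re.compile(r"\\system32\\[A-Za-z]{8}\.(dll|exe)\b", re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# An .exe sitting directly in the root of a drive, e.g. C:\winstall.exe
DRIVE_ROOT_EXE_RE = re.compile(r'^\s*"?[A-Za-z]:\\[^\\"]+\.exe"?', re.IGNORECASE)


def check_line(line: str) -> List[str]:
    """Return the reasons a single log line looks suspicious (empty list = nothing flagged)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons: List[str] = []
    if sec == "F2" and "UserInit=" in body:
        # The standard value is userinit.exe alone; any extra entry also runs at every logon.
        value = body.split("UserInit=", 1)[1]
        entries = [e for e in value.split(",") if e.strip()]
        if len(entries) > 1:
            reasons.append("extra UserInit entry: " + ", ".join(entries[1:]))
    elif sec == "O2":
        name = body.split(" - ")[0].replace("BHO: ", "", 1)
        if name == "(no name)" or re.fullmatch(r"\{[0-9a-fA-F-]{36}\}", name):
            reasons.append("BHO without a readable name")
        if RANDOM_NAME_RE.search(body):
            reasons.append("random-looking 8-letter module name in system32")
    elif sec == "O4":
        key, _, cmd = body.partition("]")  # "HKLM\..\Run: [Name" | "]" | " command line"
        if "Policies\\Explorer\\Run" in key:
            reasons.append("autostart via Policies\\Explorer\\Run")
        if TEMP_RE.search(cmd):
            reasons.append("autostart from a Temp directory")
        if DRIVE_ROOT_EXE_RE.match(cmd):
            reasons.append("autostart from drive root")
        if re.search(r"rundll32(\.exe)?\s", cmd, re.IGNORECASE) and RANDOM_NAME_RE.search(cmd):
            reasons.append("rundll32 loading random-looking DLL")
    elif sec == "O16":
        if body.rstrip().endswith("-"):
            reasons.append("ActiveX (DPF) entry with no codebase URL")
    elif sec == "O20":
        if body.lower().endswith(".dat"):
            reasons.append("Winlogon Notify handler pointing at a .dat file")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print("    ->", reason)
```

The output is a worklist, not a verdict: a helper still confirms each flagged path (file present, signer, prevalence) before it goes into a fix, and benign entries such as the Acrobat BHO, the QuickTime Run key and the McAfee service pass through unflagged.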



#2 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,135 posts

Posted 03 June 2008 - 07:32 PM

Hi yourcoolbub, and Welcome to WhatTheTech

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


As I am still training, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.

Tomk
------------------------------------------------------------

Topics are closed after 5 days without response


#3 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,135 posts

Posted 03 June 2008 - 09:48 PM

yourcoolbub,


A. Please download ComboFix by sUBs from HERE or HERE directly to your Desktop.

Note: If you already have ComboFix on your machine, please DELETE it from your desktop before downloading the newest version.

B. Now we must disable some of your security programs so that they do not interfere with the running of our tools:

MCAFEE ANTIVIRUS
Please navigate to the system tray in the bottom right-hand corner and look for the McAfee icon.
  • right-click it -> choose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You have successfully disabled the McAfee Guard.


Go to Start -> Run -> copy/paste the following single line command in the run box & click OK

"%userprofile%\desktop\combofix.exe" /killall

  • DO NOT USE your computer for any other purpose while ComboFix is running.
  • ComboFix may restart your computer; this is normal.
  • When finished, it will produce a log, ComboFix.txt.
  • Please post ComboFix.txt in your next reply along with a new HijackThis log.


Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Tomk


#4 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,135 posts

Posted 08 June 2008 - 06:41 PM

yourcoolbub, How's it going? Are you having any trouble with the instructions?

Tomk


#5 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests: spyware

Posted 10 June 2008 - 10:19 PM

Due to inactivity, this topic will be closed. If you need help, please start a new thread and post a new HJT log.
