
Something disabling McAfee


3 replies to this topic

#1 dylanj

Posted 11 February 2005 - 04:37 PM

Folks,

I'm dealing with a Windows computer (Windows 2000, SP4) that has become infested with viruses and spyware. I've cleaned a lot of it with Spybot and Ad-Aware, but something's still disabling the antivirus (McAfee Enterprise). I've run McAfee over the LAN, and it found several viruses/trojans, but I still can't enable the virus scanner.

(Unfortunately, switching web browsers isn't an option for this computer.)

I've posted the HijackThis log below. Any immediately obvious problems that may be causing this? Thanks!

Logfile of HijackThis v1.99.0
Scan saved at 1:47:09 PM, on 2/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\cdosrv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: SDWin32 Class - {03BB0433-3B25-4E85-978B-AE006513C138} - C:\WINNT\system32\oerho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {0BC6A3E3-D8DB-D42F-AD38-C618D644035F} - C:\WINNT\system32\frmvxfey.dll
O2 - BHO: (no name) - {120421C0-F41F-4F96-A766-E685DB0172ED} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {2EE88283-CE25-54CD-B124-9C7C8CEE794C} - C:\WINNT\system32\uzzzktac.dll
O2 - BHO: (no name) - {2F9F3B1A-181C-4B57-B343-5233C42A7BF7} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {45FDD85E-E69F-41F2-8D59-2418ABFB991F} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DDFFF58-5121-FA5A-CD75-1F169112ABE2} - C:\WINNT\system32\ckztxtsd.dll
O2 - BHO: (no name) - {5F4A3411-8E75-4BFD-B973-C21BE8FB1900} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {6540B2BD-E61E-479F-A392-1427F23BB855} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: SDWin32 Class - {6736DCC1-A1C7-455B-8049-A5302669DA91} - C:\WINNT\system32\ngihx.dll
O2 - BHO: (no name) - {69987CFF-A878-4530-A768-B0C3C6088FFF} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {8284A618-ED1A-4886-8BFE-E0A8BE713A78} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {9C43CF65-0609-7039-A40C-235868112FDF} - C:\WINNT\system32\pilxjtsc.dll
O2 - BHO: (no name) - {ACAD513B-A633-4F54-9DDA-3D12D8830255} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {AE7E907D-292C-4524-B7C9-DEFD86B2D96D} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {B044A3B7-F204-41F7-9631-CC548529EF2D} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {B58F005F-6B8F-4570-9458-FBFBFFFB5080} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {B7F56E12-D24B-3917-A375-1F7C6723AB0C} - C:\WINNT\system32\bdcuxqgw.dll
O2 - BHO: (no name) - {B8FADB9B-F625-44C3-84F2-85FABED4DF04} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {B93D384D-1F00-4999-9DE9-25CC7B8DF049} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {C6E7432F-60C6-4993-8B92-127FFB6A2A0A} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {CD1D6229-5CA4-4404-8620-A4C3FF3CEB78} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {DC5F6439-B4A6-E9BB-F9CA-F597A3DB4E5E} - C:\WINNT\system32\mfjkysar.dll
O2 - BHO: (no name) - {E1CC9854-4203-45D3-92FA-978FCF254FCC} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {ED206A8D-A794-4060-826C-FACEA1583A0A} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {FA6ED3B2-2DF1-DE9C-73B4-80F52E97CB2E} - C:\WINNT\system32\loxmalez.dll
O2 - BHO: (no name) - {FF6935C0-832F-1510-A302-F71A35F12A2E} - C:\WINNT\system32\msmupttx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [*pcdos] C:\WINNT\system32\Macromed\pcdos.exe
O4 - HKLM\..\Run: [m3a33diu] C:\Program Files\m3a33diu\m3a33diu.exe
O4 - HKLM\..\Run: [ngihxc] C:\WINNT\system32\ngihxc.exe
O4 - HKLM\..\Run: [oerhoc] C:\WINNT\system32\oerhoc.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [4F9Q3tR] cmdsrv32.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [gnecabqv] C:\WINNT\system32\gnecabqv.exe
O4 - HKLM\..\Run: [mtxuaijg] C:\WINNT\system32\mtxuaijg.exe
O4 - HKLM\..\Run: [aqimeasq] C:\WINNT\system32\aqimeasq.exe
O4 - HKLM\..\Run: [npnspgpy] C:\WINNT\system32\npnspgpy.exe
O4 - HKLM\..\Run: [AutoLoader4sqa1ZMkNaXO] "C:\WINNT\system32\cmdsrv32.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [Loq4RjdmW] cdosrv.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {253B9A97-85A4-4F31-BC94-88D6E3FFEC52} (Audit Object) - http://factory/service/downloads/TrackitAudit.cab
O16 - DPF: {74FB8CE6-912D-46B6-9A87-869B83A71CA8} (BOSIActiveFormX Control) - http://factory/service/downloads/BOSIActiveXGrid.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {92A0A6CF-2A89-45A4-A3D0-CC13938EE146} (BOSIRichEditX Control) - http://factory/service/downloads/BOSIActiveXMemoControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Stellar.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BCC81BD-CBDE-458D-BD5E-2CA783700A04}: NameServer = 12.127.17.71,192.168.123.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Stellar.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{5BCC81BD-CBDE-458D-BD5E-2CA783700A04}: NameServer = 12.127.17.71,192.168.123.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Stellar.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{5BCC81BD-CBDE-458D-BD5E-2CA783700A04}: NameServer = 12.127.17.71,192.168.123.2
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#2 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:11:24 AM

Posted 12 February 2005 - 04:43 PM

Hi dylanj

We need you to fix the following entries please. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: SDWin32 Class - {03BB0433-3B25-4E85-978B-AE006513C138} - C:\WINNT\system32\oerho.dll
O2 - BHO: (no name) - {0BC6A3E3-D8DB-D42F-AD38-C618D644035F} - C:\WINNT\system32\frmvxfey.dll
O2 - BHO: (no name) - {120421C0-F41F-4F96-A766-E685DB0172ED} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {2EE88283-CE25-54CD-B124-9C7C8CEE794C} - C:\WINNT\system32\uzzzktac.dll
O2 - BHO: (no name) - {2F9F3B1A-181C-4B57-B343-5233C42A7BF7} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {45FDD85E-E69F-41F2-8D59-2418ABFB991F} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {5DDFFF58-5121-FA5A-CD75-1F169112ABE2} - C:\WINNT\system32\ckztxtsd.dll
O2 - BHO: (no name) - {5F4A3411-8E75-4BFD-B973-C21BE8FB1900} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {6540B2BD-E61E-479F-A392-1427F23BB855} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: SDWin32 Class - {6736DCC1-A1C7-455B-8049-A5302669DA91} - C:\WINNT\system32\ngihx.dll
O2 - BHO: (no name) - {69987CFF-A878-4530-A768-B0C3C6088FFF} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {8284A618-ED1A-4886-8BFE-E0A8BE713A78} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {9C43CF65-0609-7039-A40C-235868112FDF} - C:\WINNT\system32\pilxjtsc.dll
O2 - BHO: (no name) - {ACAD513B-A633-4F54-9DDA-3D12D8830255} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {AE7E907D-292C-4524-B7C9-DEFD86B2D96D} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {B044A3B7-F204-41F7-9631-CC548529EF2D} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {B58F005F-6B8F-4570-9458-FBFBFFFB5080} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {B7F56E12-D24B-3917-A375-1F7C6723AB0C} - C:\WINNT\system32\bdcuxqgw.dll
O2 - BHO: (no name) - {B8FADB9B-F625-44C3-84F2-85FABED4DF04} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {B93D384D-1F00-4999-9DE9-25CC7B8DF049} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {C6E7432F-60C6-4993-8B92-127FFB6A2A0A} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {CD1D6229-5CA4-4404-8620-A4C3FF3CEB78} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {DC5F6439-B4A6-E9BB-F9CA-F597A3DB4E5E} - C:\WINNT\system32\mfjkysar.dll
O2 - BHO: (no name) - {E1CC9854-4203-45D3-92FA-978FCF254FCC} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {ED206A8D-A794-4060-826C-FACEA1583A0A} - C:\Program Files\m3a33diu\m3a33diu.dll
O2 - BHO: (no name) - {FA6ED3B2-2DF1-DE9C-73B4-80F52E97CB2E} - C:\WINNT\system32\loxmalez.dll
O2 - BHO: (no name) - {FF6935C0-832F-1510-A302-F71A35F12A2E} - C:\WINNT\system32\msmupttx.dll
O4 - HKLM\..\Run: [*pcdos] C:\WINNT\system32\Macromed\pcdos.exe
O4 - HKLM\..\Run: [m3a33diu] C:\Program Files\m3a33diu\m3a33diu.exe
O4 - HKLM\..\Run: [ngihxc] C:\WINNT\system32\ngihxc.exe
O4 - HKLM\..\Run: [oerhoc] C:\WINNT\system32\oerhoc.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [4F9Q3tR] cmdsrv32.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [gnecabqv] C:\WINNT\system32\gnecabqv.exe
O4 - HKLM\..\Run: [mtxuaijg] C:\WINNT\system32\mtxuaijg.exe
O4 - HKLM\..\Run: [aqimeasq] C:\WINNT\system32\aqimeasq.exe
O4 - HKLM\..\Run: [npnspgpy] C:\WINNT\system32\npnspgpy.exe
O4 - HKLM\..\Run: [AutoLoader4sqa1ZMkNaXO] "C:\WINNT\system32\cmdsrv32.exe"
O4 - HKCU\..\Run: [Loq4RjdmW] cdosrv.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll


Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINNT\system32\Macromed\pcdos.exe <--Delete File
C:\Program Files\m3a33diu\m3a33diu.exe <--Delete File
C:\WINNT\system32\ngihxc.exe <--Delete File
C:\WINNT\system32\oerhoc.exe <--Delete File
C:\Program Files\hpdll\hpdll.exe <--Delete Folder
C:\WINNT\isrvs\desktop.exe <--Delete File
C:\WINNT\isrvs\ffisearch.exe <--Delete File
C:\WINNT\system32\gnecabqv.exe <--Delete File
C:\WINNT\system32\mtxuaijg.exe <--Delete File
C:\WINNT\system32\aqimeasq.exe <--Delete File
C:\WINNT\system32\npnspgpy.exe <--Delete File
C:\WINNT\system32\cmdsrv32.exe <--Delete File
C:\WINNT\system32\cdosrv.exe <--Delete File
C:\WINNT\system32\sysmonnt
C:\WINNT\isrvs\mfiltis.dll

Reboot your computer to go back to normal mode and post a new log.

#3 dylanj

Posted 14 February 2005 - 07:07 PM

Thanks! OK, a lot of the spyware's cleaned up; however, McAfee's still disabled. Here's the new scan:

Logfile of HijackThis v1.99.0
Scan saved at 4:07:34 PM, on 2/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\rjtluczu5.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\xaznxgop.exe
C:\WINNT\system32\iqkvqolj.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {0AF25F04-F55B-21B7-A7B6-BCEDB516AD5F} - C:\WINNT\system32\pdhbmeez.dll
O2 - BHO: (no name) - {0BC6A3E3-D8DB-D42F-AD38-C618D644035F} - (no file)
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINNT\system32\stlb2.dll
O2 - BHO: (no name) - {133685AF-5CAE-E648-74E7-318751B29E86} - C:\WINNT\system32\olvhrafk.dll
O2 - BHO: (no name) - {1895B42B-5B01-4E89-B287-9E130FDC6822} - C:\Program Files\m3a33diu\m3a33diu.dll (file missing)
O2 - BHO: (no name) - {2EE88283-CE25-54CD-B124-9C7C8CEE794C} - (no file)
O2 - BHO: (no name) - {317E84A2-0675-0E22-6524-078FED8B6B2A} - C:\WINNT\system32\beadsrio.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DDFFF58-5121-FA5A-CD75-1F169112ABE2} - (no file)
O2 - BHO: SDWin32 Class - {6736DCC1-A1C7-455B-8049-A5302669DA91} - C:\WINNT\system32\ngihx.dll
O2 - BHO: (no name) - {6BB24534-8E74-65D7-6CF5-241F273D5AFF} - C:\WINNT\system32\vgqspcds.dll
O2 - BHO: (no name) - {9227F49A-374D-4A47-0912-6842C3DE9089} - C:\WINNT\system32\pdhbmeez.dll
O2 - BHO: (no name) - {9C43CF65-0609-7039-A40C-235868112FDF} - (no file)
O2 - BHO: (no name) - {A59BCF52-899A-B5E1-E66A-D9BBE598DC03} - C:\WINNT\system32\xfdxtmhf.dll
O2 - BHO: (no name) - {B25F78E2-9150-AB9E-1E9B-DE0FC378B72A} - C:\WINNT\system32\mrodakzg.dll
O2 - BHO: (no name) - {B7F56E12-D24B-3917-A375-1F7C6723AB0C} - (no file)
O2 - BHO: (no name) - {DC5F6439-B4A6-E9BB-F9CA-F597A3DB4E5E} - (no file)
O2 - BHO: (no name) - {EC488201-0C75-7CA7-1910-95AB8253BA2C} - C:\WINNT\system32\pxtbdudk.dll
O2 - BHO: (no name) - {FA6ED3B2-2DF1-DE9C-73B4-80F52E97CB2E} - (no file)
O2 - BHO: (no name) - {FF6935C0-832F-1510-A302-F71A35F12A2E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINNT\system32\stlb2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [xaznxgop] C:\WINNT\system32\xaznxgop.exe
O4 - HKLM\..\Run: [iqkvqolj] C:\WINNT\system32\iqkvqolj.exe
O4 - HKCU\..\Run: [Loq4RjdmW] d0cmsd.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - https://java.sun.com/products/plugin/autodl...indows-i586.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Stellar.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BCC81BD-CBDE-458D-BD5E-2CA783700A04}: NameServer = 12.127.17.71,192.168.123.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Stellar.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{5BCC81BD-CBDE-458D-BD5E-2CA783700A04}: NameServer = 12.127.17.71,192.168.123.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Stellar.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{5BCC81BD-CBDE-458D-BD5E-2CA783700A04}: NameServer = 12.127.17.71,192.168.123.2
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ehdeusibwzcr - Unknown - C:\WINNT\system32\rjtluczu5.exe

#4 don77

Posted 20 February 2005 - 02:03 PM

Sorry, was away for a bit, dylanj.
We need you to fix the following entries please. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {0AF25F04-F55B-21B7-A7B6-BCEDB516AD5F} - C:\WINNT\system32\pdhbmeez.dll
O2 - BHO: (no name) - {0BC6A3E3-D8DB-D42F-AD38-C618D644035F} - (no file)
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINNT\system32\stlb2.dll
O2 - BHO: (no name) - {133685AF-5CAE-E648-74E7-318751B29E86} - C:\WINNT\system32\olvhrafk.dll
O2 - BHO: (no name) - {1895B42B-5B01-4E89-B287-9E130FDC6822} - C:\Program Files\m3a33diu\m3a33diu.dll (file missing)
O2 - BHO: (no name) - {2EE88283-CE25-54CD-B124-9C7C8CEE794C} - (no file)
O2 - BHO: (no name) - {317E84A2-0675-0E22-6524-078FED8B6B2A} - C:\WINNT\system32\beadsrio.dll
O2 - BHO: (no name) - {5DDFFF58-5121-FA5A-CD75-1F169112ABE2} - (no file)
O2 - BHO: SDWin32 Class - {6736DCC1-A1C7-455B-8049-A5302669DA91} - C:\WINNT\system32\ngihx.dll
O2 - BHO: (no name) - {6BB24534-8E74-65D7-6CF5-241F273D5AFF} - C:\WINNT\system32\vgqspcds.dll
O2 - BHO: (no name) - {9227F49A-374D-4A47-0912-6842C3DE9089} - C:\WINNT\system32\pdhbmeez.dll
O2 - BHO: (no name) - {9C43CF65-0609-7039-A40C-235868112FDF} - (no file)
O2 - BHO: (no name) - {A59BCF52-899A-B5E1-E66A-D9BBE598DC03} - C:\WINNT\system32\xfdxtmhf.dll
O2 - BHO: (no name) - {B25F78E2-9150-AB9E-1E9B-DE0FC378B72A} - C:\WINNT\system32\mrodakzg.dll
O2 - BHO: (no name) - {B7F56E12-D24B-3917-A375-1F7C6723AB0C} - (no file)
O2 - BHO: (no name) - {DC5F6439-B4A6-E9BB-F9CA-F597A3DB4E5E} - (no file)
O2 - BHO: (no name) - {EC488201-0C75-7CA7-1910-95AB8253BA2C} - C:\WINNT\system32\pxtbdudk.dll
O2 - BHO: (no name) - {FA6ED3B2-2DF1-DE9C-73B4-80F52E97CB2E} - (no file)
O2 - BHO: (no name) - {FF6935C0-832F-1510-A302-F71A35F12A2E} - (no file)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINNT\system32\stlb2.dll
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [xaznxgop] C:\WINNT\system32\xaznxgop.exe
O4 - HKLM\..\Run: [iqkvqolj] C:\WINNT\system32\iqkvqolj.exe
O4 - HKCU\..\Run: [Loq4RjdmW] d0cmsd.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: ehdeusibwzcr - Unknown - C:\WINNT\system32\rjtluczu5.exe


Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\PROGRA~1\VBouncer\VirtualBouncer.exe <-- Delete Folder
C:\WINNT\isrvs\desktop.exe <-- Delete File
C:\WINNT\isrvs\ffisearch.exe <-- Delete File
C:\Program Files\AutoUpdate\AutoUpdate.exe <-- Delete Folder
stlb2.dll
C:\WINNT\system32\xaznxgop.exe <-- Delete File
C:\WINNT\system32\iqkvqolj.exe <-- Delete File
d0cmsd.exe <-- Delete File
C:\WINNT\isrvs\mfiltis.dll
C:\WINNT\system32\rjtluczu5.exe <-- Delete File


Reboot your computer to go back to normal mode and post a new log.