Hijackthis Log File


3 replies to this topic

#1 Ragnarok


  • Members
  • 34 posts
  • OFFLINE
  • Local time:04:29 PM

Posted 19 April 2005 - 08:31 AM

Greetings,

One of my end users is having a ton of pop-up problems and icons on the desktop advertising sex, porn, etc... Here is the HJT log file. Can anyone help me?

Logfile of HijackThis v1.99.1
Scan saved at 8:27:34 AM, on 4/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\ms04627383355.exe
C:\WINDOWS\IEXPLOR.EXE
C:\WINDOWS\THDDDLL.EXE
C:\WINDOWS\THDDENC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\iimmpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\rmoz\rmozm.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\rmoz\rmoza.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {41C8CF1D-08DA-7120-D38C-5540309CFA9C} - C:\WINDOWS\System32\cpcxbeps.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nse18.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [ms04627383355] C:\WINDOWS\ms04627383355.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitemav32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [THDDDLL] C:\WINDOWS\THDDDLL.EXE
O4 - HKLM\..\Run: [THDDENC] C:\WINDOWS\THDDENC.EXE
O4 - HKLM\..\Run: [rismso] c:\windows\system32\rismso.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iimmpr.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [rmoz] C:\PROGRA~1\COMMON~1\rmoz\rmozm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...468/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eislogan.com
O17 - HKLM\Software\..\Telephony: DomainName = eislogan.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eislogan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eislogan.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe


#2 didom


  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:29 PM

Posted 20 April 2005 - 12:26 PM

  • Start--> Control Panel--> Add or Remove Programs--> Uninstall (if found) any instances of:
    iSearch

  • Please run full scans with Ad-Aware SE and Spybot-S&D as follows:
    (If you already have Ad-Aware SE 1.05 and Spybot 1.3 installed, you can skip the installation steps. If you don't, please uninstall your old versions and install the new ones from the links below.)

    Full Ad-Aware Scan
    Please download Ad-Aware SE from here:
    http://www.majorgeeks.com/download506.html
    Install Ad-Aware and run it. In the bottom-right hand corner, click "Check for updates now". Click "Connect" to download the newest reference file.

    Now we will configure Ad-Aware to perform a full scan. In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
    1) Automatically save log-file
    2) Automatically quarantine objects prior to removal
    3) Safe Mode (always request confirmation)

    Click the "Scanning" button on the left-hand side and make sure the following options are selected:
    1) Scan within archives
    2) Scan active processes
    3) Scan registry
    4) Deep scan registry
    5) Scan my IE Favorites for banned URLs
    6) Scan my Hosts file

    Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
    1) Unload recognized processes & modules during scanning
    2) Obtain command line of scanned processes
    3) Scan registry for all users instead of current user only

    Click on "Cleaning Engine" and make sure the following options are selected:
    1) Always try to unload modules before deletion
    2) During removal, unload Explorer and IE if necessary
    3) Let Windows remove files in use at next reboot
    4) Delete quarantined objects after restoring

    Finally, click on "Safety Settings" and make sure the following options are selected:
    1) Automatically select problematic objects in results lists
    2) Write-protect system files after repair (Hosts file, etc)

    Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom right side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects. Then please restart your computer.

  • Spybot Full Scan
    Next, please download Spybot-S&D from here:
    http://shinobiresources.com/Downloads/spybot/spybotsd13.exe
    Install Spybot-S&D and run it. Select "Search for updates" and then select all available updates. Click on the drop-down box in the top center to choose a download location nearest to you. Then click "Download updates". When all updates have downloaded, close Spybot-S&D, and then run it again. Click on "Check for problems". When the scan has finished, select any entries listed in red and click "Fix selected problems". Then please restart your computer again.

  • Download this tool: http://users.pandora.be/bluepatchy/LQfix.zip
    Unzip it to your Desktop.
    Don't use it yet!

    Reboot your computer into safe mode (Instructions)

    Double-click LQfix.bat that you saved on your desktop before.
    A DOS window will open and close again; this is normal.

  • Download Silent Runners
    Unzip it to a permanent folder.
    Start SilentRunners.vbs
    When your antivirus is giving an alert, do not block this. Allow the script.

  • Copy and paste the content of the text file you get afterwards in your next reply, together with a new HijackThis log.


#3 Ragnarok

  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:04:29 PM

Posted 22 April 2005 - 12:50 PM

OK, I have taken the steps you provided. Here are the new log files you requested. The Silent Runners log is first, followed by the HJT log.

Thanks for all your help so far!


"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"rmoz" = "C:\PROGRA~1\COMMON~1\rmoz\rmozm.exe" [empty string]
"Z0p7RTdpU" = "ws2ay32.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Desktop Search" = "C:\WINDOWS\isrvs\desktop.exe" [empty string]
"ffis" = "C:\WINDOWS\isrvs\ffisearch.exe" [null data]
"sunasDTServ" = "C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe" ["Sunbelt Software Inc."]
"Default" = (no data)
"sunasServ" = "C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe" ["Sunbelt Software Inc."]
"SystemCheck" = "C:\WINDOWS\SysCheckBop32" ["nBrowser"]
"ms04627383355" = "C:\WINDOWS\ms04627383355.exe" ["EnBrowser"]
"C:\WINDOWS\IEXPLOR.EXE" = "C:\WINDOWS\IEXPLOR.EXE" ["Atix"]
"AtxBrw" = "C:\WINDOWS\IEXPLOR.exe" ["Atix"]
"THDDDLL" = "C:\WINDOWS\THDDDLL.EXE" ["UpdateMonitor"]
"THDDENC" = "C:\WINDOWS\THDDENC.EXE" ["System Service"]
"rismso" = "c:\windows\system32\rismso.exe" ["TODO: <Company name>"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"KavSvc" = "C:\WINDOWS\System32\iimmpr.exe" [null data]
"farmmext" = "C:\WINDOWS\farmmext.exe" ["FarmMext"]
"PSoft1" = "C:\WINDOWS\System32\psoft1.exe" [null data]
"exp.exe" = "C:\WINDOWS\System32\exp.exe" [null data]
"WinTask driver" = "C:\WINDOWS\System32\wintask.exe" [null data]
"BullsEye Network" = "C:\Program Files\BullsEye Network\bin\bargains.exe" ["eXact Advertising"]
"NaviSearch" = "C:\Program Files\NaviSearch\bin\nls.exe" ["eXact Advertising"]
"CashBack" = "C:\Program Files\CashBack\bin\cashback.exe" ["eXact Advertising"]
"VBouncer" = "C:\PROGRA~1\VBouncer\VirtualBouncer.exe" ["Spyware Labs"]
"WinTools" = "C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe" [null data]
"TBPS" = "C:\PROGRA~1\Toolbar\TBPS.exe" [null data]
"version" = "C:\WINDOWS\System32\Fvdmwb.exe" [empty string]
"secure" = "C:\WINDOWS\System32\Jhgmry.exe" [empty string]
"cqgfbnu" = "C:\WINDOWS\System32\lwfv\cqgfbnu.exe" [null data]
"kmubcocd" = "C:\WINDOWS\System32\hljch\kmubcocd.exe" [null data]
"scndi" = "C:\WINDOWS\System32\gptdfb\scndi.exe" [null data]
"kvlexabr" = "C:\WINDOWS\System32\bwhrvip\kvlexabr.exe" [null data]
"qhlhfapb" = "C:\WINDOWS\System32\pjmfaogu\qhlhfapb.exe" [null data]
"Win Server Updt" = "C:\WINDOWS\wupdt.exe" [null data]
"o36X33R" = "boofd.exe" [null data]
"AutoUpdater" = ""C:\Program Files\AutoUpdate\AutoUpdate.exe"" [null data]
"cfgmgr51" = "RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
88ef1bd4-19bb-460b-b49e-00a3891d5e64\(Default) = (no title provided)
\StubPath = "C:\WINDOWS\System32\ddrrncm.exe" [null data]
HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:49:28 PM, on 4/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hljch\kmubcocd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\gptdfb\scndi.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\ms04627383355.exe
C:\WINDOWS\IEXPLOR.EXE
C:\WINDOWS\THDDDLL.EXE
C:\WINDOWS\THDDENC.EXE
C:\windows\system32\rismso.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\iimmpr.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\windows\system32\calc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\userinit.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\System32\Jhgmry.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Toolbar\PIB.exe
C:\WINDOWS\System32\lwfv\cqgfbnu.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\bwhrvip\kvlexabr.exe
C:\WINDOWS\System32\pjmfaogu\qhlhfapb.exe
C:\WINDOWS\System32\boofd.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\rmoz\rmozm.exe
C:\PROGRA~1\COMMON~1\rmoz\rmoza.exe
C:\WINDOWS\System32\ws2ay32.exe
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\PROGRA~1\Toolbar\TBPS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50221
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50221
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50221
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [ms04627383355] C:\WINDOWS\ms04627383355.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [THDDDLL] C:\WINDOWS\THDDDLL.EXE
O4 - HKLM\..\Run: [THDDENC] C:\WINDOWS\THDDENC.EXE
O4 - HKLM\..\Run: [rismso] c:\windows\system32\rismso.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\iimmpr.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\System32\psoft1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Fvdmwb.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Jhgmry.exe
O4 - HKLM\..\Run: [cqgfbnu] C:\WINDOWS\System32\lwfv\cqgfbnu.exe
O4 - HKLM\..\Run: [kmubcocd] C:\WINDOWS\System32\hljch\kmubcocd.exe
O4 - HKLM\..\Run: [scndi] C:\WINDOWS\System32\gptdfb\scndi.exe
O4 - HKLM\..\Run: [kvlexabr] C:\WINDOWS\System32\bwhrvip\kvlexabr.exe
O4 - HKLM\..\Run: [qhlhfapb] C:\WINDOWS\System32\pjmfaogu\qhlhfapb.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [o36X33R] boofd.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [rmoz] C:\PROGRA~1\COMMON~1\rmoz\rmozm.exe
O4 - HKCU\..\Run: [Z0p7RTdpU] ws2ay32.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...468/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eislogan.com
O17 - HKLM\Software\..\Telephony: DomainName = eislogan.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eislogan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eislogan.com
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: kmubcocdhljch - Unknown owner - C:\WINDOWS\System32\hljch\kmubcocd.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: scndigptdfb - Unknown owner - C:\WINDOWS\System32\gptdfb\scndi.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
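As an added example (not code from this thread, from HijackThis or from BleepingComputer), a small Python helper that parses the HJT log format shown above, diffs the 19 April and 22 April scans so the new autoruns and processes stand out, and flags the entry types a log reviewer checks first (orphaned registrations, unnamed BHOs, autoruns by bare file name, Trusted Zone additions, text/html filters). The sample logs are constructed excerpts of the two logs posted in this thread; the flagging rules are the author's own heuristics, not part of HijackThis.

```python
import re
# Constructed excerpts of the two HijackThis logs posted above (19 and 22 April); paths are from the thread.
OLD_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\isrvs\desktop.exe

O2 - BHO: (no name) - {41C8CF1D-08DA-7120-D38C-5540309CFA9C} - C:\WINDOWS\System32\cpcxbeps.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
"""
NEW_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\ws2ay32.exe

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKCU\..\Run: [Z0p7RTdpU] ws2ay32.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""

ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<body>.+)$")   # e.g. "O4 - HKLM\..\Run: [x] y"
O4_CMD_RE = re.compile(r"\[[^\]]*\]\s*(?P<cmd>.*)$")              # the command after the [name]

def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(type, body), ...])."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
        elif (m := ENTRY_RE.match(line)):
            in_procs = False                      # first typed entry ends the process list
            entries.append((m["type"], m["body"]))
        elif in_procs:
            procs.append(line)
    return procs, entries

def diff_logs(old, new):
    """What appeared or disappeared between two scans of the same machine."""
    old_procs, old_entries = parse_hjt(old)
    new_procs, new_entries = parse_hjt(new)
    old_p = {p.lower() for p in old_procs}        # Windows paths are case-insensitive
    old_e = {(t, b.lower()) for t, b in old_entries}
    new_e = {(t, b.lower()) for t, b in new_entries}
    return {
        "new_processes": [p for p in new_procs if p.lower() not in old_p],
        "new_entries": [f"{t} - {b}" for t, b in new_entries if (t, b.lower()) not in old_e],
        "removed_entries": [f"{t} - {b}" for t, b in old_entries if (t, b.lower()) not in new_e],
    }

def review_entries(entries):
    """Flag the entry patterns a log reviewer checks first, each with its reason (author's heuristics)."""
    findings = []
    for etype, body in entries:
        line, reason = f"{etype} - {body}", None
        if "(file missing)" in body or "(no file)" in body:
            reason = "registration whose file is gone: orphaned, safe to remove"
        elif etype in ("O2", "O3") and "(no name)" in body:
            reason = "unnamed BHO/toolbar: identify the CLSID and DLL before trusting it"
        elif etype == "O4":
            m = O4_CMD_RE.search(body)
            if m and "\\" not in m["cmd"].strip('"'):
                reason = "autorun by bare file name, resolved through PATH: locate the file"
        elif etype == "O15":
            reason = "host added to the IE Trusted Zone: relaxed security for that site"
        elif etype == "O18" and body.startswith("Filter: text/html"):
            reason = "MIME filter on text/html: sees and can rewrite every page IE renders"
        if reason:
            findings.append((line, reason))
    return findings
```

Run `diff_logs(OLD_LOG, NEW_LOG)` to see the autoruns and processes that were not in the first scan, and `review_entries(parse_hjt(NEW_LOG)[1])` for the flagged lines with reasons.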

#4 didom


  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:29 PM

Posted 23 April 2005 - 07:12 AM

This log is a mess!
  • First we have to set up protection against further attacks.
    You don't already have them, but you need an antivirus that is updated, and a good firewall

    Firewall: Antivirus:
  • You need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

    This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts.
    You are running Windows XP, so get updated to SP-1. After you are clean we'll install SP-2, but we have to wait until you are clean!

  • Please run the Housecall online virus scan located at:
    http://housecall.trendmicro.com/housecall/start_corp.asp
    Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system.
    When the scan is finished, please restart your computer.

    Then please run the Panda scan here:
    http://www.pandasoftware.com/products/acti...n_principal.htm
    Choose to "Disinfect automatically," and follow the prompts. Delete any viruses found, and restart your computer.

    Finally, please run the WindowSecurity trojan scan here:
    http://www.windowsecurity.com/trojanscan/
    Remove any trojans found, and restart your computer.

  • Please run Ad-aware and Spybot S&D again in safe mode

  • After you've installed/updated/run an antivirus + firewall + Service Pack 1 and you have run Ad-aware and Spybot in safe mode,
    Please reboot and post a new HJT log!




