HijackThis Log: Please help Diagnose


  • This topic is locked
2 replies to this topic

#1 jiggaman

  • Members
  • 2 posts

Posted 11 May 2005 - 09:12 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:40:29 PM, on 5/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\ethernet.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\SCardClnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\msupdate.exe
C:\WINDOWS\System32\ctfmon.exe
C:\KMaestro\KMaestro.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\vanpnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\KMaestro\WTS_KEY.EXE
c:\windows\system32\rkwggm.exe
C:\WINDOWS\system\cfsclitrvs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\mcdqueen.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Underground Guest\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ietbhqioogiyjsbyhwgtcyy.info/wW6TMm...YtDsVx0lek.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/search.php?aff=7
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKLM\..\Run: [sysme] C:\WINDOWS\System32\sysme.exe
O4 - HKLM\..\Run: [gram drive meet once] C:\Documents and Settings\All Users\Application Data\64 log gram drive\AdminThird.exe
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [rundl.exe] C:\WINDOWS\System32\rundl.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [eTunnel] C:\sss.exe
O4 - HKLM\..\Run: [msfirewallz] C:\WINDOWS\System32\kernel32.dlI
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteybj32.exe
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\System32\psoft1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [G3] C:\WINDOWS\System32\GSMedia3.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vanpnp.exe
O4 - HKLM\..\Run: [innlsw] C:\WINDOWS\System32\innlsw.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [The Ethernet] ethernet.exe
O4 - HKLM\..\Run: [qnyblj] c:\windows\system32\rkwggm.exe
O4 - HKLM\..\RunServices: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKLM\..\RunServices: [nowupdate.exe] C:\WINDOWS\System32\nowupdate.exe
O4 - HKLM\..\RunServices: [rundl.exe] C:\WINDOWS\System32\rundl.exe
O4 - HKLM\..\RunServices: [Generic Host Process326a System Backup] scvhost326a.exe
O4 - HKLM\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\RunServices: [System Services] wkssvcd.exe
O4 - HKLM\..\RunServices: [The Ethernet] ethernet.exe
O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\Underground Guest\Application Data\Microsoft\sr64\djhonejg.exe
O4 - HKCU\..\Run: [SlowDrv] C:\DOCUME~1\UNDERG~2\APPLIC~1\LESSRE~1\htm admin.exe
O4 - HKCU\..\Run: [ircf2] C:\WINDOWS\System32\RJ63JNMY.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [The Ethernet] ethernet.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [f0p3RiYtW] mcdqueen.exe
O4 - HKCU\..\RunServices: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKCU\..\RunServices: [nowupdate.exe] C:\WINDOWS\System32\nowupdate.exe
O4 - HKCU\..\RunServices: [rundl.exe] C:\WINDOWS\System32\rundl.exe
O4 - HKCU\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\RunServices: [System Services] wkssvcd.exe
O4 - HKCU\..\RunServices: [The Ethernet] ethernet.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.206/Java/cfs31229.cab
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkinson.yorku.ca/qp2.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...Bridge-c139.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0025.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0027.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/mamm...l_mamma1003.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/joysaver.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/website.ocx
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50252/QDow_AS2.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0027.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...482/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7898C49-C857-4DE1-B62C-2768C9D03679}: NameServer = 206.47.244.56 206.47.244.138
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\gpn2l35o1.dll
O21 - SSODL: System - {0DE706AC-7D34-454E-A321-61FAC4115232} - ssvmc.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Ethernet Service (EthernetService) - Unknown owner - C:\WINDOWS\SYSTEM32\ethernet.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: repls - Unknown owner - C:\WINDOWS\System32\repls.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)


#2 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 May 2005 - 08:47 AM

Hi,

What a collection you have in here. Please stop visiting illegal sites. We need to perform this in several steps because we can't deal with it all at once, and most of them need special treatment.

I strongly suggest you print out the next instructions or save them in Notepad, because you have a lot of steps to take and it is really, really important that you don't miss any and perform everything in the right order!!

* Download and install CCleaner
Do not use it yet.

* Download LQfix.zip
Unzip it and save it to your desktop, don't use it yet!!

* Please set your system to show all files; please see here if you're unsure how to do this.

* HijackThis is still in your temp folder, so I strongly advise you to create a permanent folder and move hijackthis.exe into it. The reason is that HijackThis creates backups, and when it's in your temp folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

Please download LSPfix and save it to the Desktop and unzip it.
Run LSPfix and place a check against the I know what I am doing checkbox.

Highlight every instance of the following name and move it from the Keep to the Remove panel. Be sure to move nothing other than the file listed below!

aklsp.dll

When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!

Download CWShredder. Start CWShredder and click FIX.

* Please download ewido:
http://www.ewido.net/en/download/
Let it update, but don't let it scan yet!!

* Reboot into Safe Mode:
° To get into Safe Mode as the computer is booting, press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ietbhqioogiyjsbyhwgtcyy.info/wW6TMm...YtDsVx0lek.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/search.php?aff=7
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKLM\..\Run: [sysme] C:\WINDOWS\System32\sysme.exe
O4 - HKLM\..\Run: [gram drive meet once] C:\Documents and Settings\All Users\Application Data\64 log gram drive\AdminThird.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [rundl.exe] C:\WINDOWS\System32\rundl.exe
O4 - HKLM\..\Run: [eTunnel] C:\sss.exe
O4 - HKLM\..\Run: [msfirewallz] C:\WINDOWS\System32\kernel32.dlI
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteybj32.exe
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\System32\psoft1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [G3] C:\WINDOWS\System32\GSMedia3.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vanpnp.exe
O4 - HKLM\..\Run: [innlsw] C:\WINDOWS\System32\innlsw.exe
O4 - HKLM\..\Run: [The Ethernet] ethernet.exe
O4 - HKLM\..\Run: [qnyblj] c:\windows\system32\rkwggm.exe
O4 - HKLM\..\RunServices: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKLM\..\RunServices: [nowupdate.exe] C:\WINDOWS\System32\nowupdate.exe
O4 - HKLM\..\RunServices: [rundl.exe] C:\WINDOWS\System32\rundl.exe
O4 - HKLM\..\RunServices: [Generic Host Process326a System Backup] scvhost326a.exe
O4 - HKLM\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\RunServices: [System Services] wkssvcd.exe
O4 - HKLM\..\RunServices: [The Ethernet] ethernet.exe
O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\Underground Guest\Application Data\Microsoft\sr64\djhonejg.exe
O4 - HKCU\..\Run: [SlowDrv] C:\DOCUME~1\UNDERG~2\APPLIC~1\LESSRE~1\htm admin.exe
O4 - HKCU\..\Run: [ircf2] C:\WINDOWS\System32\RJ63JNMY.exe
O4 - HKCU\..\Run: [The Ethernet] ethernet.exe
O4 - HKCU\..\Run: [f0p3RiYtW] mcdqueen.exe
O4 - HKCU\..\RunServices: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKCU\..\RunServices: [nowupdate.exe] C:\WINDOWS\System32\nowupdate.exe
O4 - HKCU\..\RunServices: [rundl.exe] C:\WINDOWS\System32\rundl.exe
O4 - HKCU\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\RunServices: [System Services] wkssvcd.exe
O4 - HKCU\..\RunServices: [The Ethernet] ethernet.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://64.55.105.206/Java/cfs31229.cab
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...Bridge-c139.cab
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0025.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0027.exe
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/mamm...l_mamma1003.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/joysaver.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/website.ocx
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50252/QDow_AS2.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0027.exe
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7898C49-C857-4DE1-B62C-2768C9D03679}: NameServer = 206.47.244.56 206.47.244.138
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\gpn2l35o1.dll
O21 - SSODL: System - {0DE706AC-7D34-454E-A321-61FAC4115232} - ssvmc.dll (file missing)
O23 - Service: Ethernet Service (EthernetService) - Unknown owner - C:\WINDOWS\SYSTEM32\ethernet.exe
O23 - Service: repls - Unknown owner - C:\WINDOWS\System32\repls.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.

* Double-click LQfix.bat that you saved on your desktop before.
A DOS window will open and close again; this is normal.


* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\ethernet.exe
C:\WINDOWS\System32\SCardClnt.exe
C:\WINDOWS\system32\msupdate.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\vanpnp.exe
c:\windows\system32\rkwggm.exe
C:\WINDOWS\system\cfsclitrvs.exe
C:\WINDOWS\System32\mcdqueen.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\System32\DrPmon.dll
C:\PROGRAM FILES\YOURSITEBAR <== folder
C:\WINDOWS\System32\winupdate.exe
C:\WINDOWS\System32\sysme.exe
C:\Documents and Settings\All Users\Application Data\64 log gram drive <== folder
C:\WINDOWS\Downloaded Program Files\bridge.dll
C:\WINDOWS\System32\rundl.exe <== watch the spelling!!!!
C:\sss.exe
C:\WINDOWS\System32\canada.exe
C:\WINDOWS\System32\psoft1.exe
C:\WINDOWS\System32\GSMedia3.exe
C:\WINDOWS\System32\innlsw.exe
C:\WINDOWS\System32\nowupdate.exe
C:\Documents and Settings\Underground Guest\Application Data\Microsoft\sr64 <== folder
C:\DOCUMENTS AND SETTINGS\Underground Guest\APPLICATION DATA\LESSRE.. <== folder (starts with these letters)
C:\WINDOWS\System32\RJ63JNMY.exe
C:\Program Files\Ebates_MoeMoneyMaker <== folder
C:\WINDOWS\System32\repls.exe
C:\WINDOWS\svcproc.exe

* Go to start > run and type: sc delete SvcProc

* Run CCleaner and click Run Cleaner (bottom right).

* Still in Safe Mode, perform a full scan with ewido and let it delete everything it finds!
When done, you'll get the option to make a log and save it.
So save it because I'll need it later.

* Reboot your system back to normal mode.

* Perform an online scan with Kaspersky OnLine and/or Bitdefender (select autoclean here) and let it delete everything it finds.

When done, post back a fresh HijackThis log plus the log from ewido and I'll take another look.

If you had any problems with deleting files or noticed any other problems during your fix, let me also know in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
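The helper's reply above sorts the log in post #1 into entries to keep and entries to fix by eye. As an added example (not code from the thread, from HijackThis, or from BleepingComputer), the Python script below applies a handful of the same defender-side checks to lines in the shape of that log: autostart entries under RunServices (a Windows 9x key that NT kernels such as XP never execute), bare image names resolved through the search path, file names spelled to imitate a system binary (the `kernel32.dlI` entry, capital I for lowercase l), a browser proxy pointing at 127.0.0.1, an extra program appended to `Shell=` in system.ini, an unknown Winsock LSP, a wildcard Trusted Zone, and services with no owner or a missing file. The rule names, the small allow-list of Windows binaries and `SAMPLE_LOG` are constructed for illustration; the sample lines copy the format of entries in the log. Note that the lookalike check only catches glyph substitutions, so a typosquat such as `scvhost326a.exe` surfaces through the RunServices and bare-name rules instead.

```python
"""Defender-side triage of HijackThis v1.99-style log lines.

Added example for this thread, not code from HijackThis or BleepingComputer.
Rule names, KNOWN_BINARIES and SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumption: a tiny allow-list of Windows images that malware imitates by
# spelling; a real tool would carry a much larger catalogue.
KNOWN_BINARIES = {"svchost.exe", "kernel32.dll", "rundll32.exe", "winlogon.exe",
                  "lsass.exe", "explorer.exe", "services.exe", "smss.exe"}

# Glyphs that look alike in common UI fonts, folded BEFORE lowercasing so that a
# capital I becomes l (as in kernel32.dlI) rather than i.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
R_RE = re.compile(r"^R[0-3] - (.*?),(.*?) = (.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")

Finding = Tuple[str, str]  # (rule name, offending log line)


def normalize(name: str) -> str:
    """Fold confusable glyphs so kernel32.dlI compares equal to kernel32.dll."""
    return name.translate(CONFUSABLES).lower()


def command_image(command: str) -> str:
    """Executable image of an autostart command: quoted path, else first token.
    An unquoted path with spaces is cut at the first space, which is the same
    ambiguity Windows has to resolve for such entries."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def detect_nt(lines: List[str]) -> bool:
    """True when the log header names an NT-family platform (e.g. WinNT 5.01)."""
    return any(l.startswith("Platform:") and "WinNT" in l for l in lines)


def triage(lines: List[str], nt: Optional[bool] = None) -> List[Finding]:
    """Run the heuristics over raw log lines; returns (rule, line) pairs."""
    if nt is None:
        nt = detect_nt(lines)
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        m = O4_RE.match(line)
        if m:
            _hive, key, _name, command = m.groups()
            image = command_image(command)
            base = image.rsplit("\\", 1)[-1]
            lowered = base.lower()
            # RunServices/RunServicesOnce are Windows 9x/ME keys; NT kernels never
            # run them, so on XP only software writing to every autostart key it
            # knows (typically malware) leaves entries there.
            if nt and key.startswith("RunServices"):
                findings.append(("runservices-on-nt", line))
            # A bare file name is resolved via the search path; legitimate
            # installers almost always write a full path.
            if "\\" not in image and lowered not in KNOWN_BINARIES:
                findings.append(("bare-image-name", line))
            # Spelled to look like a system binary once confusables are folded.
            if lowered not in KNOWN_BINARIES and normalize(base) in KNOWN_BINARIES:
                findings.append(("homoglyph-filename", line))
            continue
        m = O23_RE.match(line)
        if m:
            _svc, owner, path = m.groups()
            if owner == "Unknown owner":  # no company name in the version resource
                findings.append(("service-unknown-owner", line))
            if path.endswith("(file missing)"):
                findings.append(("service-file-missing", line))
            continue
        m = R_RE.match(line)
        if m and m.group(2) == "ProxyServer" and re.search(r"127\.0\.0\.1|localhost", m.group(3)):
            # Browser traffic forced through a local listener (interception, ad injection).
            findings.append(("loopback-proxy", line))
            continue
        m = F2_RE.match(line)
        if m and m.group(1).strip().lower() != "explorer.exe":
            findings.append(("shell-hijack", line))  # extra program started with the shell
            continue
        if line.startswith("O10 - Unknown file in Winsock LSP:"):
            findings.append(("winsock-lsp-unknown", line))
        elif line.startswith("O15 - Trusted Zone: *."):
            findings.append(("trusted-zone-wildcard", line))
    return findings


def rule_counts(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(rule for rule, _ in findings))


# Constructed sample: a header line plus entries copying the format of the log in post #1.
SAMPLE_LOG = [
    "Platform: Windows XP (WinNT 5.01.2600)",
    r"O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\Run: [msfirewallz] C:\WINDOWS\System32\kernel32.dlI",
    r"O4 - HKLM\..\Run: [The Ethernet] ethernet.exe",
    r"O4 - HKLM\..\RunServices: [Generic Host Process326a System Backup] scvhost326a.exe",
    r"O4 - HKCU\..\Run: [f0p3RiYtW] mcdqueen.exe",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711",
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll",
    r"O15 - Trusted Zone: *.media-motor.net",
    r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe",
    r"O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe",
    r"O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)",
]

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:24} {line}")
```

The three benign entries in the sample (KeyMaestro, ccApp, KernelFaultCheck, and the Symantec service) produce no findings, which is the point of the allow-list and full-path checks: the rules single out the entries the helper told the poster to fix without tripping on the ones she left alone.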

#3 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 May 2005 - 09:40 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
