HJT Log - My computer is, once again, acting horribly.


  • This topic is locked
6 replies to this topic

#1 Orodalf


  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:45 PM

Posted 21 February 2009 - 02:43 PM

I originally saw msas2009, which I recognized as Rogue Software. I got rid of it via HJT. Then, I started seeing reader_s, CcEvt, and some others.

This is getting ridiculous; I just did a Repair Install a week ago, and my computer was working fine.

Please help.

Oh, also: I continually run MBAM, trying to get rid of this crap. However, after it does so, the crap somehow reinstalls itself. Now, MBAM won't start. Help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:07 PM, on 2/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...age=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.searchenhancement.com/nph-en...sm&sstring=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\TEMP\init.exe,
O2 - BHO: C:\WINDOWS\system32\eawdh3hbg87dkjn.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\eawdh3hbg87dkjn.dll
O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Isikurogehud] rundll32.exe "C:\WINDOWS\Exuhocozi.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [yxfmr15af3lqw4ioykuw2izy4qgm7e3cel2zc4z3] C:\WINDOWS\TEMP\c9o7dyy.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [cfl2ac9lqql] C:\WINDOWS\TEMP\vq9c5lx.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [b7rk3jas0z9h35ucxyzmfaxfkeeyt59] C:\WINDOWS\TEMP\nmmdcqqqoc2bo.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [b9pkzzu1grdtstjkb5e1pqlulblm9anvpmrz0usos90bg4fexc] C:\WINDOWS\TEMP\hvauayhfvjt7.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [cf3swrh8ll4j7920j5f4476e325] C:\WINDOWS\TEMP\hvzukfjeq5.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [zzjtzgwh.exe] C:\WINDOWS\zzjtzgwh.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tjbqdggg.exe] C:\WINDOWS\tjbqdggg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [dbxnxcqd.exe] C:\WINDOWS\dbxnxcqd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [bndikqcd.exe] C:\WINDOWS\bndikqcd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [phnzjvcy.exe] C:\WINDOWS\phnzjvcy.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [y6wy849lq99qzohstmvxqcpzi0dvd7uk] C:\WINDOWS\TEMP\l26y1lrw44ak.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [y7ar4mbm9qya0fxx968muq97h4n3aow8uro60t700] C:\WINDOWS\TEMP\fuawqlrf9oppc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [wj4iqcq3h3t6vy51s7ebm7s110xugz] C:\WINDOWS\TEMP\c2bf8sdatv6a0.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [qfo8i5965e8joge] C:\WINDOWS\TEMP\csys0umhoy12z.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xko3uujxa19jyrg] C:\WINDOWS\TEMP\wpkcqtjye.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [i3afza64i0eora71czue9hv17bhf09wbm37yz41jxa13947] C:\WINDOWS\TEMP\wbsshd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nn0ttq8pfr5kxl5hh] C:\WINDOWS\TEMP\wnao9i2c35.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [omir23zyoyj7tqot3fy7l3j3flppproqbzteyi] C:\WINDOWS\TEMP\hnkr35c35o.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [v9hd226rtvk] C:\WINDOWS\TEMP\llz5u82.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [qa1wecheqgrgj1rff6z5bx01cvaav1mdwkf62vw5fdww8tzlg] C:\WINDOWS\TEMP\edeoo6xl740s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [yxfmr15af3lqw4ioykuw2izy4qgm7e3cel2zc4z3] C:\WINDOWS\TEMP\c9o7dyy.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\plugins\Npcdp32.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail05b.shu.edu/iNotes6.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {596AF4AC-40A0-474A-9F86-33F0A90F0FD6} (PictureItLauncher Class) - http://photos.msn.com/resources/neutral/co...ls/DigWebX2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151449646890
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\eawdh3hbg87dkjn.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8352 bytes

Edited by Orodalf, 21 February 2009 - 02:46 PM.
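As an added example (not code from the thread or from HijackThis), here is a small Python triage script that applies the checks a log helper would apply to the log above: an extra program chained into the Userinit value, a browser proxy pointing at a local port, a BHO that reports only a DLL path, and Run entries launching from C:\WINDOWS\TEMP or loose in the Windows root. The sample lines are copied from the posted log; the rules are the author's own heuristics, not HijackThis output.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: six entries copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\TEMP\init.exe,
O2 - BHO: C:\WINDOWS\system32\eawdh3hbg87dkjn.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\eawdh3hbg87dkjn.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [cfl2ac9lqql] C:\WINDOWS\TEMP\vq9c5lx.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [zzjtzgwh.exe] C:\WINDOWS\zzjtzgwh.exe (User 'SYSTEM')
"""

# A file sitting in C:\WINDOWS\TEMP or loose in the Windows root is where this
# log's droppers live; legitimate autostarts point into Program Files or System32.
SUSPECT_DIR = re.compile(r"^[A-Z]:\\WINDOWS\\(TEMP\\)?[^\\]+$", re.IGNORECASE)
O4_TARGET = re.compile(r'\] "?([^"(]+?)"?(?: \(User|$)')

def triage_line(line: str) -> Optional[str]:
    """Return why a HijackThis entry looks hostile, or None if it passes."""
    kind, _, rest = line.partition(" - ")
    if kind == "F2" and "UserInit=" in rest:
        # Stock XP value is 'C:\WINDOWS\SYSTEM32\Userinit.exe,'; anything after
        # that comma is launched by winlogon before the user's desktop appears.
        value = rest.split("UserInit=", 1)[1]
        extras = [p for p in value.split(",") if p and not p.lower().endswith("\\userinit.exe")]
        if extras:
            return "extra program chained into Userinit: " + ", ".join(extras)
    if kind == "R1" and "ProxyServer" in rest and re.search(r"(localhost|127\.0\.0\.1):\d+", rest):
        return "browser traffic routed through a local proxy port"
    if kind == "O2" and rest.split(" - ")[0].lower().endswith(".dll"):
        # A BHO that reports only its DLL path, with no product name, is unusual.
        return "BHO registered without a product name"
    if kind == "O4":
        m = O4_TARGET.search(rest)
        if m and SUSPECT_DIR.match(m.group(1).strip()):
            return "autostart from TEMP or the Windows root: " + m.group(1).strip()
    return None

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Pair each flagged entry's section code (R1, F2, O2, O4 ...) with its reason."""
    hits = []
    for line in log_text.strip().splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.partition(" - ")[0], reason))
    return hits
```

The heuristics only surface entries worth a closer look; a clean result does not mean a clean machine, which is exactly why the replies below recommend a reinstall for a file infector.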



#2 Orodalf

  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:45 PM

Posted 22 February 2009 - 11:05 AM

It's getting worse. After I log in, explorer.exe doesn't start, and I can't start it manually; it just gives me an error.

#3 Thunder


  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:10:45 PM

Posted 24 February 2009 - 11:46 AM

Hello Orodalf,

I'm afraid I have bad news for you :thumbup2:

I see you're dealing with Virut on top of the other nasty malware on your system. In that case, it's unfortunately a lost cause - Game over situation and a format and reinstall is the fastest and especially the safest solution.

You may want to read this to see why:
Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and restore them afterwards, it will infect your computer again.


Read here for instructions on how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html

Greetings,
Thunder

Edited by Thunder, 24 February 2009 - 11:48 AM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#4 Orodalf

  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:45 PM

Posted 24 February 2009 - 06:19 PM

Yeah, I figured that out. Help2Go. I've also read that blog already.

And I also already reinstalled.

The problem is, I'm still infected with Virut. I only kept pictures stored on my computer, some Word documents, and some PDFs, I believe.

I will reinstall again this weekend, without backing my stuff up.

Thanks.

#5 Thunder


  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:10:45 PM

Posted 25 February 2009 - 04:22 AM

Hello Orodalf,

Just make sure you install and UPDATE adequate security programs before even considering restoring backed-up data!!
Avira AntiVir would be my first choice, with SuperAntispyware as antispyware protection to build in secondary protection.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Greetings,
Thunder

#6 Orodalf

  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:45 PM

Posted 27 February 2009 - 10:51 PM

Avira AntiVir...Where do you recommend that I download it? Is it this site?

Yup, I got it.

Edited by Orodalf, 27 February 2009 - 10:54 PM.


#7 Thunder


  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:10:45 PM

Posted 28 February 2009 - 02:09 PM

Hello Orodalf,

Too bad we couldn't help you more.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.