Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log, need help


  • Please log in to reply
1 reply to this topic

#1 shino

shino

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:21 AM

Posted 13 July 2005 - 04:24 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:20:23 PM, on 7/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.EXE
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\system32\web.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\vxgame2.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame6.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame6.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\symcsvc.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\Program Files\aeta\ucsm.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\SYSTEM32\m?config.exe
C:\DOCUME~1\AGNESG~1\LOCALS~1\Temp\Rar$EX00.155\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,8,0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Oowp] C:\Program Files\aeta\ucsm.exe
O4 - HKCU\..\Run: [Kbaw] C:\WINDOWS\System32\m?config.exe
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Agnes Garcia"
O4 - Global Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11234b1bb34966...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D2F1FA7-300C-47CF-BCEA-318BD3576E7D}: NameServer = 206.141.192.60 206.141.193.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D2F1FA7-300C-47CF-BCEA-318BD3576E7D}: NameServer = 206.141.192.60 206.141.193.55
O21 - SSODL: System - {11BD1F07-B7F5-4089-B62A-64AA29566A79} - vr_sys.dll (file missing)
O21 - SSODL: AddressBook - {241DA3B8-74FC-F86D-36BF-9FC8C2D82D18} - c:\progra~1\outloo~1\wintzvfh32.dll
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

BC AdBot (Login to Remove)

 


#2 JG427

JG427

  • Members
  • 241 posts
  • OFFLINE
  •  
  • Local time:03:21 AM

Posted 15 July 2005 - 03:19 PM

Hi shino.

You have several bad files running on your system.

Please download, install, and update the free version of ewido security suite.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
Click on update in the left menu, then click the Start update button.
After the update finishes, exit from ewido as it should be run in safemode.

Reboot into safemode
Restart the computer, as soon as the BIOS has finished loading, begin tapping the F8 key .
Continue to do so until the Windows Advanced Options menu appears.
Using the arrow keys, scroll to and select Safemode, then press Enter.

Open Ewido and click on the Scanner button in the left menu, then click on complete system scan.
When ewido finds something, it will pop up a notification.
Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on ok.
When the scan finishes, click on "Save Report".

Reboot to normal mode.

Download DelDomains.inf by right clicking the following link and choose save.
http://mvps.org/winhelp2002/DelDomains.inf
Right click the DelDomains.inf file and select "install" from the menu.


Scan with hijackthis and post a fresh log.
Also post the report from ewido.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users