Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Some Help With A Big Virus Problem


  • This topic is locked This topic is locked
2 replies to this topic

#1 Dragonne

Dragonne

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:16 AM

Posted 11 October 2005 - 11:54 PM

Hi there, I'm a new to this computer buisness and I ended up with a lot of viruses and spyware on my computer somehow. Here's my hijack this log, please help!

Logfile of HijackThis v1.99.1
Scan saved at 11:43:18 PM, on 10/11/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\s3hotkey.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\WINSHELL.EXE
C:\Program Files\crae\stab.exe
C:\WINDOWS\System32\l?ass.exe
C:\WINDOWS\System32\wuauclt.exe
A:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mymanitoba.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {ACCBB193-7457-5680-7640-2CD74F2B6597} - C:\WINDOWS\System32\imkaqu.dll
O2 - BHO: (no name) - {ACCBB5E3-7452-51F3-7631-2CD7485F6593} - C:\WINDOWS\System32\imkaqu.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRAM FILES\BARGAIN BUDDY\BIN\APUC.DLL (file missing)
O2 - BHO: Scriptlet.Tools - {EEBA788A-C268-492A-B7FE-42C2B6C553D4} - C:\WINDOWS\ALLUSE~1\APPLIC~1\Bin\bin.dll
O2 - BHO: (no name) - {F99EE0C3-7652-5286-7640-2CD74F2B63CD} - C:\WINDOWS\System32\krimj.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Windows NetStart Service2] winsN2S.exe
O4 - HKLM\..\Run: [Microsoft sdk temp] sdktemp.exe
O4 - HKLM\..\Run: [Windows Command Prompt] WINSHELL.EXE
O4 - HKLM\..\RunServices: [Windows NetStart Service2] winsN2S.exe
O4 - HKLM\..\RunServices: [Microsoft sdk temp] sdktemp.exe
O4 - HKLM\..\RunServices: [Windows Command Prompt] WINSHELL.EXE
O4 - HKCU\..\Run: [Windows NetStart Service2] winsN2S.exe
O4 - HKCU\..\Run: [Nhsh] "C:\Program Files\crae\stab.exe" -vt mt
O4 - HKCU\..\Run: [Zkfvjfos] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\RunServices: [Windows NetStart Service2] winsN2S.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Download...bridge-c338.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=5056
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:16 AM

Posted 18 October 2005 - 11:08 AM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {ACCBB193-7457-5680-7640-2CD74F2B6597} - C:\WINDOWS\System32\imkaqu.dll
O2 - BHO: (no name) - {ACCBB5E3-7452-51F3-7631-2CD7485F6593} - C:\WINDOWS\System32\imkaqu.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRAM FILES\BARGAIN BUDDY\BIN\APUC.DLL (file missing)
O2 - BHO: Scriptlet.Tools - {EEBA788A-C268-492A-B7FE-42C2B6C553D4} - C:\WINDOWS\ALLUSE~1\APPLIC~1\Bin\bin.dll
O2 - BHO: (no name) - {F99EE0C3-7652-5286-7640-2CD74F2B63CD} - C:\WINDOWS\System32\krimj.dll (file missing)
O4 - HKLM\..\Run: [Windows NetStart Service2] winsN2S.exe
O4 - HKLM\..\Run: [Microsoft sdk temp] sdktemp.exe
O4 - HKLM\..\Run: [Windows Command Prompt] WINSHELL.EXE
O4 - HKLM\..\RunServices: [Windows NetStart Service2] winsN2S.exe
O4 - HKLM\..\RunServices: [Microsoft sdk temp] sdktemp.exe
O4 - HKLM\..\RunServices: [Windows Command Prompt] WINSHELL.EXE
O4 - HKCU\..\Run: [Windows NetStart Service2] winsN2S.exe
O4 - HKCU\..\Run: [Nhsh] "C:\Program Files\crae\stab.exe" -vt mt
O4 - HKCU\..\Run: [Zkfvjfos] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\RunServices: [Windows NetStart Service2] winsN2S.exe
O13 - WWW. Prefix: http://
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Download...bridge-c338.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=5056

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)


C:\WINDOWS\System32\imkaqu.dll
C:\PROGRAM FILES\BARGAIN BUDDY\
C:\WINDOWS\ALLUSERS\APPLICATION DATA\Bin\bin.dll
C:\WINDOWS\System32\krimj.dll
c:\windows\system32\sdktemp.exe
c:\windows\system32\WINSHELL.EXE
C:\Program Files\crae\stab.exe
c:\windows\system32\winsN2S.exe

Reboot your computer to go back to normal mode and post a new log.

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:16 AM

Posted 14 November 2005 - 10:48 AM

Due to inactivity this topic is closed. If you need to reopen this topic, please contact a moderator and they will do so.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users