
Hijackthis Log: Please Help Diagnose


  • This topic is locked
4 replies to this topic

#1 genathai

genathai

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 04 September 2006 - 12:08 AM

(Moderator edit: log post moved to HJT log Forum for team analysis and member assistance. Enthusiast)

Logfile of HijackThis v1.99.1
Scan saved at 1:00:53 AM, on 9/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\system32\srvany.exe
D:\WINDOWS\system32\resetservice.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\dllhost.exe
D:\WINDOWS\System32\msdtc.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\BroadJump\Client Foundation\CFD.exe
D:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
D:\WINDOWS\system32\freecell.exe
C:\Program Files\AT&T\WnClient\Programs\ARUpld32.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\DOCUME~1\Joe\LOCALS~1\Temp\Rar$EX00.702\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - D:\WINDOWS\System32\fgxer.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Daily Weather Forecast] D:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [exe.wwdmd] D:\WINDOWS\System32\dmdww.exe
O4 - HKLM\..\Run: [exe.mpkmd] D:\WINDOWS\System32\dmkpm.exe
O4 - HKLM\..\Run: [exe.rrrmd] D:\WINDOWS\System32\dmrrr.exe
O4 - HKLM\..\Run: [exe.rxrmd] D:\WINDOWS\System32\dmrxr.exe
O4 - HKLM\..\Run: [exe.xuzmd] D:\WINDOWS\System32\dmzux.exe
O4 - HKLM\..\Run: [exe.ccumd] D:\WINDOWS\System32\dmucc.exe
O4 - HKLM\..\Run: [exe.rrzmd] D:\WINDOWS\System32\dmzrr.exe
O4 - HKLM\..\Run: [exe.orcmd] D:\WINDOWS\System32\dmcro.exe
O4 - HKLM\..\Run: [exe.einmd] D:\WINDOWS\System32\dmnie.exe
O4 - HKLM\..\Run: [exe.nuomd] D:\WINDOWS\System32\dmoun.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [exe.ajkmd] D:\WINDOWS\System32\dmkja.exe
O4 - HKLM\..\Run: [exe.aksmd] D:\WINDOWS\System32\dmska.exe
O4 - HKLM\..\Run: [exe.kdjmd] D:\WINDOWS\System32\dmjdk.exe
O4 - HKLM\..\Run: [exe.xwwmd] D:\WINDOWS\System32\dmwwx.exe
O4 - HKLM\..\Run: [exe.htcmd] D:\WINDOWS\System32\dmcth.exe
O4 - HKLM\..\Run: [exe.flwmd] D:\WINDOWS\System32\dmwlf.exe
O4 - HKLM\..\Run: [exe.ipgmd] D:\WINDOWS\System32\dmgpi.exe
O4 - HKLM\..\Run: [exe.qhlmd] D:\WINDOWS\System32\dmlhq.exe
O4 - HKLM\..\Run: [exe.qzcmd] D:\WINDOWS\System32\dmczq.exe
O4 - HKLM\..\Run: [exe.qlimd] D:\WINDOWS\System32\dmilq.exe
O4 - HKLM\..\Run: [exe.zrsmd] D:\WINDOWS\System32\dmsrz.exe
O4 - HKLM\..\Run: [exe.mchmd] D:\WINDOWS\System32\dmhcm.exe
O4 - HKLM\..\Run: [exe.cusmd] D:\WINDOWS\System32\dmsuc.exe
O4 - HKLM\..\Run: [exe.enkmd] D:\WINDOWS\System32\dmkne.exe
O4 - HKLM\..\Run: [exe.pplmd] D:\WINDOWS\System32\dmlpp.exe
O4 - HKLM\..\Run: [exe.nijmd] D:\WINDOWS\System32\dmjin.exe
O4 - HKLM\..\Run: [exe.urymd] D:\WINDOWS\System32\dmyru.exe
O4 - HKLM\..\Run: [exe.genmd] D:\WINDOWS\System32\dmneg.exe
O4 - HKLM\..\Run: [exe.mgymd] D:\WINDOWS\System32\dmygm.exe
O4 - HKLM\..\Run: [exe.kaxmd] D:\WINDOWS\System32\dmxak.exe
O4 - HKLM\..\Run: [exe.spfmd] D:\WINDOWS\System32\dmfps.exe
O4 - HKLM\..\Run: [exe.unymd] D:\WINDOWS\System32\dmynu.exe
O4 - HKLM\..\Run: [exe.ldkmd] D:\WINDOWS\System32\dmkdl.exe
O4 - HKLM\..\Run: [exe.ktymd] D:\WINDOWS\System32\dmytk.exe
O4 - HKLM\..\Run: [exe.uzvmd] D:\WINDOWS\System32\dmvzu.exe
O4 - HKLM\..\Run: [exe.niomd] D:\WINDOWS\System32\dmoin.exe
O4 - HKLM\..\Run: [exe.rsvmd] D:\WINDOWS\System32\dmvsr.exe
O4 - HKLM\..\Run: [exe.wbwmd] D:\WINDOWS\System32\dmwbw.exe
O4 - HKLM\..\Run: [exe.rnpmd] D:\WINDOWS\System32\dmpnr.exe
O4 - HKLM\..\Run: [exe.nzkmd] D:\WINDOWS\System32\dmkzn.exe
O4 - HKLM\..\Run: [exe.udgmd] D:\WINDOWS\System32\dmgdu.exe
O4 - HKLM\..\Run: [exe.xylmd] D:\WINDOWS\System32\dmlyx.exe
O4 - HKLM\..\Run: [exe.ovpmd] D:\WINDOWS\System32\dmpvo.exe
O4 - HKLM\..\Run: [exe.itdmd] D:\WINDOWS\System32\dmdti.exe
O4 - HKLM\..\Run: [BJCFD] D:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113511066822
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EBEB5FB-97AA-41E1-9377-8A3D0F0A7E1C}: NameServer = 204.127.129.4 12.102.244.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{80099366-DBB4-4510-9929-98981B05A685}: NameServer = 85.255.113.141,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{8053B351-9058-483B-B32A-D1C14CF66D4D}: NameServer = 85.255.113.141,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FEFE911-3181-4581-9C2E-30441F2ACAF0}: NameServer = 85.255.113.141,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8F6C34D-A248-46CA-B10E-8C4725DC9C71}: NameServer = 85.255.113.141,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA11F556-62C4-4605-8733-8800DC5727E4}: NameServer = 85.255.113.141,85.255.112.216
O20 - Winlogon Notify: reset5 - D:\WINDOWS\SYSTEM32\reset5.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Reset 5 - Unknown owner - D:\WINDOWS\system32\srvany.exe

Edited by Enthusiast, 04 September 2006 - 06:10 AM.



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:10 PM

Posted 05 September 2006 - 04:40 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Before we can get started on fixing your problem, you must change the location of HijackThis. It should not run from a temp directory.
  • Download and run the HijackThis autoinstall program
  • Please choose the default location of C:\Program Files as the destination.
  • Run the program only from that location from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.
=========



Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 genathai

genathai
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 05 September 2006 - 11:35 PM

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\pgtshlld
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nidnsdr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23naelch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\aplnsftn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23rtcdaol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\fvtmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\zncmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\pgtshlld
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nidnsdr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23naelch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ytpme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eilcctrec
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ifpnxesm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\aplnsftn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23rtcdaol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\dnerkbrgfc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"exe.wwdmd"=-
"exe.mpkmd"=-
"exe.rrrmd"=-
"exe.rxrmd"=-
"exe.xuzmd"=-
"exe.ccumd"=-
"exe.rrzmd"=-
"exe.orcmd"=-
"exe.einmd"=-
"exe.nuomd"=-
"exe.ajkmd"=-
"exe.aksmd"=-
"exe.kdjmd"=-
"exe.xwwmd"=-
"exe.htcmd"=-
"exe.flwmd"=-
"exe.ipgmd"=-
"exe.qhlmd"=-
"exe.qzcmd"=-
"exe.qlimd"=-
"exe.zrsmd"=-
"exe.mchmd"=-
"exe.cusmd"=-
"exe.enkmd"=-
"exe.pplmd"=-
"exe.nijmd"=-
"exe.urymd"=-
"exe.genmd"=-
"exe.mgymd"=-
"exe.kaxmd"=-
"exe.spfmd"=-
"exe.unymd"=-
"exe.ldkmd"=-
"exe.ktymd"=-
"exe.uzvmd"=-
"exe.niomd"=-
"exe.rsvmd"=-
"exe.wbwmd"=-
"exe.rnpmd"=-
"exe.nzkmd"=-
"exe.udgmd"=-
"exe.xylmd"=-
"exe.ovpmd"=-
"exe.itdmd"=-
"exe.msrmd"=-
"exe.lycmd"=-
"exe.zncmd"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Searching by size/names...
* csr.exe D:\WINDOWS\System32\CSLNF.EXE


Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
D:\WINDOWS\SYSTEM32\CSLNF.EXE 51,294 2006-04-04
D:\WINDOWS\SYSTEM32\DMCNZ.EXE 51,260 2002-10-25

Other suspects.
Directory of D:\WINDOWS\system32

Misc files.

Checking for older varients covered by the Rem3 tool.


Logfile of HijackThis v1.99.1
Scan saved at 12:33:34 AM, on 9/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\system32\srvany.exe
D:\WINDOWS\system32\resetservice.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\BroadJump\Client Foundation\CFD.exe
D:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE
D:\WINDOWS\system32\freecell.exe
C:\Program Files\AT&T\WnClient\Programs\ARUpld32.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Daily Weather Forecast] D:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BJCFD] D:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113511066822
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EBEB5FB-97AA-41E1-9377-8A3D0F0A7E1C}: NameServer = 204.127.160.3 12.102.240.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{80099366-DBB4-4510-9929-98981B05A685}: NameServer = 85.255.113.141,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{8053B351-9058-483B-B32A-D1C14CF66D4D}: NameServer = 85.255.113.141,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FEFE911-3181-4581-9C2E-30441F2ACAF0}: NameServer = 85.255.113.141,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8F6C34D-A248-46CA-B10E-8C4725DC9C71}: NameServer = 85.255.113.141,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA11F556-62C4-4605-8733-8800DC5727E4}: NameServer = 85.255.113.141,85.255.112.216
O20 - Winlogon Notify: reset5 - D:\WINDOWS\SYSTEM32\reset5.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
O23 - Service: Reset 5 - Unknown owner - D:\WINDOWS\system32\srvany.exe

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:10 PM

Posted 06 September 2006 - 03:09 PM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O17 - HKLM\System\CCS\Services\Tcpip\..\{80099366-DBB4-4510-9929-98981B05A685}: NameServer = 85.255.113.141,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{8053B351-9058-483B-B32A-D1C14CF66D4D}: NameServer = 85.255.113.141,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FEFE911-3181-4581-9C2E-30441F2ACAF0}: NameServer = 85.255.113.141,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8F6C34D-A248-46CA-B10E-8C4725DC9C71}: NameServer = 85.255.113.141,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA11F556-62C4-4605-8733-8800DC5727E4}: NameServer = 85.255.113.141,85.255.112.216



===========================


Now let's check some settings on your system.
  • Enter your Control Panel and double-click on Network Connections
  • Then right click on your Default Connection
    • Usually Local Area Connection for Cable and DSL
  • Left click on Properties
  • Double-Click on the Internet Protocol (TCP/IP) item
  • Select the radio dial that says Obtain DNS Servers Automatically
  • Press OK twice to get out of the properties screen and reboot if it asks
Next, go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter; type exit and hit Enter.
(That space between g and / is needed.)



============================


Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do not run a scan just yet; we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, as it may interfere with the scanning process:
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido scan report along with a new hijackthis log.

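The two things Sam picks out of this log are the O17 NameServer entries pointing at 85.255.x.x instead of the ISP's resolvers, and the dozens of "exe.xxxmd" Run entries whose value name is the executable name spelled backwards. As an added example (not code from the thread or from HijackThis), here is a small Python triage script that applies both checks to O4 and O17 lines copied from the log above; the expected resolver set is an assumption taken from the first O17 line, and an analyst would normally confirm it with the ISP.

```python
import re
from ipaddress import ip_address

# Constructed sample: O4 and O17 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [exe.wwdmd] D:\WINDOWS\System32\dmdww.exe
O4 - HKLM\..\Run: [exe.mpkmd] D:\WINDOWS\System32\dmkpm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EBEB5FB-97AA-41E1-9377-8A3D0F0A7E1C}: NameServer = 204.127.129.4 12.102.244.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{80099366-DBB4-4510-9929-98981B05A685}: NameServer = 85.255.113.141,85.255.112.216
"""

# Assumption: the resolvers the ISP actually assigned. Taken here from the
# first O17 line of the log; in practice confirm them with the ISP.
EXPECTED_RESOLVERS = {"204.127.129.4", "12.102.244.2"}

O17_RE = re.compile(r"^O17 - .*\\\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|scr))(?:\s|$)", re.IGNORECASE)


def _command_path(cmd: str) -> str:
    """Return the executable path from an O4 command string (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.index('"', 1)]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def rogue_nameservers(log: str, expected=EXPECTED_RESOLVERS) -> dict:
    """Map interface GUID -> resolvers that are not in the expected set.

    HijackThis separates servers with commas or spaces, so both are accepted.
    Anything that is not even an IP address is reported as well.
    """
    hits = {}
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        bad = []
        for server in re.split(r"[,\s]+", m.group("servers")):
            if not server:
                continue
            try:
                ip_address(server)
            except ValueError:
                bad.append(server)
                continue
            if server not in expected:
                bad.append(server)
        if bad:
            hits[m.group("guid")] = bad
    return hits


def reversed_name_run_entries(log: str) -> list:
    """Return (value name, path) for O4 Run entries whose value name is the
    executable's file name reversed, as every exe.xxxmd -> dmxxx.exe pair here is."""
    hits = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = _command_path(m.group("cmd"))
        filename = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if m.group("name").lower() == filename.lower()[::-1]:
            hits.append((m.group("name"), path))
    return hits


def triage(log: str, expected=EXPECTED_RESOLVERS) -> dict:
    """Combine both checks into one report an analyst can act on."""
    return {
        "rogue_nameservers": rogue_nameservers(log, expected),
        "reversed_name_runs": reversed_name_run_entries(log),
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section)
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print("  ", hit)
```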

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:10 PM

Posted 21 September 2006 - 04:44 PM

Unfortunately there has been no response, and this thread will now be closed. :thumbsup:

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.



