Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log: Please Help Diagnose


  • Please log in to reply
1 reply to this topic

#1 Linda_nf

Linda_nf

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 01 December 2006 - 10:30 PM

I am having a lot of trouble with my computer, here is my log file, please help me.

linda_nf@hotmail.com


Logfile of HijackThis v1.99.1
Scan saved at 11:24:13 PM, on 12/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\csrss.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\emoticon.exe
C:\Program Files\Lmod\Trqp.exe
C:\WINDOWS\System32\lass.exe
C:\WINDOWS\System32\msp32.exe
C:\WINDOWS\System32\lsx32.exe
C:\WINDOWS\System32\ntx32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wlsass.exe
C:\WINDOWS\System32\ppx32.exe
C:\WINDOWS\System32\xwin32.exe
C:\WINDOWS\System32\ywin32.exe
C:\WINDOWS\System32\mscdconf.exe
C:\WINDOWS\System32\ppl32.exe
C:\WINDOWS\System32\cd64.exe
C:\qlvfe.exe
C:\WINDOWS\System32\lss.exe
C:\windows\system32\rkdsregs.exe
C:\WINDOWS\System32\HTTP.exe
C:\WINDOWS\System32\NAMED.exe
C:\WINDOWS\System32\MS22.exe
C:\WINDOWS\newfrn.exe
C:\WINDOWS\logon.exe
C:\PROGRA~1\COMMON~1\froq\froqm.exe
C:\DOCUME~1\OWNER~1.YOU\MYDOCU~1\YMBOLS~1\dllhost.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\mwinlsag.exe
C:\WINDOWS\System32\taskmgr.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\froq\froqa.exe
C:\WINDOWS\TGluZGEgUmh5bWVz\command.exe
C:\WINDOWS\fwnet64.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\MsLS32.exe
C:\WINDOWS\System32\net32a.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner.YOUR-RVLNHR6V8D\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ca7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {330987A0-3E39-4AC3-13E7-4591F9D38A9C} - C:\WINDOWS\System32\jzju.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,c:\windows\dx32cxlp.exe,
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [REGRUN] C:\emoticon.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [noC=] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Asqbdnk] C:\Program Files\Lmod\Trqp.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\System32\lass.exe
O4 - HKLM\..\Run: [msp32] C:\WINDOWS\System32\msp32.exe
O4 - HKLM\..\Run: [lsx32] C:\WINDOWS\System32\lsx32.exe
O4 - HKLM\..\Run: [ntx32] C:\WINDOWS\System32\ntx32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wlsass] C:\WINDOWS\System32\wlsass.exe
O4 - HKLM\..\Run: [ppx32] C:\WINDOWS\System32\ppx32.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [xwin32] C:\WINDOWS\System32\xwin32.exe
O4 - HKLM\..\Run: [ywin32] C:\WINDOWS\System32\ywin32.exe
O4 - HKLM\..\Run: [win32] C:\WINDOWS\System32\win32.exe
O4 - HKLM\..\Run: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKLM\..\Run: [ppl32] C:\WINDOWS\System32\ppl32.exe
O4 - HKLM\..\Run: [cd64] C:\WINDOWS\System32\cd64.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\qlvfe.exe
O4 - HKLM\..\Run: [lss] C:\WINDOWS\System32\lss.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\kgxddd.exe reg_run
O4 - HKLM\..\Run: [{09-9B-BE-EA-ZN}] C:\windows\system32\rkdsregs.exe FI002
O4 - HKLM\..\Run: [msupdate] C:\WINDOWS\msupdate.exe
O4 - HKLM\..\Run: [HTTP] C:\WINDOWS\System32\HTTP.exe
O4 - HKLM\..\Run: [NAMED] C:\WINDOWS\System32\NAMED.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [MS22] C:\WINDOWS\System32\MS22.exe
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\RunServices: [dx32serv] dx32cxlp.exe
O4 - HKLM\..\RunServices: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKLM\..\RunOnce: [msupdate] C:\WINDOWS\msupdate.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Irosj] C:\WINDOWS\System32\d?xplore.exe
O4 - HKCU\..\Run: [Microsft Computer Data Conf] mscdconf.exe
O4 - HKCU\..\Run: [froq] C:\PROGRA~1\COMMON~1\froq\froqm.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\OWNER~1.YOU\MYDOCU~1\YMBOLS~1\dllhost.exe" -vt mt
O4 - HKCU\..\Run: [msupdate] C:\WINDOWS\msupdate.exe
O4 - HKCU\..\Run: [RPCser32g1] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [RPCser32g3] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize
O4 - HKCU\..\RunOnce: [msupdate] C:\WINDOWS\msupdate.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwinlsag.exe
O4 - Global Startup: CompuServe 2000 Tray Icon.lnk = C:\Program Files\CompuServe 2000\cstray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O :thumbsup: 15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterex...artload114a.exe
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\msjpnd.dll
O20 - AppInit_DLLs:
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGluZGEgUmh5bWVz\command.exe
O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MsLS32 - Unknown owner - C:\WINDOWS\MsLS32.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINDOWS\System32\net32a.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

Edited by Linda_nf, 01 December 2006 - 10:32 PM.


BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:01 AM

Posted 01 December 2006 - 11:37 PM

Hello Linda_nf,

I am SifuMike and I will be helping you.

You have quite a collecion of malware on this computer. :thumbsup:

Are you running an antivirus program? I do not see any.

Before we start, you need to realise that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world. :flowers:

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free
AntiVir or
AVG antivirus or
Avast

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

C:\Documents and Settings\Owner.YOUR-RVLNHR6V8D\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe


You need to put HijackThis into its own folder, but not a temp folder. It won't save the backups if it is run from a temporary folder, and we will be deleting the temp folder.

Please download the latest version from the following link:

HijackThis Download Site with installer
Just click on Hijackthis_sfx.exe file that you downloaded. A WinZip self extractor screen appears with the default location of C:\Program Files\Hijackthis.
Then press the Unzip button. Then close the Self-Extractor window.

Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. Wait until all the scans are done before running Hijackthis.


Download ATF (Atribune Temp File) Cleanerİ by Atribune DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Sheild' and 'Automatic Updates'. If you choose to do this, then right click on ewdio in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
5. Click on "Save Report" to view all completed scans.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware 7.5

When done, submit the AVG Anti-Spyware 7.5 log  and a  fresh Hijackthis log.

Edited by SifuMike, 01 December 2006 - 11:43 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users