Need Help Please


This topic is locked
9 replies to this topic

#1 Mandy1G

Posted 11 December 2006 - 10:04 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:50:06 PM, on 12/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\msndn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system\winlogin.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\PROGRA~1\COMMON~1\AOL\115000~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\115000~1\EE\AOLServiceHost.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gkvammx.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150004063\EE\AOLHostManager.exe
O4 - HKLM\..\RunServices: [Microsoft Configure12] msoftconf12.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msoftconf.exe
O4 - HKCU\..\Run: [dmbnhp] C:\WINDOWS\System32\dmbnhp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm159YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB3DC848-18B4-44C2-A726-A8D0657035DB}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: inicfg32.dll,
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft Networks DN (msndn) - Unknown owner - C:\WINDOWS\msndn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Winlogin messenger - Unknown owner - C:\WINDOWS\system\winlogin.exe
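A triage pass over a log like the one above, as an added example that is not part of the original thread and not code from HijackThis itself. The rules are my own heuristics: the core-binary list and the list of programs allowed directly in C:\WINDOWS are assumed and incomplete, and the checks assume Windows XP with %SystemRoot% = C:\WINDOWS as the log's Platform line reports. The sample input is a hand-trimmed excerpt of the posted log, not a fresh capture:

```python
r"""Triage a HijackThis 1.99 log for persistence red flags. The heuristics are
mine, not HijackThis's, and assume %SystemRoot% is C:\WINDOWS as the log's
Platform line reports; each check is described at the rule that applies it."""
import ntpath, re

# Core NT binaries that malware often imitates; incomplete, my own choice.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe",
                 "userinit.exe", "ctfmon.exe", "rundll32.exe"}
# Programs that legitimately sit directly in C:\WINDOWS (assumed, incomplete).
ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
O4_RE = re.compile(r"^HK(LM|CU)\\\.\.\\(Run\w*): \[([^\]]*)\] ?(.*)$")

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_process(path):
    """Flag a 'Running processes' path by its directory and by name similarity."""
    out = []
    directory, name = (s.lower() for s in ntpath.split(path))
    # System processes belong in system32; C:\WINDOWS\system is the legacy dir.
    if directory == r"c:\windows\system" or (directory == r"c:\windows" and name not in ROOT_OK):
        out.append((path, "process outside system32: %s" % directory))
    if name not in CORE_BINARIES:  # winlogin.exe is one edit from winlogon.exe
        out += [(path, "look-alike of %s" % c) for c in sorted(CORE_BINARIES) if edit_distance(name, c) == 1]
    return out

def check_entry(code, body, line):
    """Apply the per-section rules to one 'Rn/Fn/On - ...' entry."""
    value = body.split("=", 1)[1].strip() if "=" in body else ""
    if code == "F2" and body.startswith("REG:system.ini: Shell=") and value.lower() != "explorer.exe":
        return [(line, "Shell replaced by %s" % value)]
    if code == "F2" and body.startswith("REG:system.ini: UserInit="):
        # Default XP value is "C:\WINDOWS\system32\userinit.exe," and nothing else.
        parts = [p.strip().lower() for p in value.split(",") if p.strip()]
        if not parts or ntpath.basename(parts[0]) != "userinit.exe" or len(parts) > 1:
            return [(line, "UserInit runs extra binaries: %s" % ", ".join(parts[1:]))]
    if code == "O4":  # a bare filename is resolved by PATH search at logon
        m = O4_RE.match(body)
        if m and "\\" not in m.group(4):
            return [(line, "%s entry with no directory: %s" % (m.group(2), m.group(4)))]
    if code == "O16":
        return [(line, "ActiveX download from %s; confirm the host is trusted" % body.rsplit(" - ", 1)[-1])]
    if code == "O17":
        return [(line, "DNS server set in registry; confirm it belongs to your ISP")]
    if code == "O20" and body.startswith("AppInit_DLLs:"):  # loaded into every process that loads user32.dll
        dlls = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
        if dlls:
            return [(line, "AppInit_DLLs injects %s into every process" % ", ".join(dlls))]
    if code == "O23" and "Unknown owner" in body:
        return [(line, "service binary has no vendor information; verify the file")]
    return []

def triage(log_text):
    """Return (offending line, reason) pairs for a whole HijackThis log."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            findings.extend(check_process(line))
        elif in_procs:
            in_procs = False  # blank line ends the process list
        else:
            m = ENTRY_RE.match(line)
            if m:
                findings.extend(check_entry(m.group(1), m.group(2), line))
    return findings

# Excerpt of the log posted above, trimmed by hand; not a fresh capture.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\msndn.exe
C:\WINDOWS\system\winlogin.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gkvammx.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [Microsoft Configure12] msoftconf12.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msoftconf.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB3DC848-18B4-44C2-A726-A8D0657035DB}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: inicfg32.dll,
O23 - Service: Microsoft Networks DN (msndn) - Unknown owner - C:\WINDOWS\msndn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for where, why in triage(SAMPLE_LOG):
        print("%-55s <- %s" % (why, where))
```

Run it and every flagged line comes back with the reason it was flagged; the legitimate entries in the excerpt (winlogon.exe in system32, explorer.exe in C:\WINDOWS, the NVIDIA service, the Media Access Run entry with a full path) produce nothing. A flag is a reason to look at the file, not proof that it is malicious: the O16 and O17 rules in particular only mark the entry for review.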

#2 YounGun (The malware-fighting kid)

Posted 12 December 2006 - 07:00 AM

Heya :thumbsup:

You got a few infections there. This is mainly because you are not running any anti-virus / firewall software. I suggest you download and install ZoneAlarm and AVG Anti-Virus. They are both free and good.

Next, please move HijackThis.exe into its own, separate folder (e.g. C:\hijackthis\).

Go to Start > Control Panel > Add/Remove Programs and uninstall everything related to: Media Access and MyWebSearch.

Please download Qoofix 1.02 from this page:
http://www.malwarebytes.org/qoofix.php

Unzip to a convenient location such as C:\Qoofix.
Navigate to the folder you unzipped the files to and double click on the file named Qoofix.exe.
Finally, select Begin Removal and the removal process will commence.
A reboot may be necessary if an infection is found.
Your log from this tool will be located at C:\Qoofix\Qoofix Logfile.txt
Copy and paste the contents of that report into your next reply here.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Don't forget to post both of the logs generated by the Qoofix tool and the SDFix one.

#3 Mandy1G (Topic Starter)

Posted 13 December 2006 - 05:45 AM

YounGun


As per your instructions, when I tried to go into Safe Mode I got the blue screen. The screen stated REGISTRY_ERROR and the technical information is as follows: Stop: 0x00000051 (0x00000004, 0x00000001, 0xe14a5e60, 0x007c8460). I tried to do a Windows repair and it failed. It stated (missing or corrupt) system32\drivers\ntfs.sys. Don't know what to do next. The Qoofix log was clean.



Mandy1G

#4 YounGun

Posted 13 December 2006 - 09:18 AM

You got the error before or after running SDfix?

#5 Mandy1G (Topic Starter)

Posted 13 December 2006 - 01:19 PM

Hi YounGun


It was before SDFix; I was going into Safe Mode to get ready to run SDFix. Just to add to my reply of earlier, I did try to start up with Last Known Good Configuration. That didn't help either.


Mandy1G

#6 YounGun

Posted 13 December 2006 - 01:40 PM

OK, let's try a different approach:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#7 Mandy1G (Topic Starter)

Posted 13 December 2006 - 03:28 PM

YounGun



My computer will not start Windows; I get the blue screen as I stated in the other post. I'm using a friend's computer to post these. How do I get Windows to start, getting past the blue screen of death as they like to call it?


Mandy1G

#8 YounGun

Posted 14 December 2006 - 04:59 PM

Seems that we have run into a little problem, let's try the following:
  • Boot computer with the Windows XP CD-ROM in the CD-ROM drive.
  • To repair a Windows XP installation using Recovery Console, press R.
  • At the command prompt, type the following commands:-

    cd \windows\system32\drivers [Press the ENTER Key]

    ren ntfs.sys ntfs.old [Press the ENTER Key]

    If the ntfs.sys file is there and corrupt it will rename it. If it is not there then it was missing.
  • At the command prompt, type the following command, and then press ENTER:
    copy X:\i386\ntfs.sys drive:\windows\system32\drivers [Where X=CD-ROM Drive]
  • Remove the Windows XP CD from the CD-ROM drive, type quit, and then press ENTER to quit the Recovery Console.
  • Restart the system.

Edited by YounGun, 14 December 2006 - 05:00 PM.


#9 Mandy1G (Topic Starter)

Posted 15 December 2006 - 03:31 AM

Hi YounGun

I will do the above Sat. and get back with you. I'll post all log files for you to look over.

Thanks
Mandy1G

#10 YounGun

Posted 08 January 2007 - 07:04 AM

Due to lack of feedback I'm locking this topic.

If you ever should need it re-opened, please send me a PM.



