Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trying To Clean My Brother's Pc


  • This topic is locked This topic is locked
8 replies to this topic

#1 MXPilot

MXPilot

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:49 PM

Posted 22 December 2006 - 02:59 AM

Here is the hijackthis log for this PC. Every link I click from the google search results gets redirected. Help!

Logfile of HijackThis v1.99.1
Scan saved at 12:32:58 AM, on 12/22/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\hjt\HijackThis.exe

R3 - URLSearchHook: (no name) - {9832C85E-7BE1-A17B-9A60-D21CED9DBABE} - wormexe.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [SysSupport] AppMasterCenter.exe
O4 - HKLM\..\Run: [iesetupdll] sysmon12.exe
O4 - HKLM\..\Run: [xxtoolbar] uio.exe
O4 - HKLM\..\Run: [TForm1] ExchangeMaster.exe
O4 - HKLM\..\Run: [jbxul.exe] C:\WINDOWS\System32\jbxul.exe
O4 - HKLM\..\Run: [dmffa.exe] C:\WINDOWS\System32\dmffa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/203317682628fd...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103508562324
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A1D04B3-ADAD-4C13-B533-E87458EAA639}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4D7EE7D-11F4-4981-9477-7037F63ADF99}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A1D04B3-ADAD-4C13-B533-E87458EAA639}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A1D04B3-ADAD-4C13-B533-E87458EAA639}: NameServer = 85.255.116.26,85.255.112.104
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:49 AM

Posted 22 December 2006 - 06:30 AM

Hello,

I want you to perform some things first, because it doesn't make any sense that we try to clean up your system if nothing is preventing your system from malware being installed again.

I see no antivirus and firewall installed on your system, and I also see that your windows isn't up to date. :thumbsup:

You don't have even ServicePack1 installed! Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems... and that is the reason why you are now infected, because, when your windows was up to date, the securitypatches could prevent this.

So, what I want you to do right now is, please update your windows to SP1.
We'll get SP2 later when your system is clean again.
Visit http://windowsupdate.microsoft.com/ to update.

REBOOT afterwards.

When done, install an antivirus.

Avira, AVG OR Avast OR Active Virus Shield (uncheck the Security Toolbar during install)
Never install more than one antivirusscanner or firewall on your system! Several together can give problems and decreases the reliability of it seriously!

Uninstall Ewido, because this is an outdated version you are using. It has been updated to AVG Antispyware.

Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware and reboot!!
  • I need the log later.
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: (no name) - {9832C85E-7BE1-A17B-9A60-D21CED9DBABE} - wormexe.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [SysSupport] AppMasterCenter.exe
O4 - HKLM\..\Run: [iesetupdll] sysmon12.exe
O4 - HKLM\..\Run: [xxtoolbar] uio.exe
O4 - HKLM\..\Run: [TForm1] ExchangeMaster.exe
O4 - HKLM\..\Run: [jbxul.exe] C:\WINDOWS\System32\jbxul.exe
O4 - HKLM\..\Run: [dmffa.exe] C:\WINDOWS\System32\dmffa.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/203317682628fd...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A1D04B3-ADAD-4C13-B533-E87458EAA639}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4D7EE7D-11F4-4981-9477-7037F63ADF99}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A1D04B3-ADAD-4C13-B533-E87458EAA639}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A1D04B3-ADAD-4C13-B533-E87458EAA639}: NameServer = 85.255.116.26,85.255.112.104


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Please download FixwareOut from one of the following sites:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log and the log from AVG Antispyware
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 MXPilot

MXPilot
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:49 PM

Posted 23 December 2006 - 03:11 AM

Hey thanks!!

I don't know if I can do anything with the Windows that is on here. This is an old computer that was given to my brother. He lives with my parents, and they try to use this computer. They know virtually nothing about PCs. Unfortunately, I can only get here to visit once or twice a year so I am little help. Not sure I could be of any real help if I lived closer. At least I'm comfortable trying to fix it. I tried to update the windows updater and ran into some trouble with the validation or something. It seemed to hang. I don't know the integrity of what's on this PC since they didn't get any disks with it. I still did the other steps on the list though and will provide the new logs. I don't know if you can provide any further help or not, but I appreciate what you've provided so far. I understand the vulnerabilities that will still be on here, but if I can just get it so they can do the occasional Internet surfing, that'll be fine. I can't even get them to use email. At least it's not getting redirected from the Google search results any more. It's just still really, really slow.

Thanks again!!!


Logfile of HijackThis v1.99.1
Scan saved at 6:29:13 PM, on 12/22/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\hjt\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166821225626
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe





---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:06:16 PM 12/22/2006

+ Scan result:



C:\System Volume Information\_restore{EEAA29DB-D14B-4C12-9C07-140E635E2E72}\RP217\A0022153.dll -> Adware.ActivShopper : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EEAA29DB-D14B-4C12-9C07-140E635E2E72}\RP217\A0022156.dll -> Adware.BDE : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EEAA29DB-D14B-4C12-9C07-140E635E2E72}\RP217\A0022154.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EEAA29DB-D14B-4C12-9C07-140E635E2E72}\RP217\A0022155.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EEAA29DB-D14B-4C12-9C07-140E635E2E72}\RP217\A0022157.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EEAA29DB-D14B-4C12-9C07-140E635E2E72}\RP218\A0022197.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EEAA29DB-D14B-4C12-9C07-140E635E2E72}\RP218\A0022199.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EEAA29DB-D14B-4C12-9C07-140E635E2E72}\RP218\A0022204.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EEAA29DB-D14B-4C12-9C07-140E635E2E72}\RP218\A0022206.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[152] VM_003B0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[1784] VM_007B0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[1976] VM_00390000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[232] VM_008A0000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[492] VM_00D90000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
[516] VM_00F80000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\Documents and Settings\Gmanby\Cookies\gmanby@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Gmanby\Cookies\gmanby@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Gmanby\Cookies\gmanby@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Gmanby\Cookies\gmanby@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Gmanby\Cookies\gmanby@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Gmanby\Cookies\gmanby@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Gmanby\Cookies\gmanby@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\System Volume Information\_restore{EEAA29DB-D14B-4C12-9C07-140E635E2E72}\RP218\A0022200.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EEAA29DB-D14B-4C12-9C07-140E635E2E72}\RP218\A0022207.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\system32\howiper.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).


::Report end





Fixwareout
Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="cscqs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmhjj.exe"="C:\\WINDOWS\\System32\\dmhjj.exe"
"jbjyk.exe"="C:\\WINDOWS\\System32\\jbjyk.exe"

...
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}689EE9209919-366A-2594-2621-B8D1BB24{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\kyjbj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\jjhmd
...

Random Runs removed from HKLM
"jbjyk.exe"=-
"dmhjj.exe"=-
...
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Searching by size/names...
* csr.exe C:\WINDOWS\System32\CSCQS.EXE


Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSCQS.EXE 51,200 2006-02-26
C:\WINDOWS\SYSTEM32\DMCPL.EXE 1,323,008 2003-07-28

Other suspects.
C:\WINDOWS\System32\{30F8C384-AEB4-41E2-BE4D-312901B362C6}.exe
C:\WINDOWS\System32\{65E48527-40DC-454B-B27C-478FFD15BFB9}.exe
C:\WINDOWS\System32\{693924E2-AFE4-45D3-BC9D-BD14BC301D4C}.exe
C:\WINDOWS\System32\{8D264563-C599-4D58-9233-99BE8DB76741}.exe

Misc files.

Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

...

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:49 AM

Posted 23 December 2006 - 08:45 AM

Hello,

Concerning Windows Update - if the Validation failed and you don't have any disks that came with this computer - then I guess it's not a genuine version of Windows here. And non genuine versions are not able to get fully patched.

In that case, you already know what you should buy for your brother for his birthday next year -- and that's the genuine version of Windows Vista (since it will be Windows Vista then) :thumbsup:

Anyway, your Hijackthislog looks clean again.

Browse to your C:\Windows\System32-folder and search for and delete next files if still present:

cscqs.exe
dmhjj.exe
jbjyk.exe

Then install an antivirus, because I see an Antivirus is still not present yet.

Let me know afterwards how things are running then.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 MXPilot

MXPilot
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:49 PM

Posted 26 December 2006 - 01:34 AM

Hey, Thanks again! When I got here, the PC was a mess, the sound wasn't working, the printer wasn't working, etc. Now it seems to be serviceable.

I thought that AVG anti-spyware was also a virus scanner. I added their virus scanner also now. How does this log look?

Thanks again!!!


Logfile of HijackThis v1.99.1
Scan saved at 12:25:02 AM, on 12/26/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Documents and Settings\Gmanby\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166821225626
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:49 AM

Posted 26 December 2006 - 01:37 AM

Hello,

I see a clean log again. How are things now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 MXPilot

MXPilot
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:49 PM

Posted 26 December 2006 - 03:48 PM

Hello again,

Thanks, things seem to be OK. It just has real slow startup and shutdown time. Once it's up and running, all seems fine.

Thanks again!

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:49 AM

Posted 26 December 2006 - 05:09 PM

Hi,

Good to hear everything is ok again.
The startup and shutdown delay is caused by Zonealarm - a lot of people are having this when Zonealarm installed.
If you think it's really annoying, you can try another free alternative such as Outpost or Kerio. You'll find the download location in my signature under Firewalls.

And Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:49 AM

Posted 28 December 2006 - 07:04 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users