Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I Need Some Serious Help, I Have A Hijackthis Log But Other Than That I Don't Know What To Do


  • Please log in to reply
3 replies to this topic

#1 BryanBradshaw

BryanBradshaw

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 28 December 2006 - 12:19 PM

Ok, my computer runs really slow, it won't load up all the time, some of the sign in names on it won't work all the time, or even half the time. Some of the programs i have won't run period. So I'd appriciate it if someone could tell me what to do cause this sucks. Thanks a bunch!


Logfile of HijackThis v1.99.1
Scan saved at 9:17:40 AM, on 12/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchosts.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearflix.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\csjkm.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,moqowld.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{382C1~1\Bar888.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\bearflix.exe" /pause
O4 - HKLM\..\Run: [winclean] c:\windows\system32\winclean.exe
O4 - HKLM\..\Run: [tysvkbqA] C:\WINDOWS\tysvkbqA.exe
O4 - HKLM\..\Run: [win3208913710640] C:\WINDOWS\win3208913710640.exe
O4 - HKLM\..\Run: [obtwzjg] c:\windows\system32\obtwzjg.exe obtwzjg
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\Run: [dmqzc.exe] C:\WINDOWS\System32\dmqzc.exe
O4 - HKLM\..\Run: [kbwxme] C:\WINDOWS\System32\ljsgmg.exe reg_run
O4 - HKLM\..\Run: [{082C13E9-03E5-1033-1009-010109200001}] "C:\Program Files\Common Files\{082C13E9-03E5-1033-1009-010109200001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\Navapw32.exe
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [hxeyn] C:\WINDOWS\System32\ljsgmg.exe reg_run
O4 - HKCU\..\Run: [obtwzjg] c:\windows\system32\obtwzjg.exe obtwzjg
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - Global Startup: dqehs.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: Win32 Classes -
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D5D0752-C5B3-47F6-9CA7-95332940B89C}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D5D0752-C5B3-47F6-9CA7-95332940B89C}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O17 - HKLM\System\CS2\Services\Tcpip\..\{5D5D0752-C5B3-47F6-9CA7-95332940B89C}: NameServer = 85.255.115.46,85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: pGQQRiq - {082C13EA-A286-B940-716C-29F44DAC0CC7} - C:\WINDOWS\System32\qncif.dll (file missing)
O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - C:\WINDOWS\System32\cthkpcv.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\BRYANR~1\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

BC AdBot (Login to Remove)

 


#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:10:11 PM

Posted 28 December 2006 - 01:32 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout

http://downloads.subratam.org/Fixwareout.exe
or
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack
Fix these with HJT mark them, close IE, click fix checked

O17 - HKLM\System\CCS\Services\Tcpip\..\{5D5D0752-C5B3-47F6-9CA7-95332940B89C}: NameServer = 85.255.115.46,85.255.112.154

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154

O17 - HKLM\System\CS1\Services\Tcpip\..\{5D5D0752-C5B3-47F6-9CA7-95332940B89C}: NameServer = 85.255.115.46,85.255.112.154

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154

O17 - HKLM\System\CS2\Services\Tcpip\..\{5D5D0752-C5B3-47F6-9CA7-95332940B89C}: NameServer = 85.255.115.46,85.255.112.154

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.154



If you have connection problems after this

* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step .
Double-click the Network Connections icon
Right-click the Local Area Connection icon and select Properties.
Hilight Internet Protocol (TCP/IP) and click the Properties button.
Be sure Obtain DNS server address automatically is selected.
OK your way out.

* Go to Start > Run and type in cmd
Click OK.
This will open a commad prompt.
Type or copy and paste the following line in the command window:

ipconfig /flushdns
Hit Enter
Exit the command window

Do that before you restart.

=============
At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.

==================================
If you get an Autoexec nt error do the following

XP Fix - http://www.visualtour.com/downloads/

Scroll down to get XP Fix

And run FixWareout again.



=========================
1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while its running. That may cause it to stall

==================================
Download Superantispyware

http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.
Please paste that information here for me with a new HijackThis log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 BryanBradshaw

BryanBradshaw
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 28 December 2006 - 04:13 PM

ok, skight problem with all that...when i booted my comp up to come check this it said that some windows files had been replaced with unknown versions or something, and after i close the window nothing happens. I can see my desktop background, but i have no icons or start menu. I can[t even rightclick on the desktop for properties. The only reason i can even do anything now is because i used task manager to run program firefox......so when i rebooted after running the first program i didn't get any prompts...sorry lol. And i also don't
have a windows cd......is there any way to fix this?

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:10:11 PM

Posted 28 December 2006 - 04:22 PM

I have no idea what you just said -

Did you run any of the tools

run all of the tools and then post a new hijack log and any of the other logs I requested


Do this also


You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users