Hijack This Log... Can Not Get Online


2 replies to this topic

#1 rc11982

  • Members
  • 12 posts

Posted 26 May 2007 - 06:02 PM

Hello

My CPU got infected by a lot of spyware and adware. I ran my normal anti-spyware and virus scans... they got rid of them, then a few hours later I got online and all kinds of programs started to run by themselves... and it is infected again. After this I have not been able to get online. I ran AVG Anti-Virus, got rid of the files, and now I get a WinFlyer error and still can not get online. Please help. Below is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 3:51:54 PM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SCURIT~1\javaw.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {1A1D1FAD-CD3B-4639-A1BE-9F999B2A3525} - C:\WINDOWS\system32\pmnkh.dll (file missing)
O2 - BHO: (no name) - {34EAA210-4383-3D0B-A34A-1BE34891F2C8} - C:\WINDOWS\system32\kmfvt.dll (file missing)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: 0 - {A6BFFBF9-5874-464E-38AD-EE2A69B33E28} - C:\Program Files\ComPlus Applications\wogu351.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: (no name) - {b9bec770-1f56-4b88-bd2d-57de78969722} - C:\WINDOWS\system32\IPXcui.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: (no name) - {F22DD09B-4C45-4FB2-B355-1FC830833D11} - C:\WINDOWS\system32\urspn.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run
O4 - HKLM\..\Run: [qwertybot.exe] C:\WINDOWS\system32\qwertybot.exe
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\system32\vexg6ame4.exe
O4 - HKCU\..\Run: [Pcsb] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Ocuo] "C:\PROGRA~1\COMMON~1\SCURIT~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\winhealer.dll' missing
O15 - Trusted Zone: *.snipenet.net
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.snipenet.net (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pesd.ad
O17 - HKLM\Software\..\Telephony: DomainName = pesd.ad
O17 - HKLM\System\CCS\Services\Tcpip\..\{13908098-3EDA-411F-802F-415B37E828EB}: NameServer = 203.146.0.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{B385A62F-D436-435B-8473-8EC04A06F93A}: NameServer = 203.146.0.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{E654E750-2A9C-481C-AEF4-8FAFAA134E45}: NameServer = 203.146.0.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pesd.ad
O17 - HKLM\System\CS1\Services\Tcpip\..\{13908098-3EDA-411F-802F-415B37E828EB}: NameServer = 203.146.0.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pesd.ad
O17 - HKLM\System\CS2\Services\Tcpip\..\{13908098-3EDA-411F-802F-415B37E828EB}: NameServer = 203.146.0.20
O20 - AppInit_DLLs:
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IPXcui - C:\WINDOWS\SYSTEM32\IPXcui.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: pmnkh - C:\WINDOWS\system32\pmnkh.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwem32 - winwem32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: zWmUVVm - {244D4C97-8EE7-E63D-517C-01DE5BBCA91D} - C:\WINDOWS\system32\uvv.dll (file missing)
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


#2 ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 27 May 2007 - 08:46 AM

Hello and welcome to the forum :thumbsup:

I would like to take a look at this log for you and will get back to you as soon as I can.

Thank You.

#3 ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 03 June 2007 - 12:38 PM

Hello rc11982

I think I can see the problem why you can't get online. I would like you to run a few 'Tools' for me first.

Copy and paste this 'Fix' into either Notepad or WordPad for future reference, as you will be required to close down your browser when following these steps.

Step 1

Please download LSPfix from a clean system that has access to the Internet.

Unzip it to the desktop of the infected machine and run it. Check "I know what I'm doing", and then select each instance of winhealer.dll in the left-hand panel and click >> to move it to the right-hand panel.

Then click Finish to allow LSPfix to rebuild the LSP chain.


Step 2

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please now reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt


Step 3

Now Update AVG Anti-Spyware 7.5
click the "Update" icon from the main menu.
Then click the "Start Update" button.
When you receive the "Update successful" prompt, close AVG AS.
Note: If you have any problems with the updater, you can Update AVG Anti-Spyware 7.5 Manually.
Do not Scan with this yet!

Please reboot your system into Safe Mode: shut down your system, then restart your computer. As soon as it starts booting up again, continuously tap F8; from the menu, select the option to enter Safe Mode.

Reopen AVG Anti-Spyware 7.5 and click the "Scanner" icon from the main menu.
Click "Complete System Scan" to start scanning.
When the scan completes, click "Recommended action" beneath the results window and select "Quarantine".
Then click the "Apply all actions" button to quarantine everything detected.
Then click Save report > Save report as and save the AVG Report-Scan.txt to your desktop.
Then Reboot back into Normal Mode


Step 4

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in your next reply
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."
when VundoFix appears at reboot.


Step 5

Download DelDomains.zip and unzip it to your desktop.
Ensure ALL Internet Explorer windows are closed.
Right click the DelDomains.inf file inside and click "Install"
You won't see anything happen, it performs a silent process.

Note - if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford.
For SpywareBlaster, run the program and 're-enable all protection'.
For IE/Spyads, run the batch file and reinstall the protection.
Spybot's Immunize feature must be used again.


In your next reply please post:

A new HijackThis log
The SDFix Report.txt
The C:\vundofix.txt
The AVG Anti-Spyware 7.5 Report-Scan.txt

Thank you.
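The helper's diagnosis rests on reading the log by eye: the O10 line (a Winsock LSP entry whose DLL the antivirus deleted, which is why no program can open a socket), the O15 Trusted Zone domains that DelDomains removes, the "(file missing)" BHO and Winlogon Notify leftovers, and the odd-looking O4 autostarts. As an added example, not part of this thread and not code from the HijackThis project, the following Python script applies those same checks to a log mechanically. The sample lines are copied from the log posted above; the severities and the "machine-generated name" heuristic are my own assumptions, not anything HijackThis or the helper defines.

```python
"""Triage a HijackThis v1.99 log for the entries behind "can't get online"
and for leftover malware autostarts.  Added example, not code from the
thread or from the HijackThis project; the rules and severities below are
my own heuristics and the sample lines are copied from the posted log."""
import re
from collections import Counter

# Constructed input: a subset of the lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1A1D1FAD-CD3B-4639-A1BE-9F999B2A3525} - C:\WINDOWS\system32\pmnkh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\system32\vexg6ame4.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\winhealer.dll' missing
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{13908098-3EDA-411F-802F-415B37E828EB}: NameServer = 203.146.0.20
O20 - Winlogon Notify: winwem32 - winwem32.dll (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
"""

LINE_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
# O4 body layout: HIVE\..\KEY: [value name] command line
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+):\s*\[([^\]]*)\]\s*(.*)$")
ABS_PATH_RE = re.compile(r'^"?(?:%\w+%|[A-Za-z]:)\\')
# Heuristic (assumption): dropper names often interleave digits with letters.
RANDOMISH_RE = re.compile(r"[a-z]\d+[a-z]", re.I)

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "review": 3, "info": 4}


def parse(log_text):
    """Yield (section, body) for every R/O/F/N line; skip everything else."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def _check_o4(body):
    """Return (severity, reason) for an autostart entry, or None if it looks ordinary."""
    m = RUN_RE.match(body)
    if not m:
        return None
    _hive, key, _name, cmd = m.groups()
    if key.lower() == "runservices":
        return "high", "RunServices is a Win9x-era key; legitimate XP software does not use it"
    plain = cmd.replace('"', "").strip()
    if plain.lower().startswith("rundll32.exe "):
        dll = plain.split(None, 1)[1].split(",")[0]
        return "review", f"rundll32 loads {dll}; confirm the DLL is a known component"
    if not ABS_PATH_RE.match(cmd):
        return "high", "command is not an absolute path to an executable"
    base = plain.split("\\")[-1].split(".")[0]
    if RANDOMISH_RE.search(base):
        return "medium", f"executable name {base!r} looks machine-generated"
    return None


def triage(log_text):
    """Return findings sorted by severity: dicts with section, severity, reason, entry."""
    findings = []

    def add(sev, section, reason, entry):
        findings.append({"severity": sev, "section": section, "reason": reason, "entry": entry})

    for section, body in parse(log_text):
        if section == "O10" and "Broken Internet access" in body:
            add("critical", section,
                "Winsock LSP catalog references a missing DLL; sockets fail until the chain is rebuilt", body)
        elif section in ("O2", "O20", "O21") and body.endswith("(file missing)"):
            add("medium", section, "orphaned load point: registry still references a deleted component", body)
        elif section == "O15":
            add("high", section, "Trusted Zone entry relaxes IE security for this domain", body)
        elif section == "O17" and "NameServer" in body:
            add("info", section, "per-adapter DNS server; verify it belongs to your ISP or domain", body)
        elif section == "O4":
            hit = _check_o4(body)
            if hit:
                add(hit[0], section, hit[1], body)
        elif section == "O23" and "Unknown owner" in body:
            add("medium", section, "service has no vendor string; verify the binary", body)
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


def summarize(findings):
    """Count findings per severity."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['section']:4} {f['reason']}\n           {f['entry']}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

Run it against a full saved log with `triage(open("hijackthis.log").read())`. The O10 finding is the one that explains the symptom in this thread; the rest are cleanup items, and an entry that is not flagged (the Java ssv.dll BHO, for instance) is not thereby proven clean, only unremarkable to these rules.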



