DaniWeb IT Discussion Community
1 2
Show 40 post(s) from this thread on one page

DaniWeb IT Discussion Community (http://www.daniweb.com/forums/index.php)
-   Viruses, Spyware and other Nasties (http://www.daniweb.com/forums/forum64.html)
-   -   HJT log (http://www.daniweb.com/forums/thread117312.html)

ownedswax Apr 3rd, 2008 11:30 pm
HJT log
 
My friend has been expierencing some small problems on his computer, you guys have been extermely helpful in the past and if someone could help me claen up this HJT log that would be great! Thank you in advance!

C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\brvrav32.exe
O4 - HKLM\..\Run: [7090a8c9] rundll32.exe "C:\WINDOWS\system32\scurhsrb.dll",b
O4 - HKLM\..\Run: [BM73a39b55] Rundll32.exe "C:\WINDOWS\system32\mgybmtfn.dll",s
O4 - HKLM\..\RunServices: [SystemTools32] C:\WINDOWS\system32\inet.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\brvrav32.exe
O4 - HKCU\..\Run: [WintelUpdate] C:\WINDOWS\system32\brvrav32.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: fqllbfjmzuak (arpsdwzt5) - Unknown owner - C:\WINDOWS\system32\buwwnuul5.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7269 bytes

crunchie Apr 4th, 2008 7:08 am
Re: HJT log
 
You have posted enough logs to know that that one is incomplete. Please post the complete log.
Also, you have a history here of not seeing your threads out to the end. http://www.daniweb.com/forums/search2764611.html If you want help, then you must follow through and not waste all our helpers time.

============

Download
SDFix
and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the
following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the
    Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract
    All    ,
  • Open the extracted folder and double click RunThis.bat to
    start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the
    registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool
    will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and
    display Finished, then press any key to end the script and load
    your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the
    contents of the results file Report.txt back onto the forum with
    a new HijackThis log

==

Post your SDFix within code tags please.

ownedswax Apr 8th, 2008 9:15 pm
Re: HJT log
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:12 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:..WINDOWS..System32..smss.exe
C:..WINDOWS..system32..winlogon.exe
C:..WINDOWS..system32..services.exe
C:..WINDOWS..system32..lsass.exe
C:..WINDOWS..system32..svchost.exe
C:..WINDOWS..System32..svchost.exe
C:..WINDOWS..system32..svchost.exe
C:..Program Files..Common Files..iS3..Anti-Spyware..SZServer.exe
C:..WINDOWS..Explorer.EXE
C:..WINDOWS..system32..spoolsv.exe
C:..Program Files..Common Files..Apple..Mobile Device Support..bin..AppleMobileDeviceService.exe
C:..Program Files..Bonjour..mDNSResponder.exe
C:..Program Files..Common Files..New Boundary..PrismXL..PRISMXL.SYS
C:..WINDOWS..system32..svchost.exe
C:..Program Files..Viewpoint..Common..ViewpointService.exe
C:..Program Files..Linksys Wireless-G USB Wireless Network Monitor..WLService.exe
C:..Program Files..Linksys Wireless-G USB Wireless Network Monitor..WUSB54Gv2.exe
C:..Program Files..Viewpoint..Viewpoint Manager..ViewMgr.exe
C:..Program Files..STOPzilla!..STOPzilla.exe
C:..Program Files..Digital Media Reader..shwiconem.exe
C:..WINDOWS..system32..spool..drivers..w32x86..3..hpztsb09.e
xe
C:..Program Files..Common Files..Real..Update_OB..realsched.exe
C:..Program Files..Java..jre1.5.0_03..bin..jusched.exe
C:..Program Files..BroadJump..Client Foundation..CFD.exe
C:..Program Files..Linksys Wireless-G USB Wireless Network Monitor..InfoMyCa.exe
C:..Program Files..Java..jre1.5.0_03..bin..jucheck.exe
C:..Program Files..Uniblue..RegistryBooster 2..RegistryBooster.exe
C:..Program Files..Mozilla Firefox..firefox.exe
C:..Documents and Settings..Owner..Desktop..HijackThis.exe

R0 - HKCU..Software..Microsoft..Internet Explorer..Main,Start Page = http://www. myspace. com/
R1 - HKLM..Software..Microsoft..Internet Explorer..Main,Default_Page_URL = http://go. microsoft. com/fwlink/?LinkId=69157
R1 - HKLM..Software..Microsoft..Internet Explorer..Main,Default_Search_URL = http://go. microsoft. com/fwlink/?LinkId=54896
R1 - HKLM..Software..Microsoft..Internet Explorer..Main,Search Bar = http://red. clientapps. yahoo. com/customize/ie/defaults/sb/sbcydsl. r{}*http://yahoo. sbc. com/dsl
R0 - HKCU..Software..Microsoft..Internet Explorer..Main,Local Page = C:..WINDOWS..about.htm
R1 - HKCU..Software..Microsoft..Windows..CurrentVersion..Internet
Settings,ProxyOverride = 127. 0. 0. 1;*.local
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:..Program Files..STOPzilla!..SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:..Program Files..STOPzilla!..SZSG.dll
O4 - HKLM......Run: [SunKistEM] C:..Program Files..Digital Media Reader..shwiconem.exe
O4 - HKLM......Run: [HPDJ Taskbar Utility] C:..WINDOWS..system32..spool..drivers..w32x86..3..hpztsb09.e
xe
O4 - HKLM......Run: [TkBellExe] "C:..Program Files..Common Files..Real..Update_OB..realsched.exe" -osboot
O4 - HKLM......Run: [SunJavaUpdateSched] C:..Program Files..Java..jre1.5.0_03..bin..jusched.exe
O4 - HKLM......Run: [BJCFD] C:..Program Files..BroadJump..Client Foundation..CFD.exe
O4 - HKLM......Run: [WUSB54Gv2] C:..Program Files..Linksys Wireless-G USB Wireless Network Monitor..InvokeSvc3.exe
O4 - HKLM......Run: [QuickTime Task] "C:..Program Files..QuickTime..qttask.exe" -atboottime
O4 - HKLM......Run: [BM73a39b55] Rundll32.exe "C:..WINDOWS..system32..euotbymp.dll",s
O4 - HKCU......Run: [Uniblue RegistryBooster 2] C:..Program Files..Uniblue..RegistryBooster 2..RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:..PROGRA~1..MICROS~4..OFFICE11..EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:..WINDOWS..system32..msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:..WINDOWS..system32..msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:..PROGRA~1..MICROS~4..OFFICE11..REFIEBAR.DLL
O9 - Extra button: Real. com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:..WINDOWS..system32..Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:..Program Files..Messenger..msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:..Program Files..Messenger..msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go. microsoft. com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads. myspace. com/upload/MySpaceUploader1006. cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www. sibelius. com/download/software/win/ActiveXPlugin. cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn. digitalcity. com/radio/ampx/ampx2. 6. 1. 11_en_dl. cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl. stream. aol. com/downloads/aol/unagi/ampx_en_dl. cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:..Program Files..Common Files..Apple..Mobile Device Support..bin..AppleMobileDeviceService.exe
O23 - Service: fqllbfjmzuak (arpsdwzt5) - Unknown owner - C:..WINDOWS..system32..buwwnuul5.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762&#0
35;# (Bonjour Service) - Apple Computer, Inc. - C:..Program Files..Bonjour..mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:..Program Files..Common Files..Macrovision Shared..FLEXnet Publisher..FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:..Program Files..Common Files..InstallShield..Driver..11..Intel 32..IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:..Program Files..iPod..bin..iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:..Program Files..Intel..NCS..Sync..NetSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:..Program Files..Common Files..New Boundary..PrismXL..PRISMXL.SYS
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:..Program Files..Common Files..iS3..Anti-Spyware..SZServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:..Program Files..Viewpoint..Common..ViewpointService.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:..Program Files..Linksys Wireless-G USB Wireless Network Monitor..WLService.exe

--
End of file - 6657 bytes





SDFix: Version 1.167 

Run by Owner on Tue 04/08/2008 at 06:56 PM



Microsoft Windows XP [Version 5.1.2600]

Running From: C:..DOCUME~1..Owner..MYDOCU~1..Unzipped..SDFix..SDFix



Checking Services :



Name:

mqzprwe



Path:

..??..C:..WINDOWS..mqzprwe.log 



mqzprwe - Deleted







Restoring Windows Registry Values

Restoring Windows Default Hosts File

Restoring Missing SharedAccess Service 



Rebooting





Checking Files : 



Trojan Files Found:



C:..WINDOWS..SYSTEM32..CP.EXE - Deleted

C:..188852~1 - Deleted

C:..ILRIUPF.EXE - Deleted

C:..d.exe - Deleted

C:..WINDOWS..browser.exe - Deleted

C:..WINDOWS..system32..brvrav32.exe - Deleted

C:..WINDOWS..system32..web.dat - Deleted

C:..WINDOWS..mqzprwe.log - Deleted











Removing Temp Files



ADS Check :







Final Check :



catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www. gmer. net

Rootkit scan 2008-04-08 19:43:51

Windows 5.1.2600 Service Pack 2 NTFS



scanning hidden processes ...



scanning hidden services & system hive ...



[HKEY_LOCAL_MACHINE..SYSTEM..controlset001..control..Class..

{4D36E965-E325-11CE-BFC1-08002BE10318}..Properties]

"DeviceType"=dword:00000002

"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE..SYSTEM..controlset001..control..Class..

{4D36E967-E325-11CE-BFC1-08002BE10318}..Properties]

"DeviceType"=dword:00000007

"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE..SYSTEM..controlset001..control..Class..

{4D36E968-E325-11CE-BFC1-08002BE10318}..Properties]

"DeviceType"=dword:00000023

"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE..SYSTEM..controlset001..control..Class..

{4D36E969-E325-11CE-BFC1-08002BE10318}..Properties]

"DeviceType"=dword:00000004

"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE..SYSTEM..controlset001..control..Class..

{4D36E96A-E325-11CE-BFC1-08002BE10318}..Properties]

"DeviceType"=dword:00000004

"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE..SYSTEM..controlset001..control..Class..

{4D36E97B-E325-11CE-BFC1-08002BE10318}..Properties]

"DeviceType"=dword:00000004

"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE..SYSTEM..controlset001..control..Class..

{4D36E980-E325-11CE-BFC1-08002BE10318}..Properties]

"DeviceType"=dword:00000007

"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE..SYSTEM..controlset001..Services..MRxDAV

..EncryptedDirectories]

@=""

[HKEY_LOCAL_MACHINE..SYSTEM..ControlSet004..services..MRxDAV

..EncryptedDirectories]

@=""

[HKEY_LOCAL_MACHINE..SYSTEM..CurrentControlSet..services..MR

xDAV..EncryptedDirectories]

@=""



scanning hidden registry entries ...



scanning hidden files ...



scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0





Remaining Services :







Authorized Application Key Export:



[HKEY_LOCAL_MACHINE..system..currentcontrolset..services..sh

aredaccess..parameters..firewallpolicy..standardprofile..authorizedapp

lications..list]

"%windir%....system32....sessmgr.exe"="%windir%....system32.

...sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:....Program Files....Bonjour....mDNSResponder.exe"="C:....Program Files....Bonjour....mDNSResponder.exe:*:Enabled:Bonjour"

"C:....Program Files....Steam....SteamApps....ssvenomx26....counter-strike.

...hl.exe"="C:....Program Files....Steam....SteamApps....ssvenomx26....counter-strike.

...hl.exe:*:Enabled:Half-Life Launcher"

"C:....Program Files....HLSW....hlsw.exe"="C:....Program Files....HLSW....hlsw.exe:*:Enabled:hlsw"

"C:....Program Files....mIRC....mirc.exe"="C:....Program Files....mIRC....mirc.exe:*:Enabled:mIRC"

"C:....Program Files....LimeWire....LimeWire.exe"="C:....Program Files....LimeWire....LimeWire.exe:*:Enabled:LimeWire"

"C:....Program Files....AIM6....aim6.exe"="C:....Program Files....AIM6....aim6.exe:*:Enabled:AIM"

"C:....Program Files....Steam....SteamApps....nikenoah....counter-strike...

.hl.exe"="C:....Program Files....Steam....SteamApps....nikenoah....counter-strike...

.hl.exe:*:Enabled:Half-Life Launcher"

"C:....Program Files....Steam....SteamApps....ssvenomx26....day of defeat....hl.exe"="C:....Program Files....Steam....SteamApps....ssvenomx26....day of defeat....hl.exe:*:Enabled:Half-Life Launcher"

"C:....Program Files....Pando Networks....Pando....pando.exe"="C:....Program Files....Pando Networks....Pando....pando.exe:*:Enabled:Pando Application"

"C:....Program Files....Warcraft III Demo....War3Demo.exe"="C:....Program Files....Warcraft III Demo....War3Demo.exe:*:Enabled:Warcraft III Demo"

"C:....Program Files....Warcraft III....Warcraft III.exe"="C:....Program Files....Warcraft III....Warcraft III.exe:*:Enabled:Warcraft III"

"C:....Program Files....uTorrent....uTorrent.exe"="C:....Program Files....uTorrent....uTorrent.exe:*:Enabled:µTorrent"



[HKEY_LOCAL_MACHINE..system..currentcontrolset..services..sh

aredaccess..parameters..firewallpolicy..domainprofile..authorizedappli

cations..list]

"C:....Program Files....MSN Messenger....msnmsgr.exe"="C:....Program Files....MSN Messenger....msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:....Program Files....MSN Messenger....livecall.exe"="C:....Program Files....MSN Messenger....livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"%windir%....system32....sessmgr.exe"="%windir%....system32.

...sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"



Remaining Files :





File Backups: - C:..DOCUME~1..Owner..MYDOCU~1..Unzipped..SDFix..SDFix..backu

ps..backups.zip



Files with Hidden Attributes :



Thu 28 Apr 2005 442,942 ..SH. --- "C:..WINDOWS..system..tenipxe.tmp"

Wed 27 Apr 2005 60,619 ..SH. --- "C:..WINDOWS..system..tenipxe.bak1"

Fri 29 Apr 2005 442,795 ..SH. --- "C:..WINDOWS..system..tenipxe.bak2"

Sat 4 Jun 2005 56 A.SHR --- "C:..WINDOWS..system32..1C86978378.sys"

Wed 4 Jul 2007 1,851,383 ..SH. --- "C:..WINDOWS..system32..nnnmp.bak1"

Fri 11 Nov 2005 352,372 A. SH. --- "C:..WINDOWS..system32..oqtwa.tmp"

Wed 30 Nov 2005 422,746 A. SH. --- "C:..WINDOWS..system32..oqtwa.bak1"

Tue 29 Nov 2005 411,930 A. SH. --- "C:..WINDOWS..system32..oqtwa.bak2"

Thu 27 Oct 2005 159,927 A. SH. --- "C:..WINDOWS..system32..vycdd.tmp"

Sun 23 Oct 2005 141,320 A. SH. --- "C:..WINDOWS..system32..vycdd.bak1"

Fri 28 Oct 2005 162,642 A. SH. --- "C:..WINDOWS..system32..vycdd.bak2"

Wed 31 Aug 2005 179,187 A. SH. --- "C:..WINDOWS..Web..ksidnib.tmp"

Sun 9 Oct 2005 339,283 A. SH. --- "C:..WINDOWS..Web..ksidnib.bak1"

Wed 12 Oct 2005 354,419 A. SH. --- "C:..WINDOWS..Web..ksidnib.bak2"

Sun 22 May 2005 4,348 A. SH. --- "C:..Documents and Settings..All Users..DRM..DRMv1.bak"

Sun 13 Jan 2008 0 A. SH. --- "C:..Documents and Settings..All Users..DRM..Cache..Indiv02.tmp"

Wed 4 Oct 2006 3,072,000 A..H. --- "C:..Documents and Settings..Owner..Application Data..U3..temp..Launchpad Removal.exe"



Finished!

crunchie Apr 9th, 2008 6:32 am
Re: HJT log
 
Tell me something. Why is it that your hijackthis logs always look different to every one else's?
Take a look at your first post, then your second and spot the difference. Who is doing all that pointless editing of the log? All it means is that now you will have to wait until you have posted a log in the correct format.

ownedswax Apr 9th, 2008 2:26 pm
Re: HJT log
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:56 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BM73a39b55] Rundll32.exe "C:\WINDOWS\system32\euotbymp.dll",s
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: fqllbfjmzuak (arpsdwzt5) - Unknown owner - C:\WINDOWS\system32\buwwnuul5.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 6778 bytes

crunchie Apr 9th, 2008 5:54 pm
Re: HJT log
 
Much better.

Can you please do the following.


===============

Go to Add/Remove programs and uninstall the following, if present:

Viewpoint Manager

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Scan with HijackThis and then place a check next to all the following, if present:


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

O4 - HKLM\..\Run: [BM73a39b55] Rundll32.exe "C:\WINDOWS\system32\euotbymp.dll",s

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O23 - Service: fqllbfjmzuak (arpsdwzt5) - Unknown owner - C:\WINDOWS\system32\buwwnuul5.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\Program Files\Viewpoint

files...

C:\WINDOWS\system32\euotbymp.dll

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.
Select the first option to run Windows in Safe Mode hit enter.

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

ownedswax Apr 9th, 2008 9:42 pm
Re: HJT log
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:10 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: fqllbfjmzuak (arpsdwzt5) - Unknown owner - C:\WINDOWS\system32\buwwnuul5.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 5980 bytes

ownedswax Apr 9th, 2008 11:47 pm
Re: HJT log
 
sorry for the double post, the computer is running much faster. He said surfing the internet is very much faster and online games are running at higher FPS.

crunchie Apr 13th, 2008 12:26 am
Re: HJT log
 
Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.bat to your desktop.
Then double click on the fix.bat file on your desktop
You'll see a black screen flash,thats normal.

Quote:
@echo off
sc stop fqllbfjmzuak
sc delete fqllbfjmzuak
Restart your PC. Post another log please.

crunchie Apr 15th, 2008 7:11 am
Re: HJT log
 
Are you still there?


All times are GMT -4. The time now is 10:49 pm.
1 2
Show 40 post(s) from this thread on one page

Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC