hjt log pls help cleanup
I am experiencing numerous popups on my system and I wonder whether there are nasties. Please help me check the HJT log below for a fix.
Thanks,
fox
Logfile of HijackThis v1.99.1
Scan saved at 4:43:20 PM, on 12/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\rundll32.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\igfxtray.exe
C:\WINXP\System32\hkcmd.exe
C:\WINXP\System32\RunDll32.exe
C:\WINXP\System32\paytime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\adtech2006a.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINXP\inet20009\services.exe
C:\WINXP\System32\paytime.exe
C:\PROGRA~1\COMMON~1\uouz\uouzm.exe
C:\PROGRA~1\COMMON~1\uouz\uouza.exe
C:\WINXP\system32\ZoneLabs\vsmon.exe
C:\WINXP\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINXP\System32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
F3 - REG:win.ini: run=C:\WINXP\inet20009\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINXP\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINXP\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINXP\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Microsoft tool] C:\WINXP\System32\mstool.exe
O4 - HKLM\..\Run: [PayTime] C:\WINXP\System32\paytime.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [xp_system] C:\WINXP\inet20009\services.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINXP\System32\paytime.exe
O4 - HKCU\..\Run: [uouz] C:\PROGRA~1\COMMON~1\uouz\uouzm.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [xp_system] C:\WINXP\inet20009\services.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O20 - Winlogon Notify: igfxcui - C:\WINXP\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Reliability - C:\WINXP\system32\h02olaf31d2.dll
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - C:\WINXP\System32\glmjfhcg.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINXP\system32\ZoneLabs\vsmon.exe
You have quite a few malicious entries in your log, and I also see no indication of any installed anti-virus or anti-spyware programs.
If you really don't have an A-V program, download and install the free edition of AVG anti-virus now.
Next, please do the following:
You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.
1. Download and install these utilities (but do not run scans with them yet):
ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/
- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.
- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.
- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.
- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.
- Open AVG and use its Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.
3. Download and install the CCleaner utility, but don't run it yet.
4. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button. Close HJT once it has finished performing its fixes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
F3 - REG:win.ini: run=C:\WINXP\inet20009\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [Microsoft tool] C:\WINXP\System32\mstool.exe
O4 - HKLM\..\Run: [PayTime] C:\WINXP\System32\paytime.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe
O4 - HKLM\..\Run: [xp_system] C:\WINXP\inet20009\services.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINXP\System32\paytime.exe
O4 - HKCU\..\Run: [uouz] C:\PROGRA~1\COMMON~1\uouz\uouzm.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [xp_system] C:\WINXP\inet20009\services.exe
O20 - Winlogon Notify: Reliability - C:\WINXP\system32\h02olaf31d2.dll
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - C:\WINXP\System32\glmjfhcg.dll
5. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).
6. Run CCleaner. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.
7. Run AVG, SpyBot, ewido, AdAware, and MS Antispyware beta consecutively; have the programs fix all malicious items they find.
When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.
8. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Locate and delete the following files (some of these should already have been deleted by the removal utilities):
c:\secure32.html
C:\WINXP\System32\mstool.exe
C:\WINXP\System32\paytime.exe
C:\windows\adtech2006a.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\WINXP\system32\h02olaf31d2.dll
C:\WINXP\System32\glmjfhcg.dll
- Delete the following folders entirely:
C:\WINXP\inet20009
C:\Program Files\Common Files\uouz
C:\Program Files\Common Files\VCClient
9. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the log that ewido generated.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Originally Posted by DMR
You have quite a few malicious entries in your log, and I also see no indication of any installed anti-virus or anti-spyware programs.
If you really don't have an A-V program, download and install the free edition of AVG anti-virus now.
Next, please do the following:
You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.
1. Download and install these utilities (but do not run scans with them yet):
ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/
- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.
- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.
- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.
- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.
- Open AVG and use its Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.
3. Download and install the CCleaner utility, but don't run it yet.
4. Run HijackTHis again, put a check mark next to the following entries, and then click the "Fix checked" button. Close HJT once it has finished performing its fixes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
F3 - REG:win.ini: run=C:\WINXP\inet20009\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [Microsoft tool] C:\WINXP\System32\mstool.exe
O4 - HKLM\..\Run: [PayTime] C:\WINXP\System32\paytime.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe
O4 - HKLM\..\Run: [xp_system] C:\WINXP\inet20009\services.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINXP\System32\paytime.exe
O4 - HKCU\..\Run: [uouz] C:\PROGRA~1\COMMON~1\uouz\uouzm.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [xp_system] C:\WINXP\inet20009\services.exe
O20 - Winlogon Notify: Reliability - C:\WINXP\system32\h02olaf31d2.dll
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - C:\WINXP\System32\glmjfhcg.dll
5. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).
6. Run CCleaner. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.
7. Run AVG, SpyBot, ewido, AdAware, and MS Antispyware beta consecutively; have the programs fix all malicious items they find.
When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.
8. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".
- Locate and delete the following files (some of these should already have been deleted by the removal utilities):
c:\secure32.html
C:\WINXP\System32\mstool.exe
C:\WINXP\System32\paytime.exe
C:\windows\adtech2006a.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\WINXP\system32\h02olaf31d2.dll
C:\WINXP\System32\glmjfhcg.dll
- Delete the following folders entirely:
C:\WINXP\inet20009
C:\Program Files\Common Files\uouz
C:\Program Files\Common Files\VCClient
9. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the log that ewido generated.
Thanks DMR.
Here are the logs for your review. HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:01:15 AM, on 12/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mercora\MercoraClient.exe
C:\WINXP\System32\RUNDLL32.EXE
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\DOCUMENTS AND SETTINGS\USER\MY DOCUMENTS\My Downloads\utorrent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINXP\System32\rundll32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\System32\ups.exe
C:\WINXP\system32\ZoneLabs\vsmon.exe
C:\WINXP\System32\wuauclt.exe
C:\DOCUME~1\user\LOCALS~1\Temp\gert0.exe
C:\WINXP\System32\drwtsn32.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINXP\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Mercora] "C:\Program Files\Mercora\MercoraClient.exe" -startup
O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogons.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [Microsoft tool] C:\WINXP\System32\mstool.exe
O4 - HKCU\..\Run: [µTorrent] "C:\DOCUMENTS AND SETTINGS\USER\MY DOCUMENTS\My Downloads\utorrent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINXP\SYSTEM32\igfxdev.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINXP\system32\ZoneLabs\vsmon.exe
ewido report:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:48:12 AM, 12/16/2005
+ Report-Checksum: 61B99EC9
+ Scan result:
[1412] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogon.dll -> Not-A-Virus.Monitor.KGBSpy.34 : Cleaned with backup
[1580] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogon.dll -> Not-A-Virus.Monitor.KGBSpy.34 : Error during cleaning
[1588] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogon.dll -> Not-A-Virus.Monitor.KGBSpy.34 : Error during cleaning
[1596] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogon.dll -> Not-A-Virus.Monitor.KGBSpy.34 : Error during cleaning
[1640] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogon.dll -> Not-A-Virus.Monitor.KGBSpy.34 : Error during cleaning
[1648] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogon.dll -> Not-A-Virus.Monitor.KGBSpy.34 : Error during cleaning
[1656] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogon.dll -> Not-A-Virus.Monitor.KGBSpy.34 : Error during cleaning
[1672] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogon.dll -> Not-A-Virus.Monitor.KGBSpy.34 : Error during cleaning
[1684] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogon.dll -> Not-A-Virus.Monitor.KGBSpy.34 : Error during cleaning
[1772] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogon.dll -> Not-A-Virus.Monitor.KGBSpy.34 : Error during cleaning
[2632] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogon.dll -> Not-A-Virus.Monitor.KGBSpy.34 : Error during cleaning
C:\WINXP\country.exe -> Trojan.Small : Cleaned with backup
C:\WINXP\dvpd.dll -> Backdoor.Dumador.ej : Cleaned with backup
C:\WINXP\system32\geaecnnm.exe -> Proxy.Wopla.n : Cleaned with backup
C:\WINXP\tool1.exe -> Proxy.Xorpix.e : Cleaned with backup
C:\WINXP\tool2.exe -> Hijacker.Spywad.l : Cleaned with backup
C:\WINXP\tool3.exe -> Downloader.Small.bwr : Cleaned with backup
C:\WINXP\tool4.exe -> Trojan.Small : Cleaned with backup
C:\WINXP\tool5.exe -> Trojan.Small : Cleaned with backup
C:\WINXP\toolbar.exe -> Downloader.Adload.j : Cleaned with backup
::Report End
DMR, when I run ewido security, my system always crashes. Do you know how to overcome this?
foxkueh
I don't have an answer for the ewido crashing at the moment (can you give us any more details?), but I do have a question: why are there new program entries in your latest HijackThis log?
O4 - HKLM\..\Run: [Mercora] "C:\Program Files\Mercora\MercoraClient.exe" -startup
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKCU\..\Run: [µTorrent] "C:\DOCUMENTS AND SETTINGS\USER\MY DOCUMENTS\My Downloads\utorrent.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
Please don't install anything during our troubleshooting; it just confuses and complicates things.
I'm logging off for the night right now; I'll check back on this thread tomorrow...
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Originally Posted by DMR
I don't have an answer for the ewido crashing at the moment (can you give us any more details?), but I do have a question: why are there new program entries in your latest HijackThis log? :
O4 - HKLM\..\Run: [Mercora] "C:\Program Files\Mercora\MercoraClient.exe" -startup
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKCU\..\Run: [µTorrent] "C:\DOCUMENTS AND SETTINGS\USER\MY DOCUMENTS\My Downloads\utorrent.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
Please don't install anything during our troubleshooting; it just confuses and complicates things.
I'm logging off for the night right now; I'll check back on this thread tomorrow...
Sorry, my children didn't know I was trying to fix the problems and installed a new graphics card and some new software. If you are not particularly unhappy about it, shall we start the troubleshooting process again? This is my new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 4:33:06 PM, on 12/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\RunDll32.exe
C:\Program Files\Mercora\MercoraClient.exe
C:\WINXP\System32\RUNDLL32.EXE
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINXP\System32\rundll32.exe
C:\DOCUMENTS AND SETTINGS\USER\MY DOCUMENTS\My Downloads\utorrent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\System32\ups.exe
C:\WINXP\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINXP\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Mercora] "C:\Program Files\Mercora\MercoraClient.exe" -startup
O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogons.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [Microsoft tool] C:\WINXP\System32\mstool.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [µTorrent] "C:\DOCUMENTS AND SETTINGS\USER\MY DOCUMENTS\My Downloads\utorrent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINXP\SYSTEM32\igfxdev.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINXP\system32\ZoneLabs\vsmon.exe
I notice that some of the lines I fixed before appear again. Thanks for your patience.
foxkueh
Originally Posted by foxkueh
my children didn't know I was trying to fix the problems and instal a new graphic card and some new softwares.
Originally Posted by foxkueh
I notice that some of the lines I fixed before appear again.
- Can you give us more details about the ewido crash? Does it crash at a specific point in the scan (when scanning a particular file, for example)? Are there any error messages? Try uninstalling ewido and reinstalling it; it would really be helpful to have the program working properly.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Originally Posted by DMR
Ah, children- that explains it...
Yes, that means that we haven't fully removed all of the infection yet.
- Can you give us more details about the ewido crash? Does it crash at a specific point in the scan (when scanning a particular file, for example)? Are there any error messages? Try uninstalling ewido and reinstalling it; it would really be helpful to have the program working properly.
Can you tell me what I should do now to completely wipe the nasties?
foxkueh
Let's see if we can remove the leftovers:
1. Open your Add/Remove Programs control panel and uninstall the Cyberlink/Key Logger software if you see it listed there.
2. Run HJT again and have it fix:
O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogons.exe
O4 - HKLM\..\Run: [Microsoft tool] C:\WINXP\System32\mstool.exe
3. Reboot into Safe Mode again.
4. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Locate and delete the C:\WINXP\System32\mstool.exe file.
- Delete the following folder entirely:
C:\Program Files\CyberLink
5. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new (and hopefully final) log.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
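Since the thread's sticking point is that O4 entries fixed earlier came back in the next log (a sign that something still running re-creates its Run value), here is an added example, not code from the thread or from HijackThis, that parses the O4 registry lines of a HijackThis log and reports which of the entries HJT was told to fix are gone, which reappeared unchanged, and which came back under a different command. The sample lines are constructed from entries quoted in this thread plus a hypothetical [updater] value.

```python
import re
from dataclasses import dataclass

# HijackThis O4 registry autorun line, e.g.
#   O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\...\winlogons.exe
# (the "Global Startup" shortcut form of O4 has a different shape and is skipped)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

@dataclass(frozen=True)
class AutorunEntry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, ...
    name: str      # value name HJT shows in brackets
    command: str   # command line stored in the value

def parse_o4(log_text):
    """Map (hive, key, name) -> AutorunEntry for every O4 registry line in a log."""
    found = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entry = AutorunEntry(m["hive"], m["key"], m["name"], m["cmd"])
            found[(entry.hive, entry.key, entry.name)] = entry
    return found

def check_fix(fixed_lines, new_log):
    """Compare the O4 lines HJT was told to fix against the next log; a fixed entry
    that is back unchanged means something still running re-creates its Run value."""
    fixed = parse_o4("\n".join(fixed_lines))
    now = parse_o4(new_log)
    report = {"removed": [], "reappeared": [], "changed": []}
    for key, entry in fixed.items():
        if key not in now:
            report["removed"].append(entry.name)
        elif now[key].command == entry.command:
            report["reappeared"].append(entry.name)
        else:
            report["changed"].append(entry.name)
    return report

# Constructed sample: the two lines DMR asked to have fixed, plus a hypothetical
# [updater] value pointing at one of the files named in the ewido report.
FIXED_LINES = [
    r"O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogons.exe",
    r"O4 - HKLM\..\Run: [Microsoft tool] C:\WINXP\System32\mstool.exe",
    r"O4 - HKCU\..\Run: [updater] C:\WINXP\tool1.exe",
]
# Constructed "next log": the keylogger value is back unchanged, mstool.exe is
# gone, [updater] now points elsewhere, and non-O4 lines are ignored.
NEW_LOG = r"""
O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogons.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [updater] C:\WINXP\tool5.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINXP\system32\ZoneLabs\vsmon.exe
"""
```

Running `check_fix(FIXED_LINES, NEW_LOG)` reports mstool.exe as removed, the keylogger value as reappeared and the hypothetical updater value as changed; a reappeared entry is the cue to look for the running component that writes it back rather than fixing the same line again.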
Originally Posted by DMR
Let's see if we can remove the leftovers:
1. Open your Add/Remove Programs control panel and uninstall the Cyberlink/Key Logger software if you see it listed there.
2. Run HJT again and have it fix:
O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\CyberLink\PowerDVD\Free KGB Key Logger\winlogons.exe
O4 - HKLM\..\Run: [Microsoft tool] C:\WINXP\System32\mstool.exe
3. Reboot into Safe Mode again.
4. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Locate and delete the C:\WINXP\System32\mstool.exe file.
- Delete the following folder entirely:
C:\Program Files\CyberLink
5. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new (and hopefully final) log.
Power DVD is a programme from the new video card my children installed. Is it a bad programme?
foxkueh
Originally Posted by foxkueh
Hi DMR,
Power DVD is a programme from the new video card my children installed. Is it a bad programme?
You may know this already, but keylogger programs are used to capture a user's keystrokes on a computer and save that information so that it can be reviewed by, or sent to, someone else. Obviously, unless you specifically installed the keylogger as a "parental control", you definitely don't want it installed on your computer.
If you know nothing about the keylogger:
- Leave the Cyberlink software installed for now.
- Have HijackThis fix the "[winlogons.exe]" log entry to disable the keylogger component.
- Follow my instructions concerning removing "mstool.exe".
- Reboot the computer, run HijackThis again, and post the new log.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.