0

Hi!
In the last two weeks I have a problems with my comp: during the surfing in Internet my comp may just to shut down, without any reason that I can see.
I tried to scan with adaware and it found 85 objects. The programme deleted those objects, but it wasn't helpfull.
So I scaned with HT and this is hijacThis code:

Logfile of HijackThis v1.98.2
Scan saved at 23:20:00, on 04.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\SYSTEM\Mra.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\windows\system32\evthtm.exe
C:\Program Files\Babylon\Babylon.exe
C:\windows\system32\mousecntl32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Paltalk\pnetaware.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.ru/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: MraSearch Class - {30DA811B-BCBF-4aa7-B5E3-CEE0E03EF2B2} - C:\WINDOWS\SYSTEM\MraSearch.dll
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=c:\windows\system32\mousecntl32.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Mra] C:\WINDOWS\SYSTEM\Mra.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [fxhilc] C:\WINDOWS\System32\fxhilc.exe
O4 - HKLM\..\Run: [DQMXFKBM] c:\windows\system32\dqmxfkbm.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Hot_Tarts_il] C:\Program Files\Video1\Dialers\Hot_Tarts_il\Hot_Tarts_il.exe /dontdial
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HDOFAEVY] c:\windows\system32\hdofaevy.exe /install
O4 - HKLM\..\Run: [WCBRCLZV] c:\windows\system32\wcbrclzv.exe /install
O4 - HKLM\..\Run: [EvtHtm] c:\windows\system32\evthtm.exe /nocomm
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [Mousecntl32] c:\windows\system32\mousecntl32.exe
O4 - HKLM\..\Run: [Mdmdll] c:\windows\system32\mdmdll.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Mra] C:\Documents and Settings\Жен\Application Data\Mra\Mra.EXE
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1022.dll,InstantAccess
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
O4 - HKCU\..\Run: [Advmon32] c:\windows\system32\advmon32.exe
O4 - HKCU\..\Run: [Mousecntl32] c:\windows\system32\mousecntl32.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Mail.Ru Agent - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\WINDOWS\SYSTEM\Mra.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1022_EN.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {5B132B38-9E37-4D05-B8D6-A274C32D5234} - http://mnb.validbox.com/ActiveX_DownloadAndRun_0.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {E9790C6C-DCAA-4E4F-8048-FFEC3B62DFED} (VOGWeb2 Class) - http://engine.vogclub.com/activex/vogweb29.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{185A5652-2CB8-489B-8353-B1E25BD82D09}: NameServer = 194.90.1.5 212.143.212.143


I think that I should to fix the next lines:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: MraSearch Class - {30DA811B-BCBF-4aa7-B5E3-CEE0E03EF2B2} - C:\WINDOWS\SYSTEM\MraSearch.dll
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)


Am I right? I just afraid to delete it before somebody with more experience than mine, will see it.

Thank you very very much!

Vik

5
Contributors
6
Replies
7
Views
12 Years
Discussion Span
Last Post by DMR
0

You'd better check evthtm.exe, which is a trojan.
Please remove it (also from the registry) and keep updating your XP (even if annoying :rolleyes: )

0

1. You are heavily infected; please do the online scans caperjack recommended.


2. Uninstall the following rogue programs:

Virtual Bouncer (VBouncer)
AdDestroyer
palnetaware


3. Run HijackThis again; have it fix any of the following entries if they still exist:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: MraSearch Class - {30DA811B-BCBF-4aa7-B5E3-CEE0E03EF2B2} - C:\WINDOWS\SYSTEM\MraSearch.dll
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=c:\windows\system32\mousecntl32.exe
O4 - HKLM\..\Run: [Mra] C:\WINDOWS\SYSTEM\Mra.EXE
O4 - HKLM\..\Run: [fxhilc] C:\WINDOWS\System32\fxhilc.exe
O4 - HKLM\..\Run: [DQMXFKBM] c:\windows\system32\dqmxfkbm.exe /install
O4 - HKLM\..\Run: [Hot_Tarts_il] C:\Program Files\Video1\Dialers\Hot_Tarts_il\Hot_Tarts_il.exe /dontdial
O4 - HKLM\..\Run: [HDOFAEVY] c:\windows\system32\hdofaevy.exe /install
O4 - HKLM\..\Run: [WCBRCLZV] c:\windows\system32\wcbrclzv.exe /install
O4 - HKLM\..\Run: [EvtHtm] c:\windows\system32\evthtm.exe /nocomm
O4 - HKLM\..\Run: [Mousecntl32] c:\windows\system32\mousecntl32.exe
O4 - HKLM\..\Run: [Mdmdll] c:\windows\system32\mdmdll.exe
O4 - HKCU\..\Run: [Mra] C:\Documents and Settings\Жен\Application Data\Mra\Mra.EXE
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1022.dll,InstantAccess
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
O4 - HKCU\..\Run: [Advmon32] c:\windows\system32\advmon32.exe
O4 - HKCU\..\Run: [Mousecntl32] c:\windows\system32\mousecntl32.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O9 - Extra button: Mail.Ru Agent - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\WINDOWS\SYSTEM\Mra.EXE
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binari...UTH_1022_EN.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binari...thv32_EN_XP.cab
O16 - DPF: {5B132B38-9E37-4D05-B8D6-A274C32D5234} - http://mnb.validbox.com/ActiveX_DownloadAndRun_0.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab
O16 - DPF: {E9790C6C-DCAA-4E4F-8048-FFEC3B62DFED} (VOGWeb2 Class) - http://engine.vogclub.com/activex/vogweb29.cab


4. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Delete the following files:
c:\windows\system32\mousecntl32.exe
C:\WINDOWS\SYSTEM\Mra.EXE
C:\WINDOWS\System32\fxhilc.exe
c:\windows\system32\dqmxfkbm.exe
c:\windows\system32\hdofaevy.exe
c:\windows\system32\wcbrclzv.exe
c:\windows\system32\evthtm.exe
c:\windows\system32\mdmdll.exe
C:\WINDOWS\mslagent\mslagent.exe
c:\windows\system32\advmon32.exe

- Delete the following folders entirely:
C:\Program Files\Video1\Dialers
C:\Documents and Settings\Жен\Application Data\Mra
C:\WINDOWS\mslagent
C:\Program Files\VBouncer
C:\Program Files\AdDestroyer
C:\Program Files\Paltalk

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.


- Empty your Recycle Bin.

- Reboot normally.


5. Post a new HijackThis log.

0

Thanks for the answer!
I''ll try to do all this. :o
VIK

0

OK. Please follow the above instructions carefully, and don't hesitate to post if you have any questions along the way- it's better to ask than make a mistake.

:)

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.