
I get all kinds of sounds and music when there are no windows open. I had no browser windows open but I think they're listed anyway.

Logfile of HijackThis v1.99.1
Scan saved at 12:28:05 PM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\acac.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\services.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Unused Desktop Items\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarCU/YSetSearch/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarLM/YSetSearch/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchUrl/YSetSearch/*http://www.yahoo.com
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gnrpjwn.exe
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperVY.dll (file missing)
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [acac] C:\WINDOWS\system32\acac.exe
O4 - HKLM\..\Run: [fofo] C:\WINDOWS\system32\fofo.exe
O4 - HKLM\..\Run: [skwi] C:\WINDOWS\system32\skwi.exe
O4 - HKLM\..\Run: [ntnt] C:\WINDOWS\system32\ntnt.exe
O4 - HKLM\..\Run: [manmx] C:\WINDOWS\system32\manmx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [csmc] C:\WINDOWS\system32\csmc.exe
O4 - HKLM\..\Run: [ksac] C:\WINDOWS\system32\ksac.exe
O4 - HKLM\..\Run: [wiwi] C:\WINDOWS\system32\wiwi.exe
O4 - HKLM\..\Run: [dsds] C:\WINDOWS\system32\dsds.exe
O4 - HKLM\..\Run: [idid] C:\WINDOWS\system32\idid.exe
O4 - HKLM\..\Run: [icmsg] C:\WINDOWS\system32\icmsg.exe
O4 - HKLM\..\Run: [hnman] C:\WINDOWS\system32\hnman.exe
O4 - HKLM\..\Run: [mpup] C:\WINDOWS\system32\mpup.exe
O4 - HKLM\..\Run: [msgic] C:\WINDOWS\system32\msgic.exe
O4 - HKLM\..\Run: [mxman] C:\WINDOWS\system32\mxman.exe
O4 - HKLM\..\Run: [ksmgr] C:\WINDOWS\system32\ksmgr.exe
O4 - HKLM\..\Run: [skmsg] C:\WINDOWS\system32\skmsg.exe
O4 - HKLM\..\Run: [msds] C:\WINDOWS\system32\msds.exe
O4 - HKLM\..\Run: [utnt] C:\WINDOWS\system32\utnt.exe
O4 - HKLM\..\Run: [iddp] C:\WINDOWS\system32\iddp.exe
O4 - HKLM\..\Run: [dpid] C:\WINDOWS\system32\dpid.exe
O4 - HKLM\..\Run: [msgsk] C:\WINDOWS\system32\msgsk.exe
O4 - HKLM\..\Run: [updes] C:\WINDOWS\system32\updes.exe
O4 - HKLM\..\Run: [mshlp] C:\WINDOWS\system32\mshlp.exe
O4 - HKLM\..\Run: [mpcom] C:\WINDOWS\system32\mpcom.exe
O4 - HKLM\..\Run: [scmon] C:\WINDOWS\system32\scmon.exe
O4 - HKLM\..\Run: [csid] C:\WINDOWS\system32\csid.exe
O4 - HKLM\..\Run: [desmx] C:\WINDOWS\system32\desmx.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [jssvc23] jsssvc.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08c51c09f70406a38619/netzip/RdxIE601.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: hlin446EC48C.dll wmid446EC48C.dll mlan446EC7DB.dll MDT2446EC7DB.dll
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Documents\Settings\20242402.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: mcmc - C:\WINDOWS\System32\mcmc.dll (file missing)
O20 - Winlogon Notify: ntmgr - C:\WINDOWS\System32\ntmgr.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: setsc - C:\WINDOWS\System32\setsc.dll
O20 - Winlogon Notify: upsk - C:\WINDOWS\System32\upsk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wiwi - C:\WINDOWS\System32\wiwi.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Last Post by swatkat

Hi,
Download CCleaner and install it. Do not run it now!

Download and install Ewido Security Suite v3.5. After download, double click on the file to launch the install process. After installation, launch ewido by double-clicking the "e" icon on your desktop. The program will prompt you to update - click the "OK" button. On the left side of the main screen, click on "Update" and then click "Start Update". The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see "Update Successful" in the lower left corner.
If you are having problems with the updater, use this link to manually update. Exit Ewido when done - DO NOT perform a scan yet.


Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that will be displayed, choose Safe Mode and press Enter.


Run HijackThis and click Do only a System scan. Then put a check mark in front of the entries listed below:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarCU/YSetSearch/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarLM/YSetSearch/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/clientapps/AutoSearch/SearchUrl/YSetSearch/*http://www.yahoo.com
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gnrpjwn.exe
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperVY.dll (file missing)
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)

O4 - HKLM\..\Run: [acac] C:\WINDOWS\system32\acac.exe
O4 - HKLM\..\Run: [fofo] C:\WINDOWS\system32\fofo.exe
O4 - HKLM\..\Run: [skwi] C:\WINDOWS\system32\skwi.exe
O4 - HKLM\..\Run: [ntnt] C:\WINDOWS\system32\ntnt.exe
O4 - HKLM\..\Run: [manmx] C:\WINDOWS\system32\manmx.exe
O4 - HKLM\..\Run: [csmc] C:\WINDOWS\system32\csmc.exe
O4 - HKLM\..\Run: [ksac] C:\WINDOWS\system32\ksac.exe
O4 - HKLM\..\Run: [wiwi] C:\WINDOWS\system32\wiwi.exe
O4 - HKLM\..\Run: [dsds] C:\WINDOWS\system32\dsds.exe
O4 - HKLM\..\Run: [idid] C:\WINDOWS\system32\idid.exe
O4 - HKLM\..\Run: [icmsg] C:\WINDOWS\system32\icmsg.exe
O4 - HKLM\..\Run: [hnman] C:\WINDOWS\system32\hnman.exe
O4 - HKLM\..\Run: [mpup] C:\WINDOWS\system32\mpup.exe
O4 - HKLM\..\Run: [msgic] C:\WINDOWS\system32\msgic.exe
O4 - HKLM\..\Run: [mxman] C:\WINDOWS\system32\mxman.exe
O4 - HKLM\..\Run: [ksmgr] C:\WINDOWS\system32\ksmgr.exe
O4 - HKLM\..\Run: [skmsg] C:\WINDOWS\system32\skmsg.exe
O4 - HKLM\..\Run: [msds] C:\WINDOWS\system32\msds.exe
O4 - HKLM\..\Run: [utnt] C:\WINDOWS\system32\utnt.exe
O4 - HKLM\..\Run: [iddp] C:\WINDOWS\system32\iddp.exe
O4 - HKLM\..\Run: [dpid] C:\WINDOWS\system32\dpid.exe
O4 - HKLM\..\Run: [msgsk] C:\WINDOWS\system32\msgsk.exe
O4 - HKLM\..\Run: [updes] C:\WINDOWS\system32\updes.exe
O4 - HKLM\..\Run: [mshlp] C:\WINDOWS\system32\mshlp.exe
O4 - HKLM\..\Run: [mpcom] C:\WINDOWS\system32\mpcom.exe
O4 - HKLM\..\Run: [csid] C:\WINDOWS\system32\csid.exe
O4 - HKLM\..\Run: [desmx] C:\WINDOWS\system32\desmx.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [jssvc23] jsssvc.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08c51c09f70406a38619/netzip/RdxIE601.cab
O20 - AppInit_DLLs: hlin446EC48C.dll wmid446EC48C.dll mlan446EC7DB.dll MDT2446EC7DB.dll
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Documents\Settings\20242402.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: mcmc - C:\WINDOWS\System32\mcmc.dll (file missing)
O20 - Winlogon Notify: ntmgr - C:\WINDOWS\System32\ntmgr.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: setsc - C:\WINDOWS\System32\setsc.dll
O20 - Winlogon Notify: upsk - C:\WINDOWS\System32\upsk.dll
O20 - Winlogon Notify: wiwi - C:\WINDOWS\System32\wiwi.dll (file missing)

Close all other open programs except HijackThis and click the button Fix Checked in HijackThis.


Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.

Run Ewido, click on the "Scanner" button in the left menu, then click on the "Settings", here select the option "Scan every file" and click "OK". Next, click "Complete System Scan" button to start scan. If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


Reboot to Normal Mode.


Please download The Avenger by Swandog46 to your Desktop.

  • Double click on Avenger.zip to open the file and extract avenger.exe to your Desktop.
  • Copy the below quoted text (which is a script for Avenger) into your clipboard by highlighting it and pressing CTRL C keys:-

Files to delete:
c:\secure32.html
C:\WINDOWS\system32\gnrpjwn.exe
C:\WINDOWS\gnrpjwn.exe
C:\WINDOWS\system32\acac.exe
C:\WINDOWS\system32\fofo.exe
C:\WINDOWS\system32\skwi.exe
C:\WINDOWS\system32\ntnt.exe
C:\WINDOWS\system32\manmx.exe
C:\WINDOWS\system32\csmc.exe
C:\WINDOWS\system32\ksac.exe
C:\WINDOWS\system32\wiwi.exe
C:\WINDOWS\system32\dsds.exe
C:\WINDOWS\system32\idid.exe
C:\WINDOWS\system32\icmsg.exe
C:\WINDOWS\system32\hnman.exe
C:\WINDOWS\system32\mpup.exe
C:\WINDOWS\system32\msgic.exe
C:\WINDOWS\system32\mxman.exe
C:\WINDOWS\system32\ksmgr.exe
C:\WINDOWS\system32\skmsg.exe
C:\WINDOWS\system32\msds.exe
C:\WINDOWS\system32\utnt.exe
C:\WINDOWS\system32\iddp.exe
C:\WINDOWS\system32\dpid.exe
C:\WINDOWS\system32\msgsk.exe
C:\WINDOWS\system32\updes.exe
C:\WINDOWS\system32\mshlp.exe
C:\WINDOWS\system32\mpcom.exe
C:\WINDOWS\system32\csid.exe
C:\WINDOWS\system32\desmx.exe
C:\WINDOWS\System32\kernels8.exe
C:\WINDOWS\System32\jsssvc.exe
C:\WINDOWS\jsssvc.exe
C:\WINDOWS\System32\vxgame6.exe3072.exe
C:\WINDOWS\System32\mcmc.dll
C:\WINDOWS\System32\ntmgr.dll
C:\WINDOWS\System32\setsc.dll
C:\WINDOWS\System32\upsk.dll
C:\Documents and Settings\All Users\Documents\Settings\20242402.dll
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe

  • Now, run The Avenger program by double clicking its icon on your Desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
  • Paste the text copied to clipboard into this window by pressing Ctrl V keys.
  • Click Done.
  • Now click on the Green Light to begin execution of the script.
  • Answer "Yes" twice when prompted.

The Avenger will automatically do the following:-

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the reboot, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt

Please perform this online scan: F-Secure Online Scanner Next Generation Beta
1. Click on the link "F-Secure Online Scanner Next Generation Beta".
2. You may receive an alert on the address bar at this point to install the ActiveX control.
3. Click on that alert and then click Install ActiveX component.
4. Read the license agreement and click "Accept".
5. Click "Full System Scan" to download the scanning components and begin scan and cleaning.
6. When done click "Show report" and copy/paste its contents into your next reply along with a new HijackThis log and Avenger log.
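
Added example, not part of either post and not the helper's own method: a small Python triage pass over HijackThis log lines that surfaces the kinds of autostart entries selected for fixing above (F2 Shell/UserInit additions, orphaned entries, O4 Run values, AppInit_DLLs). The rules in `classify` are assumed heuristics for review, not verdicts; the sample input is copied from the log in this thread.

```python
import re

# Lines copied from the HijackThis log in this thread, used as sample input.
SAMPLE_LOG = r'''
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gnrpjwn.exe
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [acac] C:\WINDOWS\system32\acac.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - AppInit_DLLs: hlin446EC48C.dll wmid446EC48C.dll mlan446EC7DB.dll MDT2446EC7DB.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
'''

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SYS32_EXE = re.compile(r"c:\\windows\\system32\\([^\\]+)\.exe", re.I)

def classify(code, body):
    """Return a reason string if the entry deserves manual review, else None."""
    if body.endswith(("(file missing)", "(no file)")):
        return "entry points at a file that no longer exists"
    if code == "F2" and "Shell=" in body:
        # A stock XP Shell value is just explorer.exe.
        if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            return "Shell starts something besides explorer.exe"
    if code == "F2" and "UserInit=" in body:
        parts = [p.strip() for p in body.split("UserInit=", 1)[1].split(",")]
        extra = [p for p in parts if p and not p.lower().endswith("userinit.exe")]
        if extra:
            return "UserInit chains extra program: " + ", ".join(extra)
    if code == "O4":
        run = RUN.match(body)
        exe = SYS32_EXE.fullmatch(run["cmd"]) if run else None
        # Heuristic (assumption): value name identical to a bare system32 exe name.
        if exe and exe.group(1).lower() == run["name"].lower():
            return "Run value name mirrors an unquoted system32 executable"
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        # These DLLs are loaded into every process that loads user32.dll.
        if body.split(":", 1)[1].strip():
            return "AppInit_DLLs is populated"
    return None

def triage(log_text):
    """Return (code, reason, line) tuples for entries flagged by classify()."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            reason = classify(m["code"], m["body"])
            if reason:
                findings.append((m["code"], reason, line.strip()))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {line}")
```

The O4 rule deliberately misses entries such as [SystemTools] kernels8.exe, so flagged lines are a starting point for manual review rather than a complete list.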
