
Logfile of HijackThis v1.99.1
Scan saved at 9:34:42 PM, on 12/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kkeucd\smss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Scott Schmechel\Application Data\Opera\Opera\profile\cache4\temporary_download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.aaawebfinder.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.giantexplorer.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www1.giantexplorer.com/sidesearch.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: giantexplorer.com toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\toolbar.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\kkeucd\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\kkeucd\csrss.exe
O2 - BHO: C:\WINDOWS\system32\zkPeCrypt.dll - {8A5849C4-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\system32\zkPeCrypt.dll
O3 - Toolbar: giantexplorer.com toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [shell32] C:\WINDOWS\system32\wuauclt10.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\system32\smmss.exe
O4 - HKLM\..\Run: [Windows update] C:\WINDOWS\system32\wudupdate.exe
O4 - HKLM\..\Run: [QUdCd] C:\WINDOWS\hxujmnvl.exe
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\winstall.exe
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20000\svchost.exe
O4 - HKLM\..\Run: [wfdfjbk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wfdfjbk.dll,szvrte
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\smmss.exe
O4 - Startup: csrss.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {92F05779-6D88-4958-8AD3-83C12D855D67} - http://www.giantexplorer.com/toolbar/toolbar.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe

Last post by gerbil

Let me start by saying Cor! You have some interesting stuff; you don't have antivirus, and i don't see a firewall [unless you are using windows version..], and your java is out of date, and so you probably deserve what you have - running Opera won't save you from all the nasties. But don't panic cos we can fix it all. I just have to work up a method... Meanwhile copy HijackThis out of the temporary cache from where you ran it, put it inside its own new folder alongside your programs folder and please rerun it from there next time i ask. The main reason is that HT makes backups and places them in the folder it is run from - you empty your temp cache and they are GONE. Another reason is that you can save your scans and use old ones as a template for checking a fresh scan...
Next get these things:-
I would like you to download CCleaner from http://www.ccleaner.com/ and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's just a neater thing.
Get Adaware SE Personal from http://www.lavasoft.de/software/adaware/ Install it. Update it. Put an icon on your desktop for regular use.
Next go here to get Spybot S&D :- http://www.safer-networking.org/en/download/ Update it.
Get AVG Free (Anti-Virus) from :- http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-virus-free :file is avg75free
Get AVG Anti-Spyware Free from:- the same page..... :file is avgas-setup-...
----update them both.
And start windows firewall if it is not already running! I'll get back to you soon.

Okay, just so i can clear the decks a little bit i would like you to re-run HijackThis from that new folder i asked you to make. Turn OFF the net!!!
First make a System Restore point, and then in an explorer window go to Tools > folder options > view tab and select "show hidden files and folders", Apply.
Rclick the Recycle Bin and run CCleaner, delete all it finds. [if you set up CCleaner as i suggested, rclicking the bin icon should give you the run CCleaner option...]
Do a full Adaware scan and remove all the problems it finds.
Run AVG Antispyware:- make sure you have updated its files, then select Scanner tab, Settings and set Recommended action to delete. Under scan tab start a full system scan and when it finishes apply recommended action to all it finds. [ie, delete.]
Run SpyBot S&D. Create the registry backup, then check for problems. Select and fix problems.

Then go into Safe Mode, close all open windows, disconnect from the net and start HijackThis. Close the explorer window and then press Scan.
I would then like you to place check marks in the boxes against all the following items [if they still exist..], and to then press Fix Checked button.


C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\system32\kkeucd\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
What use do you make of giantexplorer? Because I would class it as a pest that downloads ads.....
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.giantexplorer.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www1.giantexplorer.com/sidesearch.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: giantexplorer.com toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\toolbar.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\kkeucd\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\kkeucd\csrss.exe
O2 - BHO: C:\WINDOWS\system32\zkPeCrypt.dll - {8A5849C4-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\system32\zkPeCrypt.dll
O3 - Toolbar: giantexplorer.com toolbar - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\Downloaded Program Files\CONFLICT.2\toolbar.dll
O4 - HKLM\..\Run: [shell32] C:\WINDOWS\system32\wuauclt10.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\system32\smmss.exe
O4 - HKLM\..\Run: [Windows update] C:\WINDOWS\system32\wudupdate.exe
O4 - HKLM\..\Run: [QUdCd] C:\WINDOWS\hxujmnvl.exe
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\winstall.exe
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20000\svchost.exe
O4 - HKLM\..\Run: [wfdfjbk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wfdfjbk.dll,szvrte
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe LEFTOVER FROM MCAFEE?? I have included this because there is no Mcafee service on your machine!!
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\smmss.exe
O4 - Startup: csrss.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM) TRUST NO-ONE
O16 - DPF: {92F05779-6D88-4958-8AD3-83C12D855D67} - http://www.giantexplorer.com/toolbar/toolbar.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe

Next, still in Safe Mode, you must go into C:\WINDOWS\system32 and delete these files and folders... BE VERY CAREFUL OF THE SPELLING!!
msasvc.exe
kkeucd\smss.exe
wfdfjbk.dll,szvrte
smmss.exe
wudupdate.exe
winstall.exe
rpcc.dll
zkPeCrypt.dll
wuauclt10.exe
qlink32.dll

Then under c:\WINDOWS\ delete the following files and folders...
hxujmnvl.exe
inet20000\services.exe

Exit Safe Mode into normal windows mode and then do another HijackThis scan and post the new logfile please.

Note the system32\kkeucd\smss.exe entry i mention - delete that.
Do not delete the system32\smss.exe file.
Similarly delete WINDOWS\inet20000\services.exe, but NOT WINDOWS\services.exe.
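The checks gerbil applies by eye in the two posts above (a core process name such as smss.exe or svchost.exe running from a directory other than its home, a near-miss spelling like smmss.exe, win.ini load/run entries, Run keys with Windows-sounding labels, a site added to the Trusted Zone, a text/html filter) can be written down as a small triage script, so the fresh log he asks for can be compared against the same rules. This is an added example, not code from the thread or from HijackThis; the home-directory map, the label pattern, the edit-distance threshold and the severity levels are my assumptions, and the sample lines are constructed by copying entries from the log posted above.

```python
"""Triage heuristics for a HijackThis-style log (added example, not a HijackThis feature)."""
import re

# Assumed: where each core Windows XP process legitimately lives (lower-case).
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Assumed: Run-key labels that borrow the name of a Windows component.
IMPERSONATING_LABEL = re.compile(
    r"windows update|client server runtime|microsoft|^explorer$|^shell32$", re.I)

# Sample lines constructed from the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\kkeucd\smss.exe
C:\WINDOWS\system32\svchost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\kkeucd\csrss.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\system32\smmss.exe
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20000\svchost.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
"""


def edit_distance(a, b):
    """Plain Levenshtein distance; inputs are short file names, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_path(path):
    """Lower-cased (directory, file name) of a Windows path, quotes stripped."""
    path = path.strip().strip('"').lower()
    directory, _, name = path.rpartition("\\")
    return directory, name


def check_binary(path, context):
    """Findings for one executable: core name in the wrong directory, or a look-alike name."""
    directory, name = split_path(path)
    if name in EXPECTED_DIR:
        if directory != EXPECTED_DIR[name]:
            return [("high", f"{context}: {name} running from {directory!r}, "
                             f"expected {EXPECTED_DIR[name]!r}")]
        return []
    for core in EXPECTED_DIR:          # smmss.exe is one edit away from smss.exe
        if edit_distance(name, core) <= 2:
            return [("high", f"{context}: {name} looks like {core}")]
    return []


def triage_line(line):
    """(severity, reason) findings for one log line; [] if nothing stands out."""
    line = line.strip()
    if not line:
        return []
    if re.match(r"^[a-z]:\\", line, re.I):          # "Running processes" section
        return check_binary(line, "process")
    if line.startswith("F3 - REG:win.ini:"):
        return [("high", "win.ini load/run autostart: " + line.split("=", 1)[1])]
    m = re.match(r'^O4 - (\S+): \[([^\]]*)\] "?(.+?\.exe)"?', line, re.I)
    if m:
        key, label, path = m.groups()
        findings = check_binary(path, f"{key} [{label}]")
        if IMPERSONATING_LABEL.search(label) and not findings:
            findings.append(("medium", f"{key} [{label}] uses a Windows-sounding "
                                       f"label for {path}; verify the file"))
        return findings
    if line.startswith("O15 - Trusted Zone:"):
        return [("medium", "site added to IE Trusted Zone: " + line)]
    if line.startswith("O18 - Filter: text/html"):
        return [("high", "MIME filter hooks every HTML page: " + line)]
    return []


def triage(log):
    """All findings for a whole log, as (line, severity, reason) tuples."""
    return [(ln.strip(), sev, why) for ln in log.splitlines()
            for sev, why in triage_line(ln)]


if __name__ == "__main__":
    for _line, sev, why in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {why}")
```

Run it as-is and the genuine System32\smss.exe, IgfxTray and the quoted Roxio entry pass, while the six entries gerbil singled out come back flagged. The point of keeping a home-directory map rather than a plain name list is exactly the smss.exe confusion he warns about at the end: the name alone is not the signal, the name plus the directory is.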
