Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

my computer sucks.. please fix it [CLOSED]


  • This topic is locked This topic is locked

#1
dexydie

dexydie

    New Member

  • Member
  • Pip
  • 6 posts
heres my hijackthis thingy. PLEASE HELP ME ASAP!!! :whistling:
thanks

Logfile of HijackThis v1.99.1
Scan saved at 8:38:51 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\RAM Idle\RAM_XP.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\New Folder (2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E1B2879-88FF-11D2-8D96-D7ACAC31337F} -   ¦C:\WINDOWS\system32\Mslink32.dll (file missing)
O2 - BHO: (no name) - {3212BCA5-DFC1-4587-AD42-A4462C1D417E} -   ¦MsLink32.VS (file missing)
O2 - BHO: (no name) - {D4D505DF-D582-400c-91B6-84921012AFE3} - (no file)
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dmrjm.exe] C:\WINDOWS\system32\dmrjm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [virtual] winit.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm006
O8 - Extra context menu item: Download with TrueSpeed Download Manager - C:\Program Files\TrueSpeed\DBooster.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_05\bin\npjava131_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_05\bin\npjava131_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...scandl_cnry.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/p...t/msnchat41.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab....geUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/p...at/msnchat4.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...302/mcfscan.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnime...tupv2.0.0.9.cab?
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C5593AF-3265-40EF-B89A-B8AEF97F80A9}: NameServer = 85.255.113.90 85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{D194D4A3-6CEB-4211-A6FB-27CE1C6FDD45}: NameServer = 85.255.113.90,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6232730-4E7E-4B8A-96C4-70217E1F9804}: NameServer = 85.255.113.90,85.255.112.165
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.165
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.165
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
  • 0

Advertisements


#2
dexydie

dexydie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Okay so i was on my computer last week and i opened an email and wham, i got a wurmark work. My computer has been acting HORRIBLE ever since. Sometimes it just freezes for hours - rebooting never helps, it does the exact same thing.
I ran AVG and the problem happens to be in C:\windows\system32\attatched.zip:\for_you.pif And it is an I-Worm/Wurmark.A
Please someone help me!

this is my hijack log...

Logfile of HijackThis v1.99.1
Scan saved at 8:38:51 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\RAM Idle\RAM_XP.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\New Folder (2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E1B2879-88FF-11D2-8D96-D7ACAC31337F} -   ¦C:\WINDOWS\system32\Mslink32.dll (file missing)
O2 - BHO: (no name) - {3212BCA5-DFC1-4587-AD42-A4462C1D417E} -   ¦MsLink32.VS (file missing)
O2 - BHO: (no name) - {D4D505DF-D582-400c-91B6-84921012AFE3} - (no file)
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dmrjm.exe] C:\WINDOWS\system32\dmrjm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [virtual] winit.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm006
O8 - Extra context menu item: Download with TrueSpeed Download Manager - C:\Program Files\TrueSpeed\DBooster.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_05\bin\npjava131_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_05\bin\npjava131_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...scandl_cnry.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/p...t/msnchat41.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab....geUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/p...at/msnchat4.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...302/mcfscan.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnime...tupv2.0.0.9.cab?
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C5593AF-3265-40EF-B89A-B8AEF97F80A9}: NameServer = 85.255.113.90 85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{D194D4A3-6CEB-4211-A6FB-27CE1C6FDD45}: NameServer = 85.255.113.90,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6232730-4E7E-4B8A-96C4-70217E1F9804}: NameServer = 85.255.113.90,85.255.112.165
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.165
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.165
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
  • 0

#3
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello dexydie and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

Please note that I have merged bothof your threads into one to stop you getting a second helper and wasting their time.

You have quite a mixture of malware and Trojans. You have been hijacked by our comrades in Belarus so, it is likely that you will have the Wareout infection. Let’s see what we can do.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {1E1B2879-88FF-11D2-8D96-D7ACAC31337F} - ¦C:\WINDOWS\system32\Mslink32.dll (file missing)
O2 - BHO: (no name) - {3212BCA5-DFC1-4587-AD42-A4462C1D417E} - ¦MsLink32.VS (file missing)
O2 - BHO: (no name) - {D4D505DF-D582-400c-91B6-84921012AFE3} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dmrjm.exe] C:\WINDOWS\system32\dmrjm.exe
O4 - HKLM\..\RunServices: [virtual] winit.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm006
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...scandl_cnry.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C5593AF-3265-40EF-B89A-B8AEF97F80A9}: NameServer = 85.255.113.90 85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{D194D4A3-6CEB-4211-A6FB-27CE1C6FDD45}: NameServer = 85.255.113.90,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6232730-4E7E-4B8A-96C4-70217E1F9804}: NameServer = 85.255.113.90,85.255.112.165
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.165
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.165


Click FIX CHECKED. Close HijackThis.

Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.
  • 0

#4
dexydie

dexydie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi thank you so much for helping me. I posted another post about 1/2 an hour ago, I didnt see that someone responded.
I did everything according to what you told me, but when i went back to get my report from fixwareout, it said that it wasnt there (c:\fixwareout\report.txt).
HEre is my new hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 5:20:07 PM, on 9/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\RAM Idle\RAM_XP.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\New Folder (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3212BCA5-DFC1-4587-AD42-A4462C1D417E} -   ¦MsLink32.VS (file missing)
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O8 - Extra context menu item: Download with TrueSpeed Download Manager - C:\Program Files\TrueSpeed\DBooster.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_05\bin\npjava131_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_05\bin\npjava131_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/p...t/msnchat41.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab....geUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/p...at/msnchat4.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...302/mcfscan.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnime...tupv2.0.0.9.cab?
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C5593AF-3265-40EF-B89A-B8AEF97F80A9}: NameServer = 85.255.113.90 85.255.112.165
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
  • 0

#5
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

If you could just check for the WareoutFix log and post it in your next reply, I'd be grateful. It will list live files that I should delete. It will be there, it always is and I have done far too many Wareouts to count.

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 CheckedDownloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O2 - BHO: (no name) - {3212BCA5-DFC1-4587-AD42-A4462C1D417E} - ¦MsLink32.VS (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C5593AF-3265-40EF-B89A-B8AEF97F80A9}: NameServer = 85.255.113.90 85.255.112.165


Click on Fix Checked when finished and exit HijackThis.

Post back a fresh HijackThis log, from normal mode, and I will take another look.

How's the PC running now?

Edited by Crustyoldbloke, 01 September 2006 - 06:02 PM.

  • 0

#6
dexydie

dexydie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
well hello again,

sorry i have not replied back in a while, my computer has been frantic. It is still acting up and AVG still says that it is infected with the Wurmark Worm virus. Which is STILL causing my computer to freeze and work only when it likes to (which is hardly ever).
Im not sure about the Wareout Fix log, I cant seem to find it anywhere! IS there something else i should be doing. My computer says that it cannot locate that file.
Anyways here is a new hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 6:47:47 PM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\RAM Idle\RAM_XP.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\New Folder (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O8 - Extra context menu item: Download with TrueSpeed Download Manager - C:\Program Files\TrueSpeed\DBooster.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/p...t/msnchat41.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab....geUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/p...at/msnchat4.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...302/mcfscan.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnime...tupv2.0.0.9.cab?
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C5593AF-3265-40EF-B89A-B8AEF97F80A9}: NameServer = 85.255.113.90 85.255.112.165
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe


PS. After i d"deleted" the O17 - HKLM\System\CCS\Services\Tcpip\..\{9C5593AF-3265-40EF-B89A-B8AEF97F80A9}: NameServer = 85.255.113.90 85.255.112.165 off of hijackthis, it seemed that i could not at all use the internet (says i was connected, but all websites were unavailable - and this happened TWICE so it wasnt my imagination... and it was Right after i did it). Im not sure if this helps, but it just keeps showing up on the hijackthis log after i "deleted" it.

Thanks for being soo patient!
  • 0

#7
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Please continue with this fix:

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O17 - HKLM\System\CCS\Services\Tcpip\..\{9C5593AF-3265-40EF-B89A-B8AEF97F80A9}: NameServer = 85.255.113.90 85.255.112.165

Click on Fix Checked when finished and exit HijackThis.

Post back a fresh HijackThis log, from normal mode, and I will take another look.

Edited by Crustyoldbloke, 02 September 2006 - 06:01 PM.

  • 0

#8
dexydie

dexydie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
The thing is, when i continue with that fix, it makes it so my internet doesnt work... and then i have to reboot, which starts the process of freezing and such.
I deleted it twice already and it doesnt seem to go away
  • 0

#9
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
I am having difficulty in diagnosing what could be happening here. Let's try and flush out whatever is causing this.

Please download: Ewido Anti Spyware

Please install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Deselect "Only if threats were found"
  • Close Ewido. Do not run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode

  • In Safe Mode, load Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
  • Please ensure you post that log in your reply.

  • 0

#10
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP