Desktop hijack. I have a black screen


#16 loophole (Malware Expert, Retired Staff, 9,798 posts)
Ahh, OK. You need to unzip it first
  • Right click on the file
  • choose extract
  • click next, click next again
  • you should have a new folder on your desktop (not zipped)
This is the one you use :whistling:

#17 paco_taco (Member, Topic Starter, 33 posts)
SmitFraudFix v2.138

Scan done at 8:33:03.18, Thu 03/08/2007
Run from C:\My Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\wppp.html Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csuxy.exe"


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#18 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi Paco Taco, sorry for the delay

Post a hijack log and let's see where we are at :whistling:

#19 paco_taco (Member, Topic Starter, 33 posts)
Logfile of HijackThis v1.99.1
Scan saved at 6:56:09 AM, on 3/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\ff8044f26e091ff4d09b3860932ee4eb\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {18C00756-973B-4183-862B-AED976378F15} - C:\WINDOWS\System32\nnnnmmn.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,[email protected]
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: www.contentdiscount.info
O15 - Trusted Zone: www.extremeaccess.info
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay11...es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1173684017218
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3707AD07-A600-4578-AD84-8B684D7FB695}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{809E2A31-34EE-4178-BB79-9D83DCCF2B66}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\SYSTEM32\ms3d2a43d1.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Cjknbo32.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\System32\lxcycoms.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\System32\dmxwz.exe

#20 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi

OK, let's move on.

Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.

#21 paco_taco (Member, Topic Starter, 33 posts)
Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csuxy.exe"
Service: "Windows Management Service" = C:\WINDOWS\System32\dmxwz.exe

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}94BCAD812ED0-20B8-9234-20EE-F67FD24B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4FF215B77B0F-C478-7EC4-314D-034DE877{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "zwxmd" Deleted
....
»»»»» Misc files.
C:\WINDOWS\system32\{553BAF32-8967-4351-B7A5-AD2B7D1A9C46}.exe Deleted
C:\WINDOWS\System32\kernel32.exe Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

C:\WINDOWS\system32\csyjs.exe 52744 01/31/2007


Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other
C:\WINDOWS\temp\dmxwz.ren 57907 05/11/2003



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCYCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCYtime.dll,[email protected]"
"MRT"="\"C:\\WINDOWS\\System32\\MRT.exe\" /R"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

#22 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi :whistling:
Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\windows\system32\ldcore.dll
    C:\WINDOWS\SYSTEM32\instcat.dll
    C:\WINDOWS\SYSTEM32\ms3d2a43d1.dll

    C:\WINDOWS\system32\csyjs.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post a new HijackThis log when done, please.

#23 paco_taco (Member, Topic Starter, 33 posts)
It did not ask me the PendingFileRenameOperations etc. question.

Logfile of HijackThis v1.99.1
Scan saved at 6:13:53 AM, on 3/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {18C00756-973B-4183-862B-AED976378F15} - C:\WINDOWS\System32\nnnnmmn.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,[email protected]
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: www.contentdiscount.info
O15 - Trusted Zone: www.extremeaccess.info
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay11...es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1173684017218
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3707AD07-A600-4578-AD84-8B684D7FB695}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{809E2A31-34EE-4178-BB79-9D83DCCF2B66}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O20 - Winlogon Notify: Winmsc - ms3d2a43d1.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Cjknbo32.dll (file missing)
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\System32\lxcycoms.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#24 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi again :whistling:

I think we almost have it

Please run a scan with HijackThis and check the following lines for removal:

O17 - HKLM\System\CCS\Services\Tcpip\..\{3707AD07-A600-4578-AD84-8B684D7FB695}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{809E2A31-34EE-4178-BB79-9D83DCCF2B66}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O20 - Winlogon Notify: Winmsc - ms3d2a43d1.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Cjknbo32.dll (file missing)
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

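An added example (not code from this thread, from HijackThis, or from any of the tools named here): a small Python triage script that runs over HijackThis-format entries, constructed below from the logs posted in this thread, and flags the same three classes loophole marked for removal: O17 NameServer values pointing at resolvers that are neither private nor on an allow-list, O20/O21 load points whose target file is gone, and any non-empty AppInit_DLLs value. The allow-list contents, the 192.168.1.1 interface and the CONSTRUCTED-GUID key are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Public resolvers that are allowed anyway. Hypothetical allow-list for this
# example; a real one holds the ISP's or the organisation's resolvers.
TRUSTED_RESOLVERS = {"8.8.8.8"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.*)$")
O2X_RE = re.compile(r"^(?P<kind>O2[01]) - (?P<rest>.+)$")


@dataclass
class Finding:
    line: str    # the HijackThis entry, verbatim
    reason: str  # why a helper would want it reviewed


def parse_nameservers(value: str) -> list[str]:
    # HijackThis prints the registry value verbatim, and Windows accepts both
    # comma- and space-separated lists, so both forms show up in real logs.
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def is_trusted(server: str) -> bool:
    """Private (RFC 1918) addresses such as a home router are fine; any other
    address must be on the allow-list. Non-addresses are never trusted."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False
    return addr.is_private or server in TRUSTED_RESOLVERS


def triage(log: str) -> list[Finding]:
    """Return the entries a helper would ask to have fixed, in log order."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            bad = [s for s in parse_nameservers(m["servers"]) if not is_trusted(s)]
            if bad:
                findings.append(Finding(line, "NameServer points at untrusted resolver(s): " + ", ".join(bad)))
            continue
        m = O2X_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        if "(file missing)" in rest or "(no file)" in rest:
            # An orphaned load point does nothing now, but it is a leftover of
            # removed malware and should still be cleaned up.
            findings.append(Finding(line, m["kind"] + " load point references a file that no longer exists"))
        elif rest.startswith("AppInit_DLLs:") and rest.split(":", 1)[1].strip():
            # Any DLL listed here is loaded into every process that links
            # user32.dll, which is why helpers treat a set value as suspect.
            findings.append(Finding(line, "AppInit_DLLs is set; the DLL is loaded into every GUI process"))
    return findings


def untrusted_resolvers(log: str) -> set[str]:
    """Distinct untrusted resolver addresses across all O17 entries. The same
    pair on every interface, as in this thread, points to a system-wide DNS
    hijack rather than one stale per-adapter setting."""
    servers: set[str] = set()
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers.update(s for s in parse_nameservers(m["servers"]) if not is_trusted(s))
    return servers


# Constructed sample: entries taken from the logs in this thread plus one
# made-up interface (CONSTRUCTED-GUID) whose resolver is a private address.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{3707AD07-A600-4578-AD84-8B684D7FB695}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
    print("untrusted resolvers:", sorted(untrusted_resolvers(SAMPLE_LOG)))
```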

#25 paco_taco (Member, Topic Starter, 33 posts)
I can't choose Firefox or Opera.

#26 loophole (Malware Expert, Retired Staff, 9,798 posts)
Just continue to the online scan :whistling:

#27 paco_taco (Member, Topic Starter, 33 posts)
Incident Status Location

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Boog Warner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-119dbb1f.zip[Gummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Boog Warner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-119dbb1f.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Boog Warner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-119dbb1f.zip[VerifierBug.class]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Boog Warner\Cookies\boog [email protected][1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Boog Warner\Cookies\boog [email protected][2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Boog Warner\Local Settings\Temp\Rar$EX02.032\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Boog Warner\Local Settings\Temp\Rar$EX02.860\SmitfraudFix\Process.exe
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[setup233.exe]
Virus:Trj/Downloader.OE Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[setup233.exe][dp-k13w13.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[setup233.exe][IEDRIVER.EXE]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[setup233.exe][sx.htm]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[setup233.exe][ieupdate.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[setup233.exe][td.exe]
Adware:Adware/BrowserAid Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[dist1_1_00.exe]
Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[SaveInstCsSm.exe]
Adware:Adware/eZula Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[ezStub.exe]
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[sys_ai_client_loader.exe]
Spyware:Spyware/ClearSearch Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[ClrSchP071.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe[wmedia_bbi8015.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[setup233.exe]
Virus:Trj/Downloader.OE Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[setup233.exe][dp-k13w13.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[setup233.exe][IEDRIVER.EXE]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[setup233.exe][sx.htm]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[setup233.exe][ieupdate.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[setup233.exe][td.exe]
Adware:Adware/BrowserAid Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[dist1_1_00.exe]
Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[SaveInstCsSm.exe]
Adware:Adware/eZula Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[ezStub.exe]
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[sys_ai_client_loader.exe]
Spyware:Spyware/ClearSearch Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[ClrSchP071.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe[wmedia_bbi8015.exe]
Spyware:Cookie/Diglnk Not disinfected C:\Documents and Settings\LocalService\Cookies\local [email protected][2].txt
Adware:Adware/Qoologic Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun2.exe
Spyware:Cookie/Diglnk Not disinfected C:\Documents and Settings\NetworkService\Cookies\network [email protected][1].txt
Adware:Adware/Qoologic Not disinfected C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun2.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Adware:adware/delfinmedia Not disinfected C:\keys.ini
Potentially unwanted tool:Application/Processor Not disinfected C:\My Downloads\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\My Downloads\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\My Downloads\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Adware:Adware/Zango Not disinfected C:\Program Files\Common Files\csshare\plugins0942\npclntax.dll
Adware:Adware/CWS.Searchmeup Not disinfected C:\Program Files\Common Files\svchost.exe
Adware:Adware/Zango Not disinfected C:\Program Files\Netscape\Netscape 6\Plugins\npclntax.dll
Adware:Adware/ActiveSearch Not disinfected C:\RECYCLER\S-1-5-18\Dc1\system.dll
Adware:Adware/Mytoolbar Not disinfected C:\RECYCLER\S-1-5-18\Dc1\Update.exe~
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Adware:adware/ncase Not disinfected C:\WINDOWS\msbb.exe.temp
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\aukxrkki.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\bqeqnupi.dll
Adware:Adware/RegistryCleaner Not disinfected C:\WINDOWS\system32\ctpmon.exeddwuuv
Adware:Adware/Zenosearch Not disinfected C:\WINDOWS\system32\drivera.dll
Adware:Adware/Zenosearch Not disinfected C:\WINDOWS\system32\drivera.exe
Adware:adware/keenvalue Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Adware:Adware/WinAntivirus2006 Not disinfected C:\WINDOWS\system32\duesxafl.dll
Virus:Trj/Agent.EGK Disinfected C:\WINDOWS\system32\emxcwhgn.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fvbhysdi.dll
Virus:Trj/Agent.EGK Disinfected C:\WINDOWS\system32\jybnrqqp.dll
Adware:Adware/WinAntivirus2006 Not disinfected C:\WINDOWS\system32\kenbxfin.dll
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\kernels1118.exepbomdr
Virus:Trj/Agent.EGK Disinfected C:\WINDOWS\system32\kxdwhjnj.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\lbibippo.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\lnxwfdxu.dll
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\system32\lsasss.exeqrjaty
Virus:Trj/Agent.EGK Disinfected C:\WINDOWS\system32\modbooid.dll
Adware:Adware/Zenosearch Not disinfected C:\WINDOWS\system32\monterreya_unknown.exe
Virus:Trj/Agent.EGK Disinfected C:\WINDOWS\system32\mpkoutps.dll
Virus:Trj/Agent.EGK Disinfected C:\WINDOWS\system32\nereuxsu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nuhlosoh.dll
Adware:Adware/WinAntivirus2006 Not disinfected C:\WINDOWS\system32\oohexuwp.dll
Potentially unwanted tool:Application/ActivityMon Not disinfected C:\WINDOWS\system32\out.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\qjthjinv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\rlpfccgw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\sktqjshf.dll
Virus:Trj/Agent.EGK Disinfected C:\WINDOWS\system32\tqydgljh.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\uxlauaqm.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vrqjfews.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\wqhlqpme.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\wrnxtoys.exe
Virus:Trj/Agent.EGK Disinfected C:\WINDOWS\system32\wvbrqrte.dll
Virus:Trj/Agent.EGK Disinfected C:\WINDOWS\system32\xhjlnqfa.dll
Adware:Adware/WinAntivirus2006 Not disinfected C:\WINDOWS\system32\xjjhtiuu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xlxifkvi.dll

Logfile of HijackThis v1.99.1
Scan saved at 4:31:12 AM, on 3/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {18C00756-973B-4183-862B-AED976378F15} - C:\WINDOWS\System32\nnnnmmn.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,[email protected]
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: www.contentdiscount.info
O15 - Trusted Zone: www.extremeaccess.info
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay11...es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1173684017218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3707AD07-A600-4578-AD84-8B684D7FB695}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{809E2A31-34EE-4178-BB79-9D83DCCF2B66}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O20 - Winlogon Notify: Winmsc - ms3d2a43d1.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Cjknbo32.dll (file missing)
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\System32\lxcycoms.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#28 loophole (Malware Expert, Retired Staff)
Hi

Please run a scan with HijackThis and check the following lines for removal:

O2 - BHO: (no name) - {18C00756-973B-4183-862B-AED976378F15} - C:\WINDOWS\System32\nnnnmmn.dll (file missing)
O15 - Trusted Zone: www.contentdiscount.info
O15 - Trusted Zone: www.extremeaccess.info
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O20 - Winlogon Notify: Winmsc - ms3d2a43d1.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Cjknbo32.dll (file missing)

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.


Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe
    C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun2.exe
    C:\keys.ini
    C:\My Downloads\SDFix.exe
    C:\My Downloads\SmitfraudFix
    C:\Program Files\Common Files\csshare\plugins0942\npclntax.dll
    C:\Program Files\Common Files\svchost.exe
    C:\Program Files\Netscape\Netscape 6\Plugins\npclntax.dll
    C:\SDFix
    C:\WINDOWS\kwv2.dat
    C:\WINDOWS\msbb.exe.temp
    C:\WINDOWS\system32\aukxrkki.dll
    C:\WINDOWS\system32\bqeqnupi.dll
    C:\WINDOWS\system32\ctpmon.exeddwuuv
    C:\WINDOWS\system32\drivera.dll
    C:\WINDOWS\system32\drivera.exe
    C:\WINDOWS\system32\drivers\etc\hosts.bho
    C:\WINDOWS\system32\duesxafl.dll
    C:\WINDOWS\system32\emxcwhgn.dll
    C:\WINDOWS\system32\fvbhysdi.dll
    C:\WINDOWS\system32\jybnrqqp.dll
    C:\WINDOWS\system32\kenbxfin.dll
    C:\WINDOWS\system32\kernels1118.exepbomdr
    C:\WINDOWS\system32\kxdwhjnj.dll
    C:\WINDOWS\system32\lbibippo.dll
    C:\WINDOWS\system32\lnxwfdxu.dll
    C:\WINDOWS\system32\lsasss.exeqrjaty
    C:\WINDOWS\system32\modbooid.dll
    C:\WINDOWS\system32\monterreya_unknown.exe
    C:\WINDOWS\system32\mpkoutps.dll
    C:\WINDOWS\system32\nereuxsu.dll
    C:\WINDOWS\system32\nuhlosoh.dll
    C:\WINDOWS\system32\oohexuwp.dll
    C:\WINDOWS\system32\out.dll
    C:\WINDOWS\system32\Process.exe
    C:\WINDOWS\system32\qjthjinv.dll
    C:\WINDOWS\system32\rlpfccgw.dll
    C:\WINDOWS\system32\sktqjshf.dll
    C:\WINDOWS\system32\tqydgljh.dll
    C:\WINDOWS\system32\uxlauaqm.dll
    C:\WINDOWS\system32\vrqjfews.dll
    C:\WINDOWS\system32\wqhlqpme.dll
    C:\WINDOWS\system32\wrnxtoys.exe
    C:\WINDOWS\system32\wvbrqrte.dll
    C:\WINDOWS\system32\xhjlnqfa.dll
    C:\WINDOWS\system32\xjjhtiuu.dll
    C:\WINDOWS\system32\xlxifkvi.dll


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
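Added example, not part of the thread and not one of the forum's tools: a small Python triage that applies the same rules loophole used above to HijackThis log lines. Orphaned registrations (an O2 BHO, O20 Winlogon Notify or O21 SSODL entry whose DLL is marked "(file missing)" or "(no file)") and O15 Trusted Zone additions go in a "fix" bucket; O17 NameServer lines and the O20 AppInit_DLLs line go in a "review" bucket, because those are settings a user should confirm rather than remove blindly. This goes a little beyond the post: it also catches the O21 "(no file)" entry and lists the O17/AppInit_DLLs lines, which the post did not ask to fix. The sample lines are copied from the log posted above; the bucket names and the `classify`/`triage` function names are my own.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {18C00756-973B-4183-862B-AED976378F15} - C:\WINDOWS\System32\nnnnmmn.dll (file missing)
O15 - Trusted Zone: www.contentdiscount.info
O15 - Trusted Zone: www.extremeaccess.info
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O20 - Winlogon Notify: Winmsc - ms3d2a43d1.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Cjknbo32.dll (file missing)
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# HijackThis entry lines look like "O20 - Winlogon Notify: ..." or "R0 - HKCU\...".
ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# HijackThis prints these when the registered component is no longer on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def classify(line: str):
    """Return 'fix', 'review' or 'keep' for one HijackThis entry, None for other lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # running-process lines, headers, blanks
    section, body = m.group("section"), m.group("body")
    if section in ("O2", "O20", "O21") and any(mk in body for mk in ORPHAN_MARKERS):
        return "fix"  # registration outlived its DLL: safe to remove, nothing loads
    if section == "O15":
        return "fix"  # Trusted Zone entries run those sites with relaxed IE security
    if section == "O17" and "NameServer" in body:
        return "review"  # DNS servers written into the registry: confirm with the ISP
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        return "review"  # loaded into every process that maps user32.dll
    return "keep"


def triage(log_text: str) -> dict:
    """Bucket every entry line of a HijackThis log by verdict."""
    buckets = {"fix": [], "review": [], "keep": []}
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            buckets[verdict].append(line.strip())
    return buckets


if __name__ == "__main__":
    for verdict, lines in triage(SAMPLE_LOG).items():
        print(f"== {verdict} ({len(lines)})")
        for entry in lines:
            print("  " + entry)
```

Run it against a full HijackThis log pasted into `SAMPLE_LOG`; the "fix" bucket is the list to tick before "Fix checked", and the "review" bucket is what to ask the user about before touching it.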

#29 paco_taco (Member, Topic Starter)
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun2.exe moved successfully.
C:\keys.ini moved successfully.
C:\My Downloads\SDFix.exe moved successfully.
C:\My Downloads\SmitfraudFix moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\Common Files\csshare\plugins0942\npclntax.dll
C:\Program Files\Common Files\csshare\plugins0942\npclntax.dll NOT unregistered.
C:\Program Files\Common Files\csshare\plugins0942\npclntax.dll moved successfully.
C:\Program Files\Common Files\svchost.exe moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\Netscape\Netscape 6\Plugins\npclntax.dll
C:\Program Files\Netscape\Netscape 6\Plugins\npclntax.dll NOT unregistered.
C:\Program Files\Netscape\Netscape 6\Plugins\npclntax.dll moved successfully.
C:\SDFix\backups moved successfully.
C:\SDFix\backupreg moved successfully.
C:\SDFix moved successfully.
C:\WINDOWS\kwv2.dat moved successfully.
C:\WINDOWS\msbb.exe.temp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\aukxrkki.dll
C:\WINDOWS\system32\aukxrkki.dll NOT unregistered.
C:\WINDOWS\system32\aukxrkki.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\bqeqnupi.dll
C:\WINDOWS\system32\bqeqnupi.dll NOT unregistered.
C:\WINDOWS\system32\bqeqnupi.dll moved successfully.
C:\WINDOWS\system32\ctpmon.exeddwuuv moved successfully.
C:\WINDOWS\system32\drivera.dll unregistered successfully.
C:\WINDOWS\system32\drivera.dll moved successfully.
C:\WINDOWS\system32\drivera.exe moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.bho moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\duesxafl.dll
C:\WINDOWS\system32\duesxafl.dll NOT unregistered.
C:\WINDOWS\system32\duesxafl.dll moved successfully.
File/Folder C:\WINDOWS\system32\emxcwhgn.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fvbhysdi.dll
C:\WINDOWS\system32\fvbhysdi.dll NOT unregistered.
C:\WINDOWS\system32\fvbhysdi.dll moved successfully.
File/Folder C:\WINDOWS\system32\jybnrqqp.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\kenbxfin.dll
C:\WINDOWS\system32\kenbxfin.dll NOT unregistered.
C:\WINDOWS\system32\kenbxfin.dll moved successfully.
C:\WINDOWS\system32\kernels1118.exepbomdr moved successfully.
File/Folder C:\WINDOWS\system32\kxdwhjnj.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lbibippo.dll
C:\WINDOWS\system32\lbibippo.dll NOT unregistered.
C:\WINDOWS\system32\lbibippo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lnxwfdxu.dll
C:\WINDOWS\system32\lnxwfdxu.dll NOT unregistered.
C:\WINDOWS\system32\lnxwfdxu.dll moved successfully.
C:\WINDOWS\system32\lsasss.exeqrjaty moved successfully.
File/Folder C:\WINDOWS\system32\modbooid.dll not found.
C:\WINDOWS\system32\monterreya_unknown.exe moved successfully.
File/Folder C:\WINDOWS\system32\mpkoutps.dll not found.
File/Folder C:\WINDOWS\system32\nereuxsu.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nuhlosoh.dll
C:\WINDOWS\system32\nuhlosoh.dll NOT unregistered.
C:\WINDOWS\system32\nuhlosoh.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\oohexuwp.dll
C:\WINDOWS\system32\oohexuwp.dll NOT unregistered.
C:\WINDOWS\system32\oohexuwp.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\out.dll
C:\WINDOWS\system32\out.dll NOT unregistered.
C:\WINDOWS\system32\out.dll moved successfully.
C:\WINDOWS\system32\Process.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qjthjinv.dll
C:\WINDOWS\system32\qjthjinv.dll NOT unregistered.
C:\WINDOWS\system32\qjthjinv.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rlpfccgw.dll
C:\WINDOWS\system32\rlpfccgw.dll NOT unregistered.
C:\WINDOWS\system32\rlpfccgw.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\sktqjshf.dll
C:\WINDOWS\system32\sktqjshf.dll NOT unregistered.
C:\WINDOWS\system32\sktqjshf.dll moved successfully.
File/Folder C:\WINDOWS\system32\tqydgljh.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\uxlauaqm.dll
C:\WINDOWS\system32\uxlauaqm.dll NOT unregistered.
C:\WINDOWS\system32\uxlauaqm.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vrqjfews.dll
C:\WINDOWS\system32\vrqjfews.dll NOT unregistered.
C:\WINDOWS\system32\vrqjfews.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wqhlqpme.dll
C:\WINDOWS\system32\wqhlqpme.dll NOT unregistered.
C:\WINDOWS\system32\wqhlqpme.dll moved successfully.
C:\WINDOWS\system32\wrnxtoys.exe moved successfully.
File/Folder C:\WINDOWS\system32\wvbrqrte.dll not found.
File/Folder C:\WINDOWS\system32\xhjlnqfa.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xjjhtiuu.dll
C:\WINDOWS\system32\xjjhtiuu.dll NOT unregistered.
C:\WINDOWS\system32\xjjhtiuu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xlxifkvi.dll
C:\WINDOWS\system32\xlxifkvi.dll NOT unregistered.
C:\WINDOWS\system32\xlxifkvi.dll moved successfully.

Created on 03/31/2007 23:27:14

Logfile of HijackThis v1.99.1
Scan saved at 11:28:37 PM, on 3/31/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\lxcycoms.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,[email protected]
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay11...es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1173684017218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3707AD07-A600-4578-AD84-8B684D7FB695}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{809E2A31-34EE-4178-BB79-9D83DCCF2B66}: NameServer = 85.255.116.25,85.255.112.94
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\System32\lxcycoms.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
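Added example, not part of the thread: the check an expert does by hand when the new HijackThis log arrives, written as a Python before/after comparison. It takes the entries from the earlier log, the entries from the new log and the list of lines that were requested for removal, and reports which requested lines are gone, which are still there, which were never in the old log (a sign of a mistyped list), and which entries survived untouched. The snippets below are copied from the two logs posted in this thread; the `verify_fix` function and its result keys are my own.

```python
import re

# Only HijackThis entry lines ("O2 - ...", "R0 - ...") take part in the comparison;
# running-process lines and headers are ignored.
ENTRY = re.compile(r"^[RO]\d+ - ")

# The six lines loophole asked to fix in post #28.
REQUESTED = [
    "O2 - BHO: (no name) - {18C00756-973B-4183-862B-AED976378F15} - C:\\WINDOWS\\System32\\nnnnmmn.dll (file missing)",
    "O15 - Trusted Zone: www.contentdiscount.info",
    "O15 - Trusted Zone: www.extremeaccess.info",
    "O20 - Winlogon Notify: instcat - instcat.dll (file missing)",
    "O20 - Winlogon Notify: Winmsc - ms3d2a43d1.dll (file missing)",
    "O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\\WINDOWS\\System32\\Cjknbo32.dll (file missing)",
]

# Constructed sample: a subset of the earlier log (post #27).
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {18C00756-973B-4183-862B-AED976378F15} - C:\WINDOWS\System32\nnnnmmn.dll (file missing)
O15 - Trusted Zone: www.contentdiscount.info
O15 - Trusted Zone: www.extremeaccess.info
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O20 - Winlogon Notify: Winmsc - ms3d2a43d1.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Cjknbo32.dll (file missing)
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)
"""

# Constructed sample: the same subset of the new log (post #29).
AFTER_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)
"""


def entries(log_text: str) -> set:
    """Set of HijackThis entry lines in a log, whitespace-normalised."""
    return {ln.strip() for ln in log_text.splitlines() if ENTRY.match(ln.strip())}


def verify_fix(before: str, after: str, requested) -> dict:
    """Compare two logs against the removal list and report what happened."""
    b, a = entries(before), entries(after)
    req = {r.strip() for r in requested}
    return {
        "removed": sorted(req - a),          # requested and now gone
        "still_present": sorted(req & a),    # requested but the fix did not take
        "not_in_before": sorted(req - b),    # requested line never existed: check the list
        "unchanged": sorted(b & a),          # survived both logs, not asked about
        "new": sorted(a - b),                # appeared since the last log
    }


if __name__ == "__main__":
    report = verify_fix(BEFORE_LOG, AFTER_LOG, REQUESTED)
    for key, lines in report.items():
        print(f"== {key} ({len(lines)})")
        for entry in lines:
            print("  " + entry)
```

On the two logs in this thread the report shows all six requested lines gone and nothing new, while the O17 NameServer, O20 AppInit_DLLs and O21 "DCOM Server 60787" lines are listed under "unchanged" because they were not on the removal list; those are the lines to look at next.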