hijack this log [RESOLVED]


  • This topic is locked

#1
simplicity

simplicity

    Member

  • Member
  • 21 posts
My computer has been running slow lately... I have anti-virus protection and tried programs such as Ad-Aware SE, Spy Sweeper, and Spybot.

Can someone check this over for me? Thanks in advance =)


Logfile of HijackThis v1.98.2
Scan saved at 9:43:34 PM, on 4/7/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [AutoLoaderotqr1ISTPIWO] "C:\WINDOWS\SYSTEM\ICSCJI32.EXE" /HideUninstall /PC="CP.BYZ"
O4 - HKLM\..\Run: [AutoLoaderotqd1ISTPIWO] "C:\WINDOWS\SYSTEM\PDBLL.EXE"
O4 - HKLM\..\Run: [oE9X36P] PDBLL.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [Zpq7RWj7U] TSPIS400.EXE
O4 - HKCU\..\Run: [MFCD30] C:\WINDOWS\SYSTEM\MFCD30.EXE
O4 - HKCU\..\Run: [RASAPI32] C:\WINDOWS\SYSTEM\RASAPI32.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE


#2
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
The first thing we need to tackle is to get you updated to the newest version of HijackThis. Please go Here and download the newest version, 1.99.1. Please be sure to save it to a permanent directory, such as C:\Program Files\HJT.

Running HJT from your "unzipped" folder, your desktop or a temp folder is not a good idea, as the backups that HJT creates while being used may not be saved.

It is late at night, so I will keep an eye out tomorrow for you to post a new log from the updated version of HJT! :tazz:

#3
simplicity

simplicity

    Member

  • Topic Starter
  • Member
  • 21 posts
Thanks ^^
This is the new log.

Logfile of HijackThis v1.99.1
Scan saved at 3:30:26 PM, on 4/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [AutoLoaderotqr1ISTPIWO] "C:\WINDOWS\SYSTEM\ICSCJI32.EXE" /HideUninstall /PC="CP.BYZ"
O4 - HKLM\..\Run: [AutoLoaderotqd1ISTPIWO] "C:\WINDOWS\SYSTEM\PDBLL.EXE"
O4 - HKLM\..\Run: [oE9X36P] PDBLL.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [Zpq7RWj7U] TSPIS400.EXE
O4 - HKCU\..\Run: [MFCD30] C:\WINDOWS\SYSTEM\MFCD30.EXE
O4 - HKCU\..\Run: [RASAPI32] C:\WINDOWS\SYSTEM\RASAPI32.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE

#4
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Let's take this in a couple of steps if you don't mind. I want to tackle the viruses first, and then we'll go into HJT and remove any other problems left over!

1. Please update, configure, and re-run Ad-aware and Spybot S&D as below:
Make sure you're using the latest version of Ad-aware (Ad-aware SE 1.05). If you're using an older version, download Ad-aware SE Personal 1.05 and install it.

Before scanning with Ad-aware SE Free:
Run a FULL Ad-aware scan using the following configuration:
  • Update
    • Select Check for updates.
    • Then Connect and download SE1R28 16.02.2005.
  • Click Start
  • Select Perform Full System Scan and hit Next to let Ad-Aware scan your drives.
  • It will list malware files and registry keys. Click Next.
  • Under the Critical Objects tab, right-click in the list, choose Select All, then Next.
  • It will ask for verification of checked items. Choose OK.
  • Close Ad-Aware, shut down and reboot your system.
2. Download and install Spybot S&D, accepting the default settings.
(Please ensure you have version 1.3 final.)
Home - The home of Spybot-S&D!: http://www.safer-networking.org/
Here is a nice Tutorial http://www.safer-net...p?page=tutorial
  • Go to Start > Programs > Spybot Search & Destroy and choose 'Spybot S&D'
  • Close ALL windows except Spybot S&D
  • Click the button 'Search for Updates' and download and install the Updates.
  • Next click the button 'Check for Problems'
  • When Spybot is complete, it will be showing 'RED' entries, BLACK entries and GREEN entries in the window
  • Make sure there is a check mark beside the RED entries ONLY.
  • Choose Fix Selected Problems and allow Spybot to fix the RED entries.
  • REBOOT
3. Also, run at least 2 of these online virus scans:

Housecall<<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan<<<Accept default settings, save and post the log
RAV online scan<<<Add a check by 'Autoclean', leave everything else as is.
eTrust Antivirus Web Scan<<<'Cure' whatever is found, then delete if unsuccessful
Bitdefender ScanOnline<<<Place a check by everything under 'Scan Options'.
Command on Demand

4. Also run an online trojan scan here: http://www.trojanscan.com/
Reboot when finished.

5. Re-run HijackThis and post the new log.

#5
simplicity

simplicity

    Member

  • Topic Starter
  • Member
  • 21 posts
This is the new HijackThis log and the Panda ActiveScan results

Incident Status Location

Virus:Trj/Downloader.ABE Disinfected Operating system
Adware:Adware/nCase No disinfected Windows Registry
Adware:Adware/PortalScan No disinfected C:\WINDOWS\SYSTEM\swin32.dll
Spyware:Spyware/Searchcentrix No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dealhlpr.dll
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\retpdat32.xml
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Virus:Trj/Downloader.AEE Disinfected Operating system
Adware:Adware/PowerStrip No disinfected C:\WINDOWS\pgtaff?.bin
Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\SYSTEM\LMF32.DLL
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\clueacct.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\crtdial.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\wuaelind.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\xen0dal.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\SWin32.dll
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\adstartup.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\modgxyz.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\adupdater.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\pro3dv2.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\qdvml.exe
Virus:Trj/Downloader.AQI Disinfected C:\WINDOWS\SYSTEM\oipdefui.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\rnrebdvd.exe
Virus:Trj/Downloader.AAU Disinfected C:\WINDOWS\SYSTEM\rsaxpand.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\ksui400.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\mbstilse.exe
Virus:Trj/Downloader.AMT Disinfected C:\WINDOWS\SYSTEM\atlrm24f.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\SYSTEM\winupdtl.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM\InstaFinder_inst.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM\instFindtvmk38megaV2.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\SYSTEM\winupdt.exe
Adware:Adware/MyDailyHoroscope No disinfected C:\WINDOWS\SYSTEM\setup_silent_17307.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\cmuerold.exe
Virus:Trj/Downloader.AQI Disinfected C:\WINDOWS\SYSTEM\vfpshl.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\wpwrch.exe
Adware:Adware/CWS.008k No disinfected C:\WINDOWS\SYSTEM\awf0dal.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\TEMP\AutoUpdate1\auto_update_install.exe
Adware:Adware/Envolo No disinfected C:\WINDOWS\TEMP\AutoUpdate1\setup.inf
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\TEMP\SskUpdater.exe
Spyware:Spyware/Searchcentrix No disinfected C:\WINDOWS\Downloaded Program Files\instafin.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\BYVNX2CI\install_1000[1].exe
Adware:Adware/Envolo No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\EFKJBGTO\AutoUpdaterInstaller[1].exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\EFKJBGTO\bannerbottom1[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\EFKJBGTO\bannerbottom2[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\SHAN09E3\bannertop2[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\SHAN09E3\navigation[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\SHAN09E3\affiliates[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\SHAN09E3\bannerbottom1[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\4DYZOHQB\bannertop1[1].htm
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\4DYZOHQB\bannerbottom2[1].htm
Adware:Adware/PortalScan No disinfected C:\WINDOWS\pgtaff.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dealhlpr.dll
Virus:Bck/Agent.K Disinfected C:\WINDOWS\xezi.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dhsvr.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dhbrwsr.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dhp.dll
Virus:Trojan Horse Disinfected C:\WINDOWS\Helper100.dll
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dhupdt.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\dhp2.dll
Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Virus:Trj/Downloader.AEE Disinfected C:\RECYCLED\Dc2356\backups\backup-20050407-212600-374.inf

Logfile of HijackThis v1.99.1
Scan saved at 3:16:59 PM, on 4/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NETGEAR WG311V2 ADAPTER\WLANCFG5.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [AutoLoaderotqr1ISTPIWO] "C:\WINDOWS\SYSTEM\ICSCJI32.EXE" /HideUninstall /PC="CP.BYZ"
O4 - HKLM\..\Run: [AutoLoaderotqd1ISTPIWO] "C:\WINDOWS\SYSTEM\PDBLL.EXE"
O4 - HKLM\..\Run: [oE9X36P] PDBLL.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [Zpq7RWj7U] TSPIS400.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#6
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
You may want to print these instructions or save them to a NotePad file on your desktop to make it easier for you to follow each step in order!

1. Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\WINDOWS\SYSTEM\LMF32.DLL
C:\WINDOWS\SYSTEM\ICSCJI32.EXE
C:\WINDOWS\SYSTEM\PDBLL.EXE
C:\WINDOWS\System\Restore\StateMgr.exe

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

2. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
  • R3 - Default URLSearchHook is missing
  • O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32.DLL
  • O4 - HKLM\..\Run: [AutoLoaderotqr1ISTPIWO] "C:\WINDOWS\SYSTEM\ICSCJI32.EXE" /HideUninstall /PC="CP.BYZ"
  • O4 - HKLM\..\Run: [AutoLoaderotqd1ISTPIWO] "C:\WINDOWS\SYSTEM\PDBLL.EXE"
  • O4 - HKLM\..\Run: [oE9X36P] PDBLL.EXE
  • O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
  • O4 - HKCU\..\Run: [Zpq7RWj7U] TSPIS400.EXE
Now close all windows other than HiJackThis, then click Fix Checked. After that, reboot.

3. Please download CleanUp! and run it to remove any leftover remnants of infection. Click the CleanUp button, and let it scan and select any files it needs to remove. Once it is done, exit the program.

4. Please post a fresh HJT log here in a reply, so I can see how things look now!

#7
simplicity

simplicity

    Member

  • Topic Starter
  • Member
  • 21 posts
Here's the new log :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 6:39:33 PM, on 4/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NETGEAR WG311V2 ADAPTER\WLANCFG5.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
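A way to check a before/after pair of logs against a helper's fix list, as an added example (not HijackThis code and not something posted in this thread): it parses the log from post #5, the fix list from post #6 and the clean log from post #7 above, shortened to the relevant lines, and reports which items went, which survived the fix, and which disappeared without being requested.

```python
"""Diff two HijackThis logs against a fix list, so a helper (or the person
being helped) can confirm that exactly the requested entries are gone.
Added example written for this thread, not HijackThis code; the excerpts
below are shortened copies of the logs and fix list posted in the thread."""
import re
from dataclasses import dataclass

# A HijackThis item is "<code> - <entry>" with code R0-R3, F0-F3, N1-N4 or
# O1-O24; header lines such as "Platform: ..." deliberately do not match.
HJT_ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    code: str  # section code such as "O4" or "R3"
    body: str  # the rest of the line, e.g. "HKLM\..\Run: [oE9X36P] PDBLL.EXE"


def parse_log(text):
    """Return (running_processes, entries) from one HijackThis log."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the process list
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif (match := HJT_ENTRY.match(line)):
            entries.append(Entry(match["code"], match["body"]))
    return processes, entries


def removed_entries(before, after):
    """Entries present in the earlier log but absent from the later one."""
    after_set = set(after)
    return [e for e in before if e not in after_set]


def check_fix(before_text, after_text, fix_text):
    """What went, what survived Fix Checked + reboot, and what vanished
    without being on the list (a sign something legitimate was removed)."""
    _, before = parse_log(before_text)
    _, after = parse_log(after_text)
    _, fixes = parse_log(fix_text)
    gone, fix_set, after_set = removed_entries(before, after), set(fixes), set(after)
    return {
        "removed": gone,
        "not_requested": [e for e in gone if e not in fix_set],
        "still_present": [e for e in fixes if e in after_set],
    }


# Shortened copy of the log in post #5 (before the fix).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AutoLoaderotqr1ISTPIWO] "C:\WINDOWS\SYSTEM\ICSCJI32.EXE" /HideUninstall /PC="CP.BYZ"
O4 - HKLM\..\Run: [AutoLoaderotqd1ISTPIWO] "C:\WINDOWS\SYSTEM\PDBLL.EXE"
O4 - HKLM\..\Run: [oE9X36P] PDBLL.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Zpq7RWj7U] TSPIS400.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# Shortened copy of the log in post #7 (after Fix Checked and reboot).
AFTER_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# The seven items Kat asked to have checked and fixed in post #6.
FIX_TEXT = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32.DLL
O4 - HKLM\..\Run: [AutoLoaderotqr1ISTPIWO] "C:\WINDOWS\SYSTEM\ICSCJI32.EXE" /HideUninstall /PC="CP.BYZ"
O4 - HKLM\..\Run: [AutoLoaderotqd1ISTPIWO] "C:\WINDOWS\SYSTEM\PDBLL.EXE"
O4 - HKLM\..\Run: [oE9X36P] PDBLL.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Zpq7RWj7U] TSPIS400.EXE
"""

if __name__ == "__main__":
    for label, items in check_fix(BEFORE_LOG, AFTER_LOG, FIX_TEXT).items():
        print(label, [f"{e.code} - {e.body}" for e in items])
```

Paste any two full logs into BEFORE_LOG and AFTER_LOG; anything listed under not_requested is an entry that vanished without being asked for and deserves a second look before the log is called clean.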

#8
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Congratulations! :tazz: Your log is clean! ;)

While your HJT log is now clean, there is another step that needs to be taken. There will be further instruction soon!

Thanks for being patient!

Edited by ~Kat~, 14 April 2005 - 06:31 PM.


#9
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Kat did a great job helping you clean your system; now we're going to use Killbox to delete the files found by ActiveScan that were not disinfected.

I HIGHLY recommend printing this out, so that you can put a check next to the file paths that you put into killbox so that you're sure to get them all!

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\WINDOWS\SYSTEM\swin32.dll
C:\WINDOWS\dealhlpr.dll
C:\WINDOWS\SYSTEM\retpdat32.xml
C:\WINDOWS\pgtaff?.bin
C:\WINDOWS\SYSTEM\LMF32.DLL
C:\WINDOWS\SYSTEM\clueacct.exe
C:\WINDOWS\SYSTEM\crtdial.exe
C:\WINDOWS\SYSTEM\wuaelind.exe
C:\WINDOWS\SYSTEM\xen0dal.exe
C:\WINDOWS\SYSTEM\SWin32.dll
C:\WINDOWS\SYSTEM\adstartup.exe
C:\WINDOWS\SYSTEM\modgxyz.exe
C:\WINDOWS\SYSTEM\adupdater.exe
C:\WINDOWS\SYSTEM\pro3dv2.exe
C:\WINDOWS\SYSTEM\qdvml.exe
C:\WINDOWS\SYSTEM\rnrebdvd.exe
C:\WINDOWS\SYSTEM\ksui400.exe
C:\WINDOWS\SYSTEM\mbstilse.exe
C:\WINDOWS\SYSTEM\winupdtl.exe
C:\WINDOWS\SYSTEM\InstaFinder_inst.exe
C:\WINDOWS\SYSTEM\instFindtvmk38megaV2.dll
C:\WINDOWS\SYSTEM\winupdt.exe
C:\WINDOWS\SYSTEM\setup_silent_17307.exe
C:\WINDOWS\SYSTEM\cmuerold.exe
C:\WINDOWS\SYSTEM\wpwrch.exe
C:\WINDOWS\SYSTEM\awf0dal.exe
C:\WINDOWS\TEMP\AutoUpdate1\auto_update_install.exe
C:\WINDOWS\TEMP\AutoUpdate1\setup.inf
C:\WINDOWS\TEMP\SskUpdater.exe
C:\WINDOWS\Downloaded Program Files\instafin.dll
C:\WINDOWS\pgtaff.exe
C:\WINDOWS\dealhlpr.dll
C:\WINDOWS\dhsvr.exe
C:\WINDOWS\dhbrwsr.exe
C:\WINDOWS\dhp.dll
C:\WINDOWS\dhupdt.exe
C:\WINDOWS\dhp2.dll
C:\Program Files\AIM\Sysfiles\WxBug.EXE


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.

After it restarts, please use Windows Explorer to navigate to this folder (in bold) and DELETE it:

C:\Program Files\cxtpls

#10
simplicity

simplicity

    Member

  • Topic Starter
  • Member
  • 21 posts
Here is my new HijackThis log after restoring the statemgr.exe.
And you don't need to apologize, it wasn't your fault =)

BTW, how do I delete this file? C:\Program Files\cxtpls
I can't seem to find it using the search for files and folders :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 9:32:14 PM, on 4/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\AU10TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au10setp.exe 3
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab


#11
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Thanks, Simplicity, for your understanding and patience!

Go to Start > Search and then under the box where you enter the file name, scroll down below that and click on "More advanced options". There, make sure ALL of the first four options are CHECK marked. Then, enter the file name and try searching again. If it's not there, then that is a GOOD thing!! :tazz:

#12
simplicity

simplicity

    Member

  • Topic Starter
  • Member
  • 21 posts
Hmm. I can't find it when searching for it...
But I tried looking at Start > Run and I found it, except it was empty :tazz:

#13
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
It's good that it was empty - it's just a folder that used to house adware/malware. It's not a huge deal, just leftover clutter :tazz:

Edited by bananafanafo, 14 April 2005 - 08:33 PM.


#14
simplicity

simplicity

    Member

  • Topic Starter
  • Member
  • 21 posts
I see ^_^. Thanks for all your help.

#15
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
System running good?
