Please review my log file



#1
dyeforlyf
New Member, 7 posts
Every time I delete the letgohome stuff, it comes back. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 6:57:59 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\PIMP\Local Settings\Temporary Internet Files\Content.IE5\CTQRWXU3\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\L2MLM8~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\rm3ri8he548d0vthd.exe
O4 - HKLM\..\Run: [*faxxml] C:\WINDOWS\security\faxxml.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [*faxxml] C:\WINDOWS\security\faxxml.exe rerun
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [mll_mtf] C:\WINDOWS\System32\mll_mtf.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {6C23742B-2F16-4B19-8E1E-68AA427B09AE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6C23742B-2F16-4B19-8E1E-68AA427B09AE} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {AB0BE29A-C0BE-4295-93A3-223C23584F2C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AB0BE29A-C0BE-4295-93A3-223C23584F2C} - (no file) (HKCU)
O20 - AppInit_DLLs: 57vc48x65zeidc.dll
O20 - Winlogon Notify: faxxml - C:\DOCUME~1\PIMP\LOCALS~1\Temp\lmxxaf.dat
O20 - Winlogon Notify: javaun - C:\DOCUME~1\DWEBB~1\LOCALS~1\Temp\nuavaj.dat
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
#2
RKinner
Malware Expert, 17,350 posts, MVP
You have a tough one but let's see what we can do.


Get a copy of winsockxpfix.exe before you do anything. This is just a safety item in case you can't get on the internet afterwards. You just run it and things should work OK after it reboots your system.

http://www.iup.edu/h...net/winfix.shtm



Also download and install ccleaner.exe from http://www.ccleaner.com. Don't let it clean anything yet.

Download and install Advanced Process Manipulator from:

http://www.diamondcs...p?page=products


Now shut down and reboot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option.

Run HijackThis and just do a Scan only. Check, then Fix Checked, the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\L2MLM8~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\rm3ri8he548d0vthd.exe
O4 - HKLM\..\Run: [*faxxml] C:\WINDOWS\security\faxxml.exe
O4 - HKLM\..\RunOnce: [*faxxml] C:\WINDOWS\security\faxxml.exe rerun
O4 - HKCU\..\Run: [mll_mtf] C:\WINDOWS\System32\mll_mtf.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - Global Startup: winlogin.exe
O9 - Extra button: Microsoft AntiSpyware helper - {6C23742B-2F16-4B19-8E1E-68AA427B09AE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6C23742B-2F16-4B19-8E1E-68AA427B09AE} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {AB0BE29A-C0BE-4295-93A3-223C23584F2C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AB0BE29A-C0BE-4295-93A3-223C23584F2C} - (no file) (HKCU)
O20 - AppInit_DLLs: 57vc48x65zeidc.dll
O20 - Winlogon Notify: faxxml - C:\DOCUME~1\PIMP\LOCALS~1\Temp\lmxxaf.dat
O20 - Winlogon Notify: javaun - C:\DOCUME~1\DWEBB~1\LOCALS~1\Temp\nuavaj.dat
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)



Wait 60 seconds and repeat the scan. Did any of the above come back? If so, leave HijackThis up, right click on the clock and select Task Manager, then Processes. Find Explorer.exe, right click on it and select End Process. The desktop will disappear but HijackThis should still be there. If you don't see it, switch to Applications in Task Manager and highlight it there, then press Switch To or just double click on it. Check and Fix Checked the above again. Restart Explorer by Task Manager, File, New Task (Run), explorer.exe, OK.

Run a third HijackThis scan. Probably the two O20's will still be there and a few others. Leave it up. Start APM.exe (Start, Run, \apm\apm.exe, OK). In the top window find explorer.exe and highlight it. Now move to the bottom window and look for any of the files that are in the list above. Right click on them and select Unload DLL then when a little box comes up press the OK button. Press it as many times as it shows up. When it stops coming up look for other files within explorer. When you have them all then go back to the top and check winlogon the same way.

Check the returnees in HijackThis and Fix Checked.

Now run ccleaner.exe. On the first page, uncheck everything but the two lines that have the word Temporary in them, then Run Cleaner.


Reboot into normal mode and run another HijackThis log and send it to me. Let's see how we did.

It's almost weekend for me so I probably won't get back to you before Monday.

If anything returns and you have a fast link or a friend with a fast link and a CD burner get mwave.exe from:

http://www.spywarein...wnload/mwav.exe and install and run it. It's the world's slowest program - it will take hours to finish - but it does a really good job of getting rid of stuff.

Ron
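
The "repeat the scan and see what came back" check from the reply above, as an added example that is not part of the original posts: a Python script that compares the entries that were fixed against a later HijackThis scan and groups the returnees by section code. The function names and the sample rescan are constructed for illustration; the entry lines are copied from the log in this thread.

```python
import re
from collections import defaultdict

# Meaning of the section codes that appear in this thread's log.
SECTIONS = {"R0": "IE start/search page", "R1": "IE start/search page",
            "O2": "Browser Helper Object", "O4": "autorun entry",
            "O20": "AppInit_DLLs / Winlogon Notify", "O23": "service"}
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")

def parse_entries(text):
    """Map normalized entry -> (code, original line); headers and process paths are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            code, body = m.groups()
            # Collapse whitespace and case so cosmetic differences do not hide a match.
            entries[f"{code} - {' '.join(body.split())}".lower()] = (code, line.strip())
    return entries

def returnees(fixed_text, rescan_text):
    """Entries that were fixed but are present again in the rescan, grouped by code."""
    rescan = parse_entries(rescan_text)
    back = defaultdict(list)
    for key, (code, line) in parse_entries(fixed_text).items():
        if key in rescan:
            back[code].append(line)
    return dict(back)

def summarize(back):
    return [f"{code} ({SECTIONS.get(code, 'other')}): {len(lines)} returned"
            for code, lines in sorted(back.items())]

# Entries taken from the fix list in the post.
FIXED = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=9
O4 - HKLM\..\Run: [*faxxml] C:\WINDOWS\security\faxxml.exe
O20 - AppInit_DLLs: 57vc48x65zeidc.dll
O20 - Winlogon Notify: faxxml - C:\DOCUME~1\PIMP\LOCALS~1\Temp\lmxxaf.dat
"""
# Constructed rescan for illustration (not a log from the thread).
RESCAN = r"""
C:\WINDOWS\explorer.exe
O4 - HKLM\..\Run: [*faxxml]  C:\Windows\Security\faxxml.exe
O20 - AppInit_DLLs: 57vc48x65zeidc.dll
O20 - Winlogon Notify: faxxml - C:\DOCUME~1\PIMP\LOCALS~1\Temp\lmxxaf.dat
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

print("\n".join(summarize(returnees(FIXED, RESCAN))))
```

Entries that appear only in the rescan, such as the Lexmark service, are not reported because they were never in the fix list.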