My other computer is now infected



#1 dyeforlyf (New Member, 7 posts)
I've already posted the log for one of my computers; thought I'd figure out what's wrong with this one too.

Logfile of HijackThis v1.99.1
Scan saved at 12:47:12 PM, on 4/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\WINDOWS\System32\haplbe\dgqbcj.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\gwdu\xcdin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wuqnoqiq\ejndpji.exe
C:\WINDOWS\system32\wvmlkk\auhbkwf.exe
C:\WINDOWS\System32\mptbyr\ufkkqrfe.exe
C:\WINDOWS\system32\lkppvn.exe
C:\WINDOWS\system32\gah95on6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\program files\comcast\security manager\app\SecurityManager.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsn6A5.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {C4F167F2-502D-6D2F-3EF8-D9F86D522149} - C:\WINDOWS\System32\chxwpjum\httupwre.dll
O2 - BHO: AuthBHO.cBHO - {E434D3C7-A673-4100-8140-79C020945017} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O3 - Toolbar: Security Manager Popup Blocker - {53829F91-1B06-4DB9-B13E-812A986169F9} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [q32X36U] dmlrstart.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [towfezv] C:\WINDOWS\Lbczxs.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Security Manager] C:\Program Files\Comcast\Security Manager\app\SecurityManager.exe
O4 - HKLM\..\Run: [ejndpji] C:\WINDOWS\System32\wuqnoqiq\ejndpji.exe
O4 - HKLM\..\Run: [auhbkwf] C:\WINDOWS\system32\wvmlkk\auhbkwf.exe
O4 - HKLM\..\Run: [ufkkqrfe] C:\WINDOWS\System32\mptbyr\ufkkqrfe.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\Run: [dgqbcj] C:\WINDOWS\System32\haplbe\dgqbcj.exe
O4 - HKLM\..\Run: [xcdin] C:\WINDOWS\System32\gwdu\xcdin.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\lkppvn.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\dave\LOCALS~1\Temp\BundleLite_westfrontier1001.exe run
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [b0t7RWYmO] doshrui.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [DealHelperDown] "C:\WINDOWS\SYSTEM32\dealhelper1.exe"
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{968369A5-97B5-4207-A806-CFE65CDCE57B}: Domain = combined.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{968369A5-97B5-4207-A806-CFE65CDCE57B}: NameServer = 207.155.184.72,207.155.183.72
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: dgqbcjhaplbe - Unknown owner - C:\WINDOWS\System32\haplbe\dgqbcj.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSER~1.EXE (file missing)
O23 - Service: xcdingwdu - Unknown owner - C:\WINDOWS\System32\gwdu\xcdin.exe

Edited by dyeforlyf, 23 April 2005 - 10:53 AM.

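A log like the one above is mostly read by eye, but the first pass that a helper performs (which autoruns live somewhere odd, which services have no vendor, which BHOs have no name) can be written down. The Python below is an added example for this page, not a HijackThis feature and not the poster's or the forum's code: it parses O2, O4 and O23 lines, attaches heuristic indicators, and reports entries whose weighted score reaches a threshold. The weights and the threshold are assumptions chosen for illustration; the sample lines are copied from the log in this post, with the Ad-watch and Curtains entries kept as benign controls.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the HijackThis log in this thread (not constructed); the
# Ad-watch and Curtains entries are kept as benign controls.
SAMPLE_LOG = r"""
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsn6A5.dll
O2 - BHO: (no name) - {C4F167F2-502D-6D2F-3EF8-D9F86D522149} - C:\WINDOWS\System32\chxwpjum\httupwre.dll
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [ejndpji] C:\WINDOWS\System32\wuqnoqiq\ejndpji.exe
O4 - HKLM\..\Run: [q32X36U] dmlrstart.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\dave\LOCALS~1\Temp\BundleLite_westfrontier1001.exe run
O23 - Service: dgqbcjhaplbe - Unknown owner - C:\WINDOWS\System32\haplbe\dgqbcj.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
"""

# Indicator weights and threshold are assumptions chosen for illustration.
WEIGHTS = {
    "system32_subdir": 3,  # .exe/.dll in a subfolder of System32 (system binaries sit directly in it)
    "temp_dir": 3,         # autorun launched from a Temp folder
    "unknown_owner": 2,    # O23 service with no vendor string
    "no_name_bho": 2,      # O2 browser helper object reported as "(no name)"
    "bare_filename": 1,    # O4 command with no directory at all
    "random_name": 1,      # file stem with five or more consonants in a row (weak, noisy)
}
FLAG_THRESHOLD = 2

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-xz]{5,}", re.IGNORECASE)
SYSTEM32_SUBDIR_RE = re.compile(r"\\system32\\[^\\]+\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)

@dataclass
class Entry:
    kind: str
    display_name: str = ""
    owner: str = ""
    path: str = ""
    indicators: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[i] for i in self.indicators)

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD

def _first_path(cmd: str) -> str:
    # Executable from an O4 command: the quoted path if present, else the first token.
    m = re.match(r'"([^"]+)"', cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def parse_entry(line: str) -> Optional[Entry]:
    """Split one log line into kind, display name, owner and path (O2, O4 and O23 handled)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    entry = Entry(kind=kind)
    if kind == "O4" and (m4 := O4_RE.search(body)):
        entry.display_name = m4.group("name")
        entry.path = _first_path(m4.group("cmd"))
    elif kind == "O2" and body.startswith("BHO: "):
        head, _, path = body[5:].rpartition(" - ")       # "name - {CLSID}" | path
        entry.display_name = head.split(" - ")[0]
        entry.path = path.replace("(file missing)", "").strip()
    elif kind == "O23" and body.startswith("Service: "):
        parts = body[9:].rsplit(" - ", 2)                # name | owner | path
        if len(parts) == 3:
            entry.display_name, entry.owner, path = parts
            entry.path = path.replace("(file missing)", "").strip()
    return entry

def score_entry(entry: Entry) -> Entry:
    """Attach every indicator that applies; the entry's score is the weighted sum."""
    path = entry.path
    if SYSTEM32_SUBDIR_RE.search(path):
        entry.indicators.append("system32_subdir")
    if re.search(r"\\temp\\", path, re.IGNORECASE):
        entry.indicators.append("temp_dir")
    if entry.kind == "O23" and entry.owner == "Unknown owner":
        entry.indicators.append("unknown_owner")
    if entry.kind == "O2" and entry.display_name == "(no name)":
        entry.indicators.append("no_name_bho")
    if entry.kind == "O4" and path and "\\" not in path:
        entry.indicators.append("bare_filename")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if CONSONANT_RUN_RE.search(stem):
        entry.indicators.append("random_name")
    return entry

def triage(log_text: str) -> List[Entry]:
    # Parse and score every recognised line, in log order.
    return [score_entry(e) for e in map(parse_entry, log_text.splitlines()) if e]

def flagged_paths(log_text: str) -> List[str]:
    return [e.path for e in triage(log_text) if e.flagged]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{'FLAG' if e.flagged else '    '} score={e.score} {e.kind:<3} {e.path}  {e.indicators}")
```

On the sample it flags the nameless BHO, the three autoruns in System32 subfolders or Temp, the bare `dmlrstart.exe`, and the unknown-owner service, and leaves Ad-watch alone. Note what it misses: the `ohb` BHO in `system32\nsn6A5.dll` scores zero because the file sits directly in System32 and its name is short, while `CurtainsSysSvcNt.exe` picks up the weak random-name indicator despite being a vendor-owned service. The score only orders a long log for review; the call on each line still belongs to the reviewer, which is why the helpers here ask for the full log rather than a summary.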

#2 Wizard (Retired Staff, 5,661 posts)
Yes sir, you have quite the army running around in there!!

Can I see a link to your other post if these PCs are networked!!??

Also, how many user names are on this PC?

Let's start with a hard slap in the bugger's face!!!

Use the link below and follow the steps that Calamity Jane has laid out to download, install and update Kaspersky AntiVirus, Microsoft AntiSpyware and Hoster!
http://forums.subrat...?showtopic=3466

Now I am not sure, but I don't see an antivirus running on this PC; I see the services for McAfee, but there is nothing running in the processes to say the AV is active!

Let's do this just to be safe:

1. Download Hoster from the link and run it just as instructed!

2. Download Microsoft AntiSpyware, install and update it immediately!

3. Download Kaspersky but DO NOT install it yet!

4. Click Start >> Click Run >> Type in Msconfig and click OK >> Click the Startup tab >> Uncheck the boxes by anything McAfee >> Click Apply >> Click OK >> Follow the prompts to restart!

5. Once restarted, install and update Kaspersky just as instructed in the link!
(If Kaspersky won't update, run Hoster again!!)

6. Restart in Safe Mode (here are instructions if you need them)
http://service1.syma...src=sec_doc_nam

7. In Safe Mode, open both Kaspersky and Microsoft AntiSpyware but don't run them yet!

8. Open the Task Manager (right-click the taskbar and select Task Manager)

9. In the Task Manager >> Click the Processes tab >> Click the Image Name tab >> Locate Explorer.exe and Rundll32.exe, right-click on the name and select End Process!
When you End Process on Explorer.exe, the taskbar and the desktop will disappear; this is normal, so don't panic!

10. Now scan the PC with Kaspersky just as described in the link; delete all it finds!!
(This scan takes a good 3 or 4 hours to complete)

11. Close Kaspersky out, now run Microsoft AntiSpyware just as described in the link!
Delete all it finds!

12. Close out Microsoft AntiSpyware and use the Task Manager to restart the PC!

13. Restart in Normal Mode, scan with both Kaspersky and Microsoft AntiSpyware again, and save any reports they produce! (No need to kill any processes this time!)

14. Scan the PC with HijackThis again and post those results along with any reports from the other 2!

For the size of infection you have, this is the most thorough start I know!!

Post back when all is completed!

Edited by Cretemonster, 24 April 2005 - 07:13 AM.

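Wizard's observation about McAfee (services registered in O23, nothing McAfee in the running-process list) is the kind of cross-check that can be done mechanically on any HijackThis log. The Python below is an added example for this page, not the poster's or the forum's code: it reads the "Running processes" section and the O23 lines and reports each service as running, not running, or file missing. It matches on the file name rather than the full path, an assumption made because HijackThis prints some paths in 8.3 short form (PROGRA~1) that would never string-match the long form; the sample is an excerpt of the first post's log.

```python
import re
from typing import Dict, List

# Excerpt of the thread's HijackThis log (the running-process list and the O23
# service lines, copied from the first post, not constructed).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\WINDOWS\System32\haplbe\dgqbcj.exe
C:\WINDOWS\System32\gwdu\xcdin.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: dgqbcjhaplbe - Unknown owner - C:\WINDOWS\System32\haplbe\dgqbcj.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSER~1.EXE (file missing)
O23 - Service: xcdingwdu - Unknown owner - C:\WINDOWS\System32\gwdu\xcdin.exe
"""

# name | owner | path, with HijackThis's optional "(file missing)" suffix split off.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

def basename(path: str) -> str:
    """Case-folded file name, so 8.3 short paths (PROGRA~1) still compare by file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def running_processes(log: str) -> List[str]:
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, in_block = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_block = True
        elif in_block and not line.strip():
            break
        elif in_block:
            procs.append(line.strip())
    return procs

def service_status(log: str) -> List[Dict[str, str]]:
    """One record per O23 service: running, not running, or file missing."""
    live = {basename(p) for p in running_processes(log)}
    records = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        if m.group("missing"):
            status = "file missing"
        elif basename(m.group("path")) in live:
            status = "running"
        else:
            status = "not running"
        records.append({"service": m.group("name"), "owner": m.group("owner"),
                        "path": m.group("path"), "status": status})
    return records

def inactive_services(log: str) -> List[str]:
    """Services whose binary is absent or not in the process list (e.g. a dead AV)."""
    return [r["service"] for r in service_status(log) if r["status"] != "running"]

if __name__ == "__main__":
    for r in service_status(SAMPLE_LOG):
        print(f"{r['status']:<13} {r['owner']:<20} {r['service']}")
```

On this excerpt both McAfee services come back as "file missing", which matches Wizard's reading: the product is registered but its binaries are gone, so there is no antivirus actually running. The same check also shows that the two unknown-owner services in System32 subfolders are the ones that are live, which is the reverse of what you want to see.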

#3 dyeforlyf (Topic Starter, New Member, 7 posts)
Thanks in advance!

My computers aren't networked, so there is no way for them to have shared the viruses...

I'll follow those instructions, and post my new HJT log after I'm done.