Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

HiJackThis Log[RESOLVED]

Started by rusty38dei , May 10 2005 09:13 PM

This topic is locked

#46
Michelle

Posted 15 May 2005 - 11:51 AM

Malware Removal Goddess

Retired Staff
8,928 posts

You're not stupid! Run HiJackThis and follow the instructions in #42.

#47
rusty38dei

Posted 15 May 2005 - 04:22 PM

Member

Topic Starter
Member
85 posts

Logfile of HijackThis v1.99.1
Scan saved at 6:20:54 PM, on 5/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GILESF~1\LOCALS~1\Temp\Rar$EX00.032\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - http://www.racelm.co...5turboDMCrs.CAB
O16 - DPF: {8F8F1EF4-92D6-4C59-B5B4-E6E5E0284676} (OLRComm.Communications) - http://www.onlinerac...ing/OLRComm.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CC1E9F72-AFBE-4C67-B6E1-AB992035E562} (CFM2005TurboDMCrsnorun.UserControl1) - http://www.racelm.co...oDMCrsnorun.CAB
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Panda Firewall Service (PAVFIRES) - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

#48
Michelle

Posted 15 May 2005 - 05:18 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Your log looks fine.

One more thing I want you to do to make sure that your problems now are just from missing files and not malware.

I need you to download MWav

This scan might take around 3+ hours to finish when set to scan everything. I need you to run MWav, put a check next to below items before scanning:

*Memory
*Startup Folders
*Drive - All Local Drives
*Folder - then click "browse" to change the directory to C: (default is C:\Windows)
*Registry
*System Folders
*Services
*Include Sub-Directory
*Scan All Files

Please make sure ALL of these are checked, then press the scan button. This will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

Highlight the portion of the scan that lists infected items and hold CTRL + C to Copy then paste it here. The whole log will be extremely big so there is no way to copy the whole thing. I just need the infected items list.

#49
rusty38dei

Posted 15 May 2005 - 06:57 PM

Member

Topic Starter
Member
85 posts

Ok thanks for your help, I am glad you helped me out with this, and I will do as I said I would with paypal. Just let me know when and what email addy is. Thanks again, Rusty

#50
Michelle

Posted 15 May 2005 - 10:41 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Rusty, you do not have to donate anything, so please do not feel obligated to do so. I'm happy to help!

If you would really like to send a donation for the help you received, then go to post #2, look at Kat's signature and click on "Victory Junction Gang Camp" and donate in yours, kat's or my name to those children.

Like I said, you are not required to donate anything and don't feel that you have to. :tazz:

#51
rusty38dei

Posted 16 May 2005 - 05:13 AM

Member

Topic Starter
Member
85 posts

O no I wanna donate something for the help I have recieved, I sure couldnt have done it without you, and besides its the "right" thing to do, So I would be glad to donate 20 bucks. I also cant find on this mile long file that MWav where the infected list is.............LOL this thing is like HUGE like you said it would be. Ill put 10 dollars in each of your names to VJG. I am a huge race fan also.....Love what Kyle and Patty have done for these kids. We all have so many blessings to be thankful for, yet we live life day to day without hardly ever giving it any thought. Anyway. Thanks again, and I will do what I said I was going to do. Talk to you later , Rusty38dei

#52
Michelle

Posted 16 May 2005 - 10:24 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Well, that's sweet of you to do! Thank you :tazz:

The infected items list should be towards the end of the log. When you were running the scan did you see at the bottom of the window where it was listing the infected stuff? Those are the file paths/names I'm needing. It's definitely in that log somewhere lol

#53
rusty38dei

Posted 16 May 2005 - 06:30 PM

Member

Topic Starter
Member
85 posts

Sun May 15 21:35:22 2005 => System found infected with MyBar Spyware/Adware ({014da6c9-189f-421a-88cd-07cfe51cff10})! Action taken: No Action Taken.
Sun May 15 21:35:22 2005 => File System Found infected by "MyBar Spyware/Adware" Virus. Action Taken: No Action Taken.

Sun May 15 21:35:22 2005 => System found infected with MyBar Spyware/Adware ({0494d0d9-f8e0-41ad-92a3-14154ece70ac})! Action taken: No Action Taken.
Sun May 15 21:35:22 2005 => File System Found infected by "MyBar Spyware/Adware" Virus. Action Taken: No Action Taken.

Sun May 15 21:35:23 2005 => Offending value found in HKLM\Software\FunWebProducts !!!
Sun May 15 21:35:23 2005 => System found infected with FunWebProducts Spyware/Adware! Action taken: No Action Taken.
Sun May 15 21:35:23 2005 => File System Found infected by "FunWebProducts Spyware/Adware" Virus. Action Taken: No Action Taken.

Sun May 15 21:35:23 2005 => Offending value found in HKLM\Software\myway !!!
Sun May 15 21:35:23 2005 => System found infected with myway Spyware/Adware! Action taken: No Action Taken.
Sun May 15 21:35:23 2005 => File System Found infected by "myway Spyware/Adware" Virus. Action Taken: No Action Taken.

Sun May 15 21:35:24 2005 => Offending value found in HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\my way speedbar uninstall !!!
Sun May 15 21:35:24 2005 => System found infected with my way speedbar Spyware/Adware! Action taken: No Action Taken.
Sun May 15 21:35:24 2005 => File System Found infected by "my way speedbar Spyware/Adware" Virus. Action Taken: No Action Taken.

I sure hope this is what you need, I have noticed my puter is kinda acting up again....Taking a while to open programs........Maybe its just me though

#54
Michelle

Posted 16 May 2005 - 06:43 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Post another HiJackThis log, please.

#55
rusty38dei

Posted 16 May 2005 - 06:44 PM

Member

Topic Starter
Member
85 posts

Logfile of HijackThis v1.99.1
Scan saved at 8:44:35 PM, on 5/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ABC\abc.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GILESF~1\LOCALS~1\Temp\Rar$EX00.218\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - http://www.racelm.co...5turboDMCrs.CAB
O16 - DPF: {8F8F1EF4-92D6-4C59-B5B4-E6E5E0284676} (OLRComm.Communications) - http://www.onlinerac...ing/OLRComm.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CC1E9F72-AFBE-4C67-B6E1-AB992035E562} (CFM2005TurboDMCrsnorun.UserControl1) - http://www.racelm.co...oDMCrsnorun.CAB
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

#56
Michelle

Posted 16 May 2005 - 06:53 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Well I see your NVIDIA file is back! Did you re-install the drivers??

Your log looks fine.

Do a search on your system and see if you can locate any of these folders (or files even) Let me know anything you find with these or similar names (do not delete anything yet though:

myway
MyBar
FunWebProducts

#57
rusty38dei

Posted 16 May 2005 - 06:58 PM

Member

Topic Starter
Member
85 posts

Yes I reinstalled drivers for graphics card, and just did a search on the 3 items. Nothing found on either of the 3

#58
rusty38dei

Posted 16 May 2005 - 07:00 PM

Member

Topic Starter
Member
85 posts

Be back in about 30 min. banana, gotta get a shower. Ill make sure I get my donation when I get back. Once again thanks for your help. Once we get this taken care of can I start deleting some of these programs. The ones I downloaded recently to find all this spyware/malware stuff. Ill make sure to keep my Panda

#59
Michelle

Posted 16 May 2005 - 07:01 PM

Malware Removal Goddess

Retired Staff
8,928 posts

There are some leftover files from FunWebProducts and MyWay, but MWav does not list where they are. The main files are gone, these are just remnants.

#60
Michelle

Posted 16 May 2005 - 07:03 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Feel free to delete whatever programs I have had you download, however, you may want to consider keeping Ewido. It's a realy great program. And you will need to re-install Panda otherwise it isn't doing you any good!