
I Am Going To Drive Car Off Cliff...Aurora Pop-Ups


  • This topic is locked

#1 gemee (Member)
Please help me get the crap out of my computer;


Logfile of HijackThis v1.99.1
Scan saved at 3:55:56 PM, on 6/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\jrannk.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
c:\windows\system32\nbjkjh.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\carol\Local Settings\Temp\Temporary Internet Files\Content.IE5\RV9LXXPA\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\carol\Application Data\Mozilla\Profiles\default\d48dpp8z.slt\prefs.js)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\jrannk.exe reg_run
O4 - HKLM\..\Run: [csjqav] c:\windows\system32\nbjkjh.exe r
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a0v3RTGqS] aclmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: strings.exe
O4 - Global Startup: Wireless-B USB Network Adapter WLAN Monitor.lnk = C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\mcv1_0.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: NICSer_WUSB11 - Unknown owner - C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

Thank you for ANY advice!!
  • 0
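One way to cross-check the HijackThis log in post #1, added here as an example (it is not code from this thread or from HijackThis): it parses the log format and reports, for each O4 Run-key entry, the target it launches and whether that target appears under "Running processes". The function names and the bare-file-name matching rule are assumptions of this example, and it makes no judgement about which entries are malicious.

```python
import ntpath
import re

# Lines copied from the HijackThis log in post #1 (shortened excerpt).
SAMPLE_LOG = r"""Running processes:
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\jrannk.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\jrannk.exe reg_run
O4 - HKCU\..\Run: [a0v3RTGqS] aclmon.exe
O4 - Global Startup: strings.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN_KEY = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")
TARGET = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|bat|com))(?=[\s,]|$)', re.I)

def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif (m := ENTRY.match(line)):
            entries.append((m.group(1), m.group(2)))
    return procs, entries

def autostarts(text):
    """List O4 Run-key entries with their target and whether it is running now."""
    procs, entries = parse_log(text)
    running_paths = [p.lower() for p in procs]
    rows = []
    for code, body in entries:
        m = RUN_KEY.match(body) if code == "O4" else None  # skips Startup-folder items
        if m:
            location, name, cmd = m.groups()
            t = TARGET.match(cmd)  # quoted path, or shortest prefix ending in an extension
            target = (t.group(1) or t.group(2)) if t else cmd.split()[0]
            # Full paths must match exactly; a bare file name matches any running copy.
            running = any(target.lower() in (p, ntpath.basename(p)) for p in running_paths)
            rows.append({"location": location, "name": name, "target": target, "running": running})
    return rows
```

Calling `autostarts()` on the full log text from post #1 gives one row per Run-key value, which makes entries that start at boot and are active at scan time easy to line up.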



#2 gemee (Member, Topic Starter)
I'm desperate!!
  • 0

#3 Michelle (Malware Removal Goddess, Retired Staff)
I actually see a couple of nasty infections. Let's take care of the main one first:

Please download FindQoologic from here:
http://forums.net-in...=post&id=134981

Save it to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.

(let me know if you receive any kind of MSDOS error when running the program)
  • 0

#4 gemee (Member, Topic Starter)
Thank you!!! I will go do as you say, and be right back with a log.
  • 0

#5 gemee (Member, Topic Starter)
Here you go. I hope this is what you wanted to see;
BigFix.lnk
desktop.ini
knap.exe
strings.exe
Wireless-B USB Network Adapter WLAN Monitor.lnk

User Startup:
C:\Documents and Settings\carol\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\nfyttgxq
<NO NAME> REG_SZ {27e31332-53f6-49bf-ae19-d124c799cfff}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
  • 0

#6 Michelle (Malware Removal Goddess, Retired Staff)
Did you receive any kind of error message when running the program?
  • 0

#7 Michelle (Malware Removal Goddess, Retired Staff)
It's missing the top half of the log, I need to see the whole thing.
  • 0

#8 gemee (Member, Topic Starter)
Ok....I will copy the WHOLE log page...
  • 0

#9 gemee (Member, Topic Starter)
This is the entire page;

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
BigFix.lnk
desktop.ini
knap.exe
strings.exe
Wireless-B USB Network Adapter WLAN Monitor.lnk

User Startup:
C:\Documents and Settings\carol\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\nfyttgxq
<NO NAME> REG_SZ {27e31332-53f6-49bf-ae19-d124c799cfff}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
  • 0

#10 gemee (Member, Topic Starter)
On the black page, before I got the printout of what I posted, I got this continuous message; "The System Can not Execute The Specific Program".
  • 0



#11 Michelle (Malware Removal Goddess, Retired Staff)
Unfortunately it's not showing me what I need to see. So, please do this for me:

Please download RKFiles from here:
http://skads.org/special/rkfiles.zip
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode, please double-click RKFiles.bat to run the program. It may take a while. When it is finished, a window should appear with a log.

Restart your computer in normal mode, and please post the entire contents of the logfile, which should be at c:\log.txt.
  • 0

#12 gemee (Member, Topic Starter)
Ok, I will write down what you say, and then do it. Fingers crossed!!........
  • 0

#13 gemee (Member, Topic Starter)
I tried to restart my computer 3 times in Safe Mode, and it would not do it. A menu came up for an instant, but disappeared. Should I shut my computer COMPLETELY off before trying this? I was attempting to go to Safe Mode from a restart.
  • 0

#14 Michelle (Malware Removal Goddess, Retired Staff)
You may be hitting F8 at the wrong time. Please shut down your computer. Turn it back on, and as soon as it starts to come on, continue to tap the F8 key until the Safe Mode menu appears. Choose Safe Mode and hit enter.
  • 0

#15 gemee (Member, Topic Starter)
OK, I was hitting it continually, from the time I rebooted. I will try again.
  • 0





