Log check please

Discussion in 'adware, spyware & hijack cleaning' started by fznanc, May 16, 2004.

Thread Status:
Not open for further replies.
  1. fznanc

    fznanc Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    3
    I've got this working pretty well, but could use some final cleanup help. Thanks!!

    Logfile of HijackThis v1.97.7
    Scan saved at 6:44:20 PM, on 5/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\docume~1\kurtod~1\locals~1\temp\u6O9H.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\docume~1\kurtod~1\locals~1\temp\Qn8.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\System32\cabxjswr.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\System32\lexpps.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\WINDOWS\System32\ZqrS.exe
    C:\WINDOWS\System32\ZqrS.exe
    C:\Documents and Settings\Glenda Odom\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: TvmBho Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\plg0\AproposPlugin.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Yfwz.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [u6O9H] C:\docume~1\kurtod~1\locals~1\temp\u6O9H.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Qn8] C:\docume~1\kurtod~1\locals~1\temp\Qn8.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [osoU3pR] cabxjswr.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [hupih] C:\WINDOWS\hupih.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [edeb] C:\WINDOWS\edeb.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [aVSTeI] C:\docume~1\kurtod~1\locals~1\temp\aVSTeI.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1A527596-31A0-4EEF-9041-E473B88374E6}: NameServer =
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1A527596-31A0-4EEF-9041-E473B88374E6}: NameServer =
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi fznanc, and welcome.

    This line indicates a Peper trojan infection: O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Yfwz.exe, which has to be removed first.

    Download and run this uninstaller to get rid of the Peper trojan (direct download link):
    http://www.memorywatcher.com/uninst.exe

    Double-click the uninst.exe and let it run. You must be connected to the internet for the tool to work, and allow the uninstaller to access the internet.
    It may take a few minutes before it finishes, then it will just close when it is done. (Reboot your computer if prompted.)

    -----
    Next, create a permanent folder for HijackThis, and move the HijackThis.exe file into that folder. HijackThis creates backups in the folder it is run from, and running it from the desktop will scatter the backups all over it.

    Once you have done the above, open HijackThis, rescan, and place a check beside the following items.
    Close ALL windows except HijackThis, and click Fix checked:

    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: TvmBho Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\plg0\AproposPlugin.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [u6O9H] C:\docume~1\kurtod~1\locals~1\temp\u6O9H.exe
    O4 - HKLM\..\Run: [Qn8] C:\docume~1\kurtod~1\locals~1\temp\Qn8.exe
    O4 - HKLM\..\Run: [osoU3pR] cabxjswr.exe
    O4 - HKLM\..\Run: [hupih] C:\WINDOWS\hupih.exe
    O4 - HKLM\..\Run: [edeb] C:\WINDOWS\edeb.exe
    O4 - HKLM\..\Run: [aVSTeI] C:\docume~1\kurtod~1\locals~1\temp\aVSTeI.exe

    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.ne...ab/emCraft1.cab

    Then boot your computer into Safe Mode by tapping the F8 key just before Windows begins to load.

    Find and delete the following folders:
    C:\Program Files\SysAI
    C:\Program Files\TV Media
    C:\Program Files\AutoUpdate

    C:\Documents and Settings\yourusername\Local Settings\Temp\ <--- and delete the contents of the Temp folder (but not the Temp folder itself)


    Then could you navigate to these files, zip up a copy of them, and submit the zipped files by email to This Email Address for analysis. Please include a brief note and the URL to this thread in the body of the email so Derek will be able to find your thread. Thank you.
    cabxjswr.exe <--- you will have to do a search for this one.
    C:\WINDOWS\hupih.exe
    C:\WINDOWS\edeb.exe

    The above files may be hidden: How to Unhide All Files and Folders

    Then do a FULL system scan at one of these on-line antivirus sites: Free Services

    Finally, follow Step 1 at this link for downloading and installing Spybot S&D and/or Adaware6: https://www.wilderssecurity.com/showthread.php?t=15913

    After the above is done, reboot your computer, do another scan with HijackThis, and post a new log here to be checked.

    Regards,

    snap
     
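The triage snap does by hand above (orphaned hooks marked "(no file)", Run entries that start something out of a Temp folder, bare filenames with no path, random-looking value names, an executable sitting directly in C:\WINDOWS, and an O16 ActiveX download from an unfamiliar host) can be written down as a set of checks over the raw log lines. The script below is an added example and is not part of the original thread or of HijackThis itself. The log excerpt it runs on is a constructed subset of the entries posted above; the tag names, the vowel-based "random name" test, the `TRUSTED_DPF_HOSTS` allowlist and the `triage` function are assumptions of this example.

```python
"""Triage heuristics for HijackThis-style log lines (added example).

The log excerpt below is a constructed subset of the entries posted in the
thread; the heuristics, tag names and the DPF host allowlist are assumptions
of this example and are not part of HijackThis or of the original post.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the entries from the posted log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\plg0\AproposPlugin.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Yfwz.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [u6O9H] C:\docume~1\kurtod~1\locals~1\temp\u6O9H.exe
O4 - HKLM\..\Run: [osoU3pR] cabxjswr.exe
O4 - HKLM\..\Run: [hupih] C:\WINDOWS\hupih.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
"""

# Assumed allowlist: hosts from which an O16 (ActiveX/DPF) download is expected.
TRUSTED_DPF_HOSTS = {"download.macromedia.com", "www.microsoft.com"}

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HOOK_RE = re.compile(r"^(?:O2|R3) - .*\{[0-9A-Fa-f-]+\}_? - (?P<path>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}.* - (?P<url>\S+)$")
VOWELS = set("aeiouAEIOU")


def looks_random(token: str) -> bool:
    """Crude test for generated Run value names: no vowels at all, or digits mixed
    with both upper and lower case. Vowel-free legitimate names (e.g. MSMSGS)
    will also trip this, so treat the tag as a review signal, not a verdict."""
    stem = token.rsplit(".", 1)[0]
    if len(stem) < 3:
        return False
    has_vowel = any(c in VOWELS for c in stem)
    has_digit = any(c.isdigit() for c in stem)
    mixed_case = any(c.isupper() for c in stem) and any(c.islower() for c in stem)
    return not has_vowel or (has_digit and mixed_case)


def run_target(cmd: str) -> str:
    """Extract the executable from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_line(line: str) -> list:
    """Return the list of heuristic tags that apply to one log line."""
    tags = []
    m = RUN_RE.match(line)
    if m:
        target = run_target(m.group("cmd"))
        low = target.lower()
        if "\\temp\\" in low:
            tags.append("temp-dir-autostart")      # autostart from a Temp folder
        if "\\" not in target:
            tags.append("bare-filename")           # no path: must be located by search
        elif re.match(r"^c:\\windows\\[^\\]+\.exe$", low):
            tags.append("windows-root-exe")        # .exe directly under C:\WINDOWS
        if looks_random(m.group("name")):
            tags.append("random-name")
        return tags
    m = HOOK_RE.match(line)
    if m:
        if m.group("path").strip() == "(no file)":
            tags.append("orphan-entry")            # registry hook whose file is gone
        return tags
    m = DPF_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            tags.append("untrusted-dpf-host")
    return tags


def triage(log_text: str) -> dict:
    """Return {line: [tags]} for every log line that trips at least one heuristic."""
    findings = {}
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        tags = triage_line(line)
        if tags:
            findings[line] = tags
    return findings


if __name__ == "__main__":
    for line, tags in triage(SAMPLE_LOG).items():
        print(", ".join(tags).ljust(36), line)
```

Running the script prints the seven flagged lines from the sample; the McAfee, ctfmon.exe, Shockwave and SysAI BHO entries produce no tags, the last because a BHO that points at an existing DLL is only identifiable as adware from knowledge of the product, which is exactly the part of the triage that stays manual.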