totally screwed computer

Discussion in 'adware, spyware & hijack cleaning' started by ejbjpb, Jul 8, 2004.

Thread Status:
Not open for further replies.
  1. ejbjpb

    ejbjpb Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    6
My mom called me in to remove "virii" from her computer that her b/f claims I did... why isn't she checking the multitude of porn he's dl'ed.... sick stuff actually.... anyways, what's wrong with this picture? Also I ran Ad-aware, haven't had much co-op from IE in order to get Spybot S&D, but I have SpywareBlaster and CWShredder already run... run... heh. *hopes Peiter's on*


    Logfile of HijackThis v1.98.0
    Scan saved at 11:53:46 PM, on 7/7/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\README~1\Manager 2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\amlivguu.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\WINDOWS\System32\clbhuocw.exe
    C:\WINDOWS\system32\services\12.exe
    C:\Documents and Settings\Patrice Bynum Sapp\Application Data\rncr.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Program Files\WebSiteViewer\121710.dlr
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Patrice Bynum Sapp\My Documents\downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cnt.rapidblaster.com/run.run?c=TQ26EKDE74B5KG36A98JJQ2GOQNHQV77&v=0.95
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\mslagent\4b_1,0,1,0_mslagent.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1BAB625F-936D-719C-D350-6D550AA72E4F} - C:\WINDOWS\System32\iruix.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\T7923~1.ADE\MYDOCU~1\DOWNLO~1\Spybot\SDHelper.dll (file missing)
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll
    O2 - BHO: Download Kind Dupe - {7F37C995-4ADF-6DD9-DC3E-7A52141E808D} - C:\PROGRA~1\ACIDON~1\SEND BROWSE.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINDOWS\system32\FWNToolbar.dll
    O3 - Toolbar: Stop Math - {36685BBC-F2DB-540B-AB41-2050421803AA} - C:\PROGRA~1\ACIDON~1\SEND BROWSE.dll
    O4 - HKLM\..\Run: [Hole Fast] C:\PROGRA~1\README~1\Manager 2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [knwoyspvf] C:\WINDOWS\System32\amlivguu.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Documents and Settings\All Users\Documents\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\DOWNLO~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
    O4 - HKCU\..\Run: [Dvsi] C:\WINDOWS\System32\clbhuocw.exe
    O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Patrice Bynum Sapp\Application Data\rncr.exe
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {2A91CEB1-37F5-424C-997C-4C38A3677CD8} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_2_EN_XP.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
Hi ejbjpb

    First of all this entry:

    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"

    means: Ad-aware wants you to reboot so it can clean some
    nasties, before they have a chance to run.

    Pls go to Windows Update and get ALL critical downloads!

    First update or download CWShredder to version 1.59.1
    CWShredder (http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe)
    Use the Fix button and follow the instructions you will receive.

    Check the following items in HijackThis - close ALL windows\browsers except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cnt.rapidblaster.com/run.run...OQNHQV77&v=0.95
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\mslagent\4b_1,0,1,0_mslagent.dll (file missing)

    O2 - BHO: (no name) - {1BAB625F-936D-719C-D350-6D550AA72E4F} - C:\WINDOWS\System32\iruix.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\T7923~1.ADE\MYDOCU~1\DOWNLO~1\Spybot\SDHelper.dll (file missing)
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll

    O2 - BHO: Download Kind Dupe - {7F37C995-4ADF-6DD9-DC3E-7A52141E808D} - C:\PROGRA~1\ACIDON~1\SEND BROWSE.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

    O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINDOWS\system32\FWNToolbar.dll
    O3 - Toolbar: Stop Math - {36685BBC-F2DB-540B-AB41-2050421803AA} - C:\PROGRA~1\ACIDON~1\SEND BROWSE.dll
    O4 - HKLM\..\Run: [Hole Fast] C:\PROGRA~1\README~1\Manager 2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [knwoyspvf] C:\WINDOWS\System32\amlivguu.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

    O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
    O4 - HKCU\..\Run: [Dvsi] C:\WINDOWS\System32\clbhuocw.exe
    O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Patrice Bynum Sapp\Application Data\rncr.exe

    O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    NOTE: even in safe mode you may have to open Task Manager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:\WINDOWS\wt\updater
    C:\WINDOWS\System32\amlivguu.exe
    C:\Program Files\ISTsvc
    C:\WINDOWS\mslagent\mslagent.exe <--Trojan !
    C:\WINDOWS\System32\clbhuocw.exe
    C:\Documents and Settings\Patrice Bynum Sapp\Application Data\rncr.exe

    Then reboot and use Ad-aware as described:
    HERE

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Go for free online Virus scans here:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Be sure to put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean, have it delete it or make a note of the file location so you can delete it yourself.

    Go here and get one of the free trials of an Anti Trojan and scan for Trojans.
    http://www.wilders.org/anti_trojans.htm

    Run HJT again and pls post a FRESH log. Thanks.
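The triage Marianna does by eye above, as an added example that is not code from this thread: a small Python parser for HijackThis log lines that flags the same classes of entry (R0/R1 pages redirected off the vendor defaults, unnamed or file-less O2 BHOs, O4 autoruns outside a known-good list, O16 ActiveX downloads from untrusted hosts). The allowlists are assumed stand-ins and the sample lines are a constructed subset copied from the log posted above.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.coolsearch.biz/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BAB625F-936D-719C-D350-6D550AA72E4F} - C:\\WINDOWS\\System32\\iruix.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [knwoyspvf] C:\\WINDOWS\\System32\\amlivguu.exe
O4 - HKCU\\..\\Run: [Usrr] C:\\Documents and Settings\\Patrice Bynum Sapp\\Application Data\\rncr.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
"""

# Assumed allowlists: constructed stand-ins for the known-good lists a helper keeps.
TRUSTED_HOSTS = {"www.msn.com", "www.microsoft.com", "ie.search.msn.com"}
KNOWN_GOOD_EXE = {"qttask.exe", "msmsgs.exe", "ad-aware.exe", "psfree.exe"}

HJT_LINE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
EXE_PATH = re.compile(r'[^"]*?\.exe', re.I)

def _untrusted(url):
    return url != "about:blank" and urlparse(url).netloc.lower() not in TRUSTED_HOSTS

def triage(log_text):
    """Return (section, reason, line) for each log entry that warrants review."""
    findings = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        sec, body = m.groups()
        if sec in ("R0", "R1") and "=" in body:
            # R0/R1: IE start and search pages; a hijacker rewrites these to its own site.
            if _untrusted(body.split("=", 1)[1].strip()):
                findings.append((sec, "start/search page points to untrusted host", line))
        elif sec == "O2" and any(t in body for t in ("(no name)", "(no file)", "(file missing)")):
            # O2: Browser Helper Objects; legitimate ones normally carry a name and a file.
            findings.append((sec, "unnamed or file-less BHO", line))
        elif sec == "O4":
            # O4: Run/RunOnce autostarts; anything not on the known-good list needs a look.
            exe = EXE_PATH.search(body.split("]", 1)[-1])
            if exe and exe.group().rsplit("\\", 1)[-1].lower() not in KNOWN_GOOD_EXE:
                where = "user profile" if "application data" in exe.group().lower() else "unknown binary"
                findings.append((sec, "autorun not on known-good list (%s)" % where, line))
        elif sec == "O16" and _untrusted(body.rsplit(" - ", 1)[-1].strip()):
            findings.append((sec, "ActiveX download from untrusted host", line))
    return findings
```

Running `triage(SAMPLE_LOG)` returns six findings, the same entries Marianna ticks for "Fix checked", and leaves the Adobe BHO and QuickTime autorun alone.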