multiple problems with XP

  1. 23-05-2005  #1
    foucault
    foucault is offline Junior Member

    multiple problems with XP

    here is my hijackthis log:
    Thanks in advance

    ==============================

    Logfile of HijackThis v1.99.1
    Scan saved at 3:27:41 PM, on 5/23/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\fi49.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\hi\msnappau.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\winupdate32.exe
    C:\WINDOWS\System32\syst32.exe
    C:\WINDOWS\System32\d55nu618.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Foucault\Desktop\HijackThis.exe
    C:\Documents and Settings\Foucault\sfdgf.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ff] boj.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\hi\msnappau.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WIn32 Java DLLx] srtsr32.exe
    O4 - HKLM\..\Run: [winnt DNS ident] winupdate32.exe
    O4 - HKLM\..\Run: [AutoLoaderq9qq1IJjaKYO] "C:\WINDOWS\System32\wlnhlpr.exe" /HideDir /HideUninstall /PC="CP.AMS" /ShowLegalNote="nonbranded"
    O4 - HKLM\..\Run: [qm9W36U] wlnhlpr.exe
    O4 - HKLM\..\Run: [System Updates Dll] syst32.exe
    O4 - HKLM\..\Run: [d55nu618] C:\WINDOWS\System32\d55nu618.exe
    O4 - HKLM\..\RunServices: [ff] boj.exe
    O4 - HKLM\..\RunServices: [WIn32 Java DLLx] srtsr32.exe
    O4 - HKLM\..\RunServices: [winnt DNS ident] winupdate32.exe
    O4 - HKLM\..\RunServices: [System Updates Dll] syst32.exe
    O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\iwlo.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ff] boj.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [bDq6RWYpl] sesap32.exe
    O4 - HKCU\..\Run: [System Updates Dll] syst32.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\RunServices: [System Updates Dll] syst32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{164ACDA7-C2E6-4233-A022-9F35D44CC97D}: NameServer = 61.1.96.69 61.1.96.71
    O17 - HKLM\System\CS1\Services\Tcpip\..\{164ACDA7-C2E6-4233-A022-9F35D44CC97D}: NameServer = 61.1.96.69 61.1.96.71
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: ProcessEnumerator32 (pe32) - Unknown owner - C:\WINDOWS\fi49.exe
  2. 23-05-2005  #2
    HJThis
    HJThis is offline Senior Member
    Hello,foucault & Welcome

    Hmmm don't like this one ok lit's start with these 2 here.

    1)Go for free online Virus scans here:

    http://housecall.trendmicro.com/hou.../start_corp.asp
    http://www.pandasoftware.com/activescan/

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

    2)Download ewido security suite from here… http://www.ewido.net/en/download/

    Update it’s database from here.. http://www.ewido.net/en/download/updates/
    Run a scan and let it clean the PC. Post a new hijackthis log when complete.

    NOTE there maybe an option to update from within the scanner not sure check but download the update just incase.

    3)After doing all of the above do this here

    popular programs for doing this, is a freeware program Called Crap Cleaner. Crap Cleaner is a single utility that lets you clear your Cookies, Internet Explorer History, Empty the Recycle Bin, Uninstall Programs, Clear Usage Tracks and much more. As well as this, it has an Advanced Registry Scanner. Using a program like this is one of the easiest methods.

    4)Then show us new logfile & any infor you think we need to know

    HGD

    Please do this work as soon as you can there is a bad Trojan on
    the PC lit's get after.
  3. 23-05-2005  #3
    HJThis
    HJThis is offline Senior Member
    Hi,foucault

    ARGH

    Before you do any of the above make sure to

    Please change the location of HijackThis.exe.
    Create a new folder in your C: Drive
    Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
    It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
    This way you can undo any changes if something goes wrong

    HGD
  4. 23-05-2005  #4
    foucault
    foucault is offline Junior Member
    Quote Originally Posted by HJThis
    Please change the location of HijackThis.exe.
    Create a new folder in your C: Drive
    Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
    It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
    This way you can undo any changes if something goes wrong

    HGD
    Thanks a ton, hgd

    but my comp hangs everytime i try either housecall or panda
  5. 23-05-2005  #5
    HJThis
    HJThis is offline Senior Member
    Hi,foucault

    Ok cool i was thinking it may happen so see if this helps.

    Click here to download eScan's mwav application. Double-click it to run it, select all local drives, select 'Scan All Files', press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply - assuming it finds something. Do NOT copy and paste the entire mwav log, only the text from the lower pane!

    NOTE this may not do the cleaning for us but lit's see
    what if anything it may find.

    HGD

    but please go on with the other stuff i posted for you.
  6. 24-05-2005  #6
    foucault
    foucault is offline Junior Member
    Thank you
    Here is my new log file.
    Please help, my comp has started shutting down without warning more now than ever before

    Thanks in Advance!

    ==============================

    Logfile of HijackThis v1.99.1
    Scan saved at 7:40:59 PM, on 5/24/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\fi49.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\hi\msnappau.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Hijack This\HijackThis.exe

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ff] boj.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\hi\msnappau.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WIn32 Java DLLx] srtsr32.exe
    O4 - HKLM\..\Run: [winnt DNS ident] winupdate32.exe
    O4 - HKLM\..\Run: [AutoLoaderq9qq1IJjaKYO] "C:\WINDOWS\System32\wlnhlpr.exe" /HideDir /HideUninstall /PC="CP.AMS" /ShowLegalNote="nonbranded"
    O4 - HKLM\..\Run: [qm9W36U] wlnhlpr.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [ff] boj.exe
    O4 - HKLM\..\RunServices: [WIn32 Java DLLx] srtsr32.exe
    O4 - HKLM\..\RunServices: [winnt DNS ident] winupdate32.exe
    O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\iwlo.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ff] boj.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [bDq6RWYpl] sesap32.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\RunServices: [System Updates Dll] syst32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{164ACDA7-C2E6-4233-A022-9F35D44CC97D}: NameServer = 61.1.96.69 61.1.96.71
    O17 - HKLM\System\CS1\Services\Tcpip\..\{164ACDA7-C2E6-4233-A022-9F35D44CC97D}: NameServer = 61.1.96.69 61.1.96.71
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: ProcessEnumerator32 (pe32) - Unknown owner - C:\WINDOWS\fi49.exe
  7. 24-05-2005  #7
    HJThis
    HJThis is offline Senior Member
    Hi,foucault

    I had you download ewido security suite did you do & have you
    used it yes if no do it now if yes then do it again in Safe Mode
    lit it clean what it want's lit me know what it finds

    go in to Safe Mode run it but make sure you updated it first

    Make sure you can view hidden and system files: Instructions here


    Then Boot to safe mode: Instructions here

    again make sure you updated the scanner before you goto Safe Mode
    then scan all files/Drives & lit us know what if anything you find

    HGD
  8. 25-05-2005  #8
    foucault
    foucault is offline Junior Member
    Hi HGD.
    I ran ewido(updated) on normal mode yesterday, and it found two trojans. I shall run it on safe and let u kno!
    also im unable to intsall/run mwav on my computer, as well as crapcleaner. so i used "windows cleanup!"

    Thanks again I will come back once I've followed these instructions
  9. 25-05-2005  #9
    HJThis
    HJThis is offline Senior Member
    Hi,foucault

    Yes please see if it will clean up more of this stuff
    lit' us know if you run into any problems.

    HGD
  10. 25-05-2005  #10
    foucault
    foucault is offline Junior Member
    Save 20% on AVG Internet Security 2012 Suite!
    Hi,
    sorry to be such a pain but ewido is acting up now
    I'm running AVG (updated) Is that alrite?

    Thanx again!
Closed Thread
Page 1 of 4 1 2 3 4 LastLast
« Suspicious AutoSMTP Activity | hclean32.exe and rdsndin.exe »