hijackthis log

**dwfriedrich** · 16-09-2005

Please help with the following logfile.

Logfile of HijackThis v1.99.1
Scan saved at 8:03:51 PM, on 9/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\qrjzfny.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\ooyisxjfsv.exe
C:\WINDOWS\ooyisxjfsv.exe
C:\WINDOWS\ooyisxjfsv.exe
C:\WINDOWS\ooyisxjfsv.exe
C:\WINDOWS\ooyisxjfsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshlspc.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [orfhrdv] C:\WINDOWS\system32\qrjzfny.exe r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Shortcut to spywareblaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120906565296
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

**Neal** · 16-09-2005

Hi and welcome, you got trouble alright but be patient with us and we will kill this scum that has your computer by the throat.

BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

First, download Ewido Security Suite.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido.

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.

**dwfriedrich** · 17-09-2005

Here's the new hijack and ewido logfiles. Found alot of junk on there.

**Neal** · 17-09-2005

Beautiful job you done there.

Nail/Epolvy trojan are now dead among other things.

Do you know what this is below:
O4 - HKCU\..\Run: [FCEngine] "C:\Program Files\FCEngine\FCEngine.exe"

Scan with HJT again and put a check next to these items, making sure all browser windows are closed includeing this one so print this or create a new text document on desktop by right clicking an open area select new text document and save it to what ever you like. Now put a check next to these:

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshlspc.dll (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Again make sure all browser windows are closed and click FIX

Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or Enter

Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start

Post a new HJT log for further review

**dwfriedrich** · 18-09-2005

ok, i'm back with the latest logfile. looks like things are clean now. at least there's been no popups anymore that i've seen.

thanx so much for your help. invaluable!!!!!!!!!!!

**Neal** · 18-09-2005

That's great news,

Your log is clean.

Let's do one more scan just to be sure you are all clean.

Internet Explorer required
Run these two online virus scanners (Panda Activescan) following these instructions below:
http://www.pandasoftware.com/product..._principal.htm

Post the log it makes if anything was found please and hopefully I can send you off with some free preventative programs to help keep you safe on the net.

**dwfriedrich** · 24-09-2005

here's the latest. took awhile to get back to this - it's my daughter's computer and she's been doing homework all week.

Thanks!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!

**Neal** · 24-09-2005

Hi,

Your good to go. Here is some free programs to help keep you safe and surfing.

If you are no longer having any more trouble here is some preventative measures for you.

Here are some preventive measures you can take to keep your computer from getting infected again. also keep all these and Ad-awareSE and SpybotS&D updated.

http://forums.thatcomputerguy.us/ind...showtopic=1190

Flush your restore points in ME and XP, by turning System Restore off and then back on.
This will create a fresh restore point.

Explained here:
Windows XP: service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Microsoft ME:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
http://v5.windowsupdate.microsoft.co....aspx?ln=en-us

http://www.microsoft.com/windows/ie/default.asp

2. Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching, there are a some good free Antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1

Avast: http://www.avast.com/eng/avast_4_home.html

3. In addtion to using Ad-aware consider using another free malware scanning/removal program:
MS Antispyware beta: http://www.microsoft.com/athome/secu...e/default.mspx

4. Consider using a free firewall if you are not already using one. Some good free ones are:
Sygate: http://smb.sygate.com/products/spf_standard.htm

Kerio Personal Firewall: http://www.kerio.com/kpf_download.html

5. Consider using an alternate free browser for general web surfing but you must use IE for windows update.
Mozilla Firefox: www.mozilla.org/products/firefox/

6. Consider increasing your browser security by using these programs:
SpywareGuard will protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
SpywareBlaster will increase browser protection by blocking hundreds of known malware sites by adding them to IE's restricted sites zone. Download it here:

http://www.javacoolsoftware.com/spywareblaster.html

If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/

IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

*Remember just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis. It's Free

hijackthis log

hijackthis log

Similar Threads

HiJackThis Log

hijackthis log!

Hijackthis log

Hijackthis log

My Hijackthis log