TheTechGuide Forum
General Category => Tech Clinic => Topic started by: tiesworth1 on February 28, 2006, 02:33:30 PM
-
Logfile of HijackThis v1.99.1
Scan saved at 12:57:11 PM, on 2/28/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\SSOL\MRXOJO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: BHObj Class - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM218.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Lqafajo] C:\PROGRAM FILES\SSOL\MRXOJO.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [WL32DLL] C:\WINDOWS\SYSTEM\WL32DLL.EXE
O4 - HKCU\..\Run: [ILS] C:\WINDOWS\SYSTEM\ILS.EXE
O4 - HKCU\..\Run: [WIAVUSD] C:\WINDOWS\SYSTEM\WIAVUSD.EXE
O4 - HKCU\..\Run: [MSWMDM] C:\WINDOWS\SYSTEM\MSWMDM.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://education.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://education.dellnet.com/
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
-
Any ideas?
-
Did you run any spyware scanners, such as Spybot, Spyware Doctor, Ad-Aware?
This file is suspicious:
C:\WINDOWS\SYSTEM\MPREXE.EXE
Read the article:
http://www.auditmypc.com/process/mprexe.asp
-
If you're running on low RAM, maybe adding more will speed things up. Also, have you checked your HDD space? Free space? Try cleaning out the temporary files and recycle bin etc. and run the disk defragmenter; it will help improve speed, especially if you haven't in a long time.
-
O4 - HKCU\..\Run: [WL32DLL] C:\WINDOWS\SYSTEM\WL32DLL.EXE
O4 - HKCU\..\Run: [ILS] C:\WINDOWS\SYSTEM\ILS.EXE
Those are the only ones I saw that might be trouble. The one on top I cannot find any info on. The next I know is a bad guy.
-
C:\WINDOWS\SYSTEM\MPREXE.EXE
is safe.
Can you do us a favor please? I want to see what one entry is related to.
Go to either of these links:
http://virusscan.jotti.org/
or
http://www.virustotal.com/flash/index_en.html
Use the browse button and navigate to this file on your hard disk:
C:\PROGRAM FILES\SSOL\MRXOJO.EXE <--this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please
Do the same for these ones if found
C:\WINDOWS\SYSTEM\WL32DLL.EXE
C:\WINDOWS\SYSTEM\ILS.EXE
C:\WINDOWS\SYSTEM\WIAVUSD.EXE
C:\WINDOWS\SYSTEM\MSWMDM.EXE
EDIT>>You may have to show hidden files and folders
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
* Click Start, Programs and Accessories and open Windows Explorer.
* Select a hard drive from the left hand side of the Windows Explorer window.
* Select View the Entire contents of this drive.
-
hi
I couldn't find c:\programfiles\ssol\mrxojo.exe on my computer, even after I showed hidden files. This is the closest file I could find matching that name:
File: MRXOJO.LGC
Status: OK
MD5 3429c9f3c66499dc284e29233f69b030
Packers detected: -
here are the results of the other files scanned:
File: WL32DLL.DLL
Status: OK
MD5 bb0b9bc2b29a999211bf1b7c7d31ada5
Packers detected: -
File: ILS.DLL
Status: OK
MD5 bc462c856e7b61086a522cb295318f1e
Packers detected: -
File: WIAVUSD.DLL
Status: OK
MD5 d876ad6a135774d69062ae9abefb1d7d
Packers detected
File: MSWMDM.DLL
Status: OK
MD5 5016f19b15f5d4c90b177ecbdaede51e
Packers detected: -
-
You scanned the wrong files.
Careful, make sure you're looking at the right ones, or they don't exist.
You scanned
MRXOJO.LGC
WL32DLL.DLL
ILS.DLL
WIAVUSD.DLL
MSWMDM.DLL
I wanted you to scan, if found,
MRXOJO.EXE
WL32DLL.EXE
ILS.EXE
WIAVUSD.EXE
MSWMDM.EXE
Notice you scanned .dll files.
I was after .exe files.
Malware tries to disguise itself as legit files.
Do the following please
Do a "System scan only" with Hijackthis and put a check next to these entries:
O2 - BHO: BHObj Class - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM218.DLL (file missing)
O4 - HKLM\..\Run: [Lqafajo] C:\PROGRAM FILES\SSOL\MRXOJO.EXE
O4 - HKCU\..\Run: [WL32DLL] C:\WINDOWS\SYSTEM\WL32DLL.EXE
O4 - HKCU\..\Run: [ILS] C:\WINDOWS\SYSTEM\ILS.EXE
O4 - HKCU\..\Run: [WIAVUSD] C:\WINDOWS\SYSTEM\WIAVUSD.EXE
O4 - HKCU\..\Run: [MSWMDM] C:\WINDOWS\SYSTEM\MSWMDM.EXE
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://education.dellnet.com/ (file missing) (HKCU)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
After you have ticked the above entries, close all other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer
Back in Windows
Find and delete this file please if found
c:\counter.cab <-this file
Post back a fresh hijackthis log afterwards
Also, did you find this folder
c:\programfiles\ssol
What other files were in that folder?
-
Here is the most recent HijackThis log. HijackThis made a backup copy of some files after I fixed; do I need to keep them? There is a backup folder on my desktop now.
I could not find any of the files that ended in .exe.
There was nothing in the ssol folder.
Logfile of HijackThis v1.99.1
Scan saved at 10:07:54 PM, on 3/6/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\AUPDATE.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://education.dellnet.com/
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
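Added example (not part of this thread or of HijackThis itself): a small Python parser for the log format above. It diffs the two logs posted here to confirm which entries disappeared after FIX CHECKED, lists entries HijackThis marks as orphaned, and pulls the exact O4 autostart file names (with extension) so the right files get submitted to the online scanners. The log excerpts inside are constructed from the two logs in this thread.

```python
"""Parse HijackThis logs: diff two runs and list O4 autostart targets (added example)."""
import re

# Constructed excerpts of the two logs posted in this thread (before and after the fix).
BEFORE_LOG = r"""
O2 - BHO: BHObj Class - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM218.DLL (file missing)
O4 - HKLM\..\Run: [Lqafajo] C:\PROGRAM FILES\SSOL\MRXOJO.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKCU\..\Run: [WL32DLL] C:\WINDOWS\SYSTEM\WL32DLL.EXE
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Every HijackThis finding starts with a section code (R0, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# O4 body is "[Name] target args"; capture the target (quoted or not) up to its extension.
O4_TARGET_RE = re.compile(r'\] "?([^"\s]+?(?: [^"\s]+)*?\.(?:exe|dll|tsk|scr))', re.I)

def parse_entries(log_text):
    """Return the set of (section, body) pairs for every finding line in a log."""
    entries = set()
    for line in log_text.splitlines():
        if m := ENTRY_RE.match(line.strip()):
            entries.add((m.group(1), m.group(2)))
    return entries

def diff_logs(before, after):
    """Entries that disappeared (fixed) and entries that appeared since the earlier log."""
    old, new = parse_entries(before), parse_entries(after)
    return sorted(old - new), sorted(new - old)

def orphan_entries(log_text):
    """Entries whose target no longer exists on disk; HijackThis marks them explicitly."""
    return sorted(e for e in parse_entries(log_text)
                  if "(file missing)" in e[1] or "(no file)" in e[1])

def autostart_targets(log_text):
    """Exact file names (with extension) launched by O4 entries: the files worth scanning."""
    targets = set()
    for section, body in parse_entries(log_text):
        if section == "O4":
            if m := O4_TARGET_RE.search(body):
                targets.add(m.group(1))
    return sorted(targets)
```

Run `diff_logs(BEFORE_LOG, AFTER_LOG)` to see the five entries the fix removed and the two new AVG/orphan entries; `autostart_targets` returns the .EXE paths, not the similarly named .DLL files scanned by mistake earlier.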
-
Just an orphan entry to clean up.
With all other windows closed have hijackthis fix checked this entry
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
How's everything on your end?
If you don't have them installed, I suggest you run both Ad-Aware SE Personal and Spybot 1.4 on this machine
You know about them so I shouldn't need to link you
But if you need the links, let me know
If everything's running better,
I would clear the System Restore points on this machine too.
Here are the instructions:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Make sure to reenable System Restore after the reboot
Clean those temp files
If you haven't run the Disk Defragment utility in a while on this machine,
Now would be a good time, best probably done in safe mode
I linked you to SpywareBlaster 3.5.1 in your other post.
I would use it on this computer too
Also, use the Immunization feature in Spybot
I don't see Firewall protection
If you need a free firewall, check out This Link: http://www.thetechguide.com/forum/index.php?showtopic=15894
ONLY install one, more than one can and will cause conflicts
but you should make sure to have one installed
Also, you're behind on Windows Updates.
Use Internet Explorer, click on TOOLS > Windows Update
Scan for Updates
Install all Critical Updates and Service packs
Reboot when prompted, you will not be able to install them all at once
Revisit after reboot until you have them all>>>Criticals
Let me know how things are running please
-
Things seem to be running smoothly. Thanks for everything. Any other ways to get more speed?