TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Ryutheip on July 26, 2006, 05:12:47 PM
-
Working on cleaning this computer. Ran Spybot S&D which made it functional, but it has L2M on it, and probably a lot of other problems.
The bg is giving an error message, and getting lots of pop-ups. Probably gonna switch to Firefox soon.
Logfile of HijackThis v1.99.1
Scan saved at 4:10:56 PM, on 7/26/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\pilgkn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\grckk.exe
C:\WINDOWS\System32\grckk.exe
C:\WINDOWS\System32\grckk.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Documents and Settings\Lisa\Desktop\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\dfndref_7.exe
C:\WINDOWS\System32\wfxqhv.exe
C:\kybrdef_7.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\ms048965081088.exe
C:\WINDOWS\System32\zqskw.exe
C:\WINDOWS\ymjropbA.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\System32\4b87947a.exe
C:\WINDOWS\System32\redistributor.exe
C:\Program Files\Common Files\{40E73DFC-03E8-1033-0306-011118030001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Lisa\MYDOCU~1\MANTEC~1\mshta.exe
C:\PROGRA~1\COMMON~1\ukfz\ukfzm.exe
C:\WINDOWS\T?sks\?ttrib.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\aspi264477.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\TGlzYQ\command.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\COMMON~1\ukfz\ukfza.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lisa\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\grckk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qniouta.exe
O1 - Hosts: 84.252.148.80 www.bankone.com
O1 - Hosts: 84.252.148.80 bankone.com
O1 - Hosts: 84.252.148.80 halifax.com
O1 - Hosts: 84.252.148.80 www.halifax.com
O1 - Hosts: 84.252.148.80 halifax.co.uk
O1 - Hosts: 84.252.148.80 www.halifax.co.uk
O1 - Hosts: 84.252.148.80 www.bankofamerica.com
O1 - Hosts: 84.252.148.80 bankofamerica.com
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.com
O1 - Hosts: 84.252.148.80 lloydstsb.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 www.garanti.com.tr
O1 - Hosts: 84.252.148.80 garanti.com.tr
O1 - Hosts: 84.252.148.80 www.kocbank.com.tr
O1 - Hosts: 84.252.148.80 kocbank.com.tr
O1 - Hosts: 84.252.148.80 www.disbank.com.tr
O1 - Hosts: 84.252.148.80 disbank.com.tr
O1 - Hosts: 84.252.148.80 www.chase.com
O1 - Hosts: 84.252.148.80 chase.com
O1 - Hosts: 84.252.148.80 www.southtrust.com
O1 - Hosts: 84.252.148.80 southtrust.com
O1 - Hosts: 84.252.148.80 www.wachovia.com
O1 - Hosts: 84.252.148.80 wachovia.com
O1 - Hosts: 84.252.148.80 www.wellsfargo.com
O1 - Hosts: 84.252.148.80 wellsfargo.com
O1 - Hosts: 84.252.148.80 www.barclays.co.uk
O1 - Hosts: 84.252.148.80 barclays.co.uk
O1 - Hosts: 84.252.148.80 www.barclays.com
O1 - Hosts: 84.252.148.80 barclays.com
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.citi.com
O1 - Hosts: 84.252.148.80 citi.com
O1 - Hosts: 84.252.148.80 www.citibank.com
O1 - Hosts: 84.252.148.80 citibank.com
O1 - Hosts: 84.252.148.80 www.etrade.com
O1 - Hosts: 84.252.148.80 etrade.com
O1 - Hosts: 84.252.148.80 www.neteller.com
O1 - Hosts: 84.252.148.80 neteller.com
O1 - Hosts: 84.252.148.80 tcfbank.com
O1 - Hosts: 84.252.148.80 www.tcfbank.com
O1 - Hosts: 84.252.148.80 hsbc.com
O1 - Hosts: 84.252.148.80 www.hsbc.com
O1 - Hosts: 84.252.148.80 hsbc.co.uk
O1 - Hosts: 84.252.148.80 www.hsbc.co.uk
O1 - Hosts: 84.252.148.80 Email Removed
O1 - Hosts: 84.252.148.80 www.Email Removed
O1 - Hosts: 84.252.148.80 comerica.com
O1 - Hosts: 84.252.148.80 www.comerica.com
O1 - Hosts: 84.252.148.80 www.3riversfcu.org
O1 - Hosts: 84.252.148.80 3riversfcu.org
O1 - Hosts: 84.252.148.80 www.53.com
O1 - Hosts: 84.252.148.80 53.com
O1 - Hosts: 84.252.148.80 www.amazon.com
O1 - Hosts: 84.252.148.80 amazon.com
O1 - Hosts: 84.252.148.80 www.bbt.com
O1 - Hosts: 84.252.148.80 bbt.com
O1 - Hosts: 84.252.148.80 www.boh.com
O1 - Hosts: 84.252.148.80 boh.com
O1 - Hosts: 84.252.148.80 www.capitalone.com
O1 - Hosts: 84.252.148.80 capitalone.com
O1 - Hosts: 84.252.148.80 www.cnbwax.com
O1 - Hosts: 84.252.148.80 cnbwax.com
O1 - Hosts: 84.252.148.80 www.cwbk.com
O1 - Hosts: 84.252.148.80 cwbk.com
O1 - Hosts: 84.252.148.80 www.ebay.com
O1 - Hosts: 84.252.148.80 ebay.com
O1 - Hosts: 84.252.148.80 www.edsefcu.org
O1 - Hosts: 84.252.148.80 edsefcu.org
O1 - Hosts: 84.252.148.80 egold.com
O1 - Hosts: 84.252.148.80 www.egold.com
O1 - Hosts: 84.252.148.80 www.e-gold.com
O1 - Hosts: 84.252.148.80 e-gold.com
O1 - Hosts: 84.252.148.80 www.firstusa.com
O1 - Hosts: 84.252.148.80 firstusa.com
O1 - Hosts: 84.252.148.80 www.frontierbank.com
O1 - Hosts: 84.252.148.80 frontierbank.com
O1 - Hosts: 84.252.148.80 www.gncu.org
O1 - Hosts: 84.252.148.80 gncu.org
O1 - Hosts: 84.252.148.80 www.householdbank.com
O1 - Hosts: 84.252.148.80 householdbank.com
O1 - Hosts: 84.252.148.80 www.icicibank.com
O1 - Hosts: 84.252.148.80 icicibank.com
O1 - Hosts: 84.252.148.80 www.mbna.com
O1 - Hosts: 84.252.148.80 mbna.com
O1 - Hosts: 84.252.148.80 www.mibank.com
O1 - Hosts: 84.252.148.80 mibank.com
O1 - Hosts: 84.252.148.80 www.midamericabank.com
O1 - Hosts: 84.252.148.80 midamericabank.com
O1 - Hosts: 84.252.148.80 www.myindymacbank.com
O1 - Hosts: 84.252.148.80 myindymacbank.com
O1 - Hosts: 84.252.148.80 www.nafcunet.org
O1 - Hosts: 84.252.148.80 nafcunet.org
O1 - Hosts: 84.252.148.80 www.nationalcity.com
O1 - Hosts: 84.252.148.80 nationalcity.com
O1 - Hosts: 84.252.148.80 www.cnb.com
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Lisa\Desktop\MsgPlus.exe"
O4 - HKLM\..\Run: [BaitDaleFlapBoob] C:\Documents and Settings\All Users\Application Data\PartDebugBaitDale\Funk audio.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\System32\cvn0.exe
O4 - HKLM\..\Run: [defender] C:\\dfndref_7.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKLM\..\Run: [keyboard] C:\\kybrdef_7.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [ms048965081088] C:\WINDOWS\ms048965081088.exe
O4 - HKLM\..\Run: [ymjropbA] C:\WINDOWS\ymjropbA.exe
O4 - HKLM\..\Run: [fsr05e9d] RUNDLL32.EXE w2935e94.dll,n 00205e9b000000032935e94
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [w296cb76.dll] RUNDLL32.EXE w296cb76.dll,I2 00205e9b0296cb76
O4 - HKLM\..\Run: [4b87947a.exe] C:\WINDOWS\System32\4b87947a.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [papxkl] C:\WINDOWS\System32\pilgkn.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BitsSafe] C:\DOCUME~1\Lisa\APPLIC~1\MFCDLO~1\bin skip rect.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\Lisa\Desktop\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Isce] "C:\DOCUME~1\Lisa\MYDOCU~1\MANTEC~1\mshta.exe" -vt yazr
O4 - HKCU\..\Run: [lwvyl] C:\WINDOWS\System32\pilgkn.exe reg_run
O4 - HKCU\..\Run: [ukfz] C:\PROGRA~1\COMMON~1\ukfz\ukfzm.exe
O4 - HKCU\..\Run: [Qqcdumxf] C:\WINDOWS\T?sks\?ttrib.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [4b87947a.exe] C:\Documents and Settings\Lisa\Local Settings\Application Data\4b87947a.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Lisa\LOCALS~1\Temp\2D.tmp3072.exe
O4 - Global Startup: ipwhq.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Lisa\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: logons - C:\WINDOWS\System32\redist.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\jtjo0713e.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_27.dll
O21 - SSODL: fOyyInKddrpw - {40E73DFD-EA4D-9757-836A-D38A6A09A1D0} - C:\WINDOWS\System32\tstw.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi264477.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGlzYQ\command.exe
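One way a helper could triage a pasted log like the one above, as an added example that is not part of this thread or of HijackThis itself (the function names, the three-host threshold and the SAMPLE_LOG text are this example's own choices; its sample lines are copied from the log above plus one constructed benign 127.0.0.1 entry): it groups the O1 hosts entries by address and reports any public address that several hostnames are pinned to, which is the hosts-file pharming pattern visible here (bank and payment sites all pointed at 84.252.148.80), and it lists the search-page, proxy, trusted-zone, MIME-filter, AppInit_DLLs and unknown-owner service entries that a cleanup should review.

```python
"""Triage helper for pasted HijackThis-style log lines.

Added example for this thread; it is not part of HijackThis or of the
forum's own tooling. Function names, the min_hosts threshold and the
SAMPLE_LOG below are this example's own choices.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the log above, plus one
# benign 127.0.0.1 hosts entry so the pharming rule has something to ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.bankofamerica.com
O1 - Hosts: 84.252.148.80 www.chase.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O15 - Trusted Zone: *.winfixer.com (HKLM)
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - AppInit_DLLs: repairs303169590.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGlzYQ\command.exe
"""

# Every HijackThis entry starts with a section code such as R1, O1, O23.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Registry value names under the R0/R1 sections that hijackers commonly rewrite.
SEARCH_KEYS = ("Default_Search_URL", "Search Bar", "Search Page",
               "SearchAssistant", "CustomizeSearch", "Start Page")


def parse_lines(text):
    """Return (section, body) pairs; lines that are not HJT entries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def find_hosts_pharming(entries, min_hosts=3):
    """Group O1 hosts entries by address; report public addresses that
    min_hosts or more names resolve to. Loopback/unspecified targets
    (127.0.0.1, 0.0.0.0) are skipped because ad-blocking hosts files use them."""
    by_ip = defaultdict(set)
    for section, body in entries:
        if section != "O1" or not body.startswith("Hosts:"):
            continue
        parts = body[len("Hosts:"):].split()
        if len(parts) != 2:
            continue
        ip, host = parts
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not addr.is_global:
            continue
        by_ip[ip].add(host.lower())
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}


def find_browser_hijacks(entries):
    """Collect R0/R1 search/start-page and proxy settings as (name, value).
    A blanked search page next to a third-party SearchAssistant is the usual
    search-hijacker pattern; a ProxyServer value means traffic can be routed
    through a host the user never chose."""
    hits = []
    for section, body in entries:
        if section not in ("R0", "R1"):
            continue
        key, sep, value = body.partition(" = ")
        if not sep:
            continue
        name = key.rsplit(",", 1)[-1]
        if name in SEARCH_KEYS or name == "ProxyServer":
            hits.append((name, value.strip()))
    return hits


def find_trust_and_hooks(entries):
    """Flag entries that grant trust or hook core code paths: O15 trusted-zone
    domains, an O18 text/html MIME filter, any O20 AppInit_DLLs, and O23
    services with no registered owner."""
    hits = []
    for section, body in entries:
        if section == "O15" and body.startswith("Trusted Zone:"):
            hits.append(("trusted_zone", body.split(":", 1)[1].strip()))
        elif section == "O18" and body.startswith("Filter: text/html"):
            hits.append(("html_filter", body.rsplit(" - ", 1)[-1]))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            hits.append(("appinit_dll", body.split(":", 1)[1].strip()))
        elif section == "O23" and "Unknown owner" in body:
            hits.append(("unknown_service", body.rsplit(" - ", 1)[-1]))
    return hits


def triage(text):
    """Run all three rules over a pasted log and return the findings by kind."""
    entries = parse_lines(text)
    return {
        "hosts_pharming": find_hosts_pharming(entries),
        "browser_settings": find_browser_hijacks(entries),
        "trust_and_hooks": find_trust_and_hooks(entries),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

Feed the whole pasted log to `triage()` rather than the sample to get the full picture; the threshold of three names per public address is deliberately low because a legitimate hosts file almost never points more than one or two names at a public address, while this log pins dozens of bank domains to one.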
-
Can you do the following, please?
Download and unzip to your desktop InstalledPrograms.zip (http://www.billsway.com/vbspage/vbsfiles/InstalledPrograms.zip)
Double click on InstalledPrograms.vbs
Click OK at the IP prompt and click YES to view the results now
A text file will open; can you copy and paste the whole contents back here?
-
INSTALLED SOFTWARE (23) - LISACOMPUTER - 7/26/2006 4:18:59 PM
Comcast High-Speed Internet Install Wizard
Forethought
HijackThis 1.99.1 Ver: 1.99.1
Icons
Icons
J2SE Runtime Environment 5.0 Update 3 Ver: 1.5.0.30 Installed: 7/20/2006
LimeWire 4.12.3 Ver: 4.12.3
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam Software Ver: 8.47.0000
Logitech VideoCall
Logitech® Camera Driver
Macromedia Flash Player 8 Ver: 8
MediaTickets By OIN Ver: 1.0
Messenger Plus! 3 & Sponsor
MSN Messenger 7.5 Ver: 7.5.0324.0 Installed: 5/30/2006
Quicklinks
Spybot - Search & Destroy 1.4 Ver: 1.4
Surf SideKick
ToolBar888
WebFldrs XP Ver: 9.50.5318 Installed: 4/9/2006
webHancer Survey Companion
WinRAR Archivierer
-
You are quite infected; nothing we can't fix, but I will also let you know of another option.
You have no Windows updates on this computer; chances are that without updates you will get reinfected in no time.
I don't want you to install any Windows updates yet, as they may not install correctly.
But another option is to format this computer and start fresh with a clean install.
Let me know what option you choose: to continue to fix this computer, or to format and clean install this computer.
-
I'm planning on reformatting it as soon as the user returns to Germany (foreign exchange student).
I'm a bit worried though, is there a chance of this infection spreading to other computers on our network? If so, what can I do to prevent it?
-
Since there are no Windows updates on this computer
and the possibility it is hooked to a network, disconnect it immediately.
It is not a very good idea keeping a vulnerable computer connected to other computers!!!