1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

coreflood and ircflood help

Discussion in 'Virus & Other Malware Removal' started by carmelross, Oct 16, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. carmelross

    carmelross Thread Starter

    Joined:
    Jul 18, 2003
    Messages:
    15
    i seem to have coreflood andircflood all over the place and cant get Logfile of HijackThis v1.95.1
    Scan saved at 1:01:45 PM, on 10/15/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\program files\support.com\bin\tgcmd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\TVMD.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\WINDOWS\System32\LNLPVPIRUE.EXE
    C:\PROGRA~1\YAHOO!\browser\ycommon.exe
    C:\Program Files\SBC\Connection Manager\CManager.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\Program Files\Yahoo!\browser\YBrowser.exe
    C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
    C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
    C:\Documents and Settings\carmel\Local Settings\Temp\Temporary Directory 12 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
    O4 - HKLM\..\Run: [SysExplore] C:\WINDOWS\System32\explorer32.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [MSConfig] LNLPVPIRUE.EXE
    O4 - HKLM\..\Run: [btqdpni] rundll32 C:\WINDOWS\System32\btqdpni.dll,Init 1
    O4 - HKLM\..\Run: [mnzrpam] rundll32 C:\WINDOWS\System32\mnzrpam.dll,Init 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: webdav.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Chat 1.3 - http://cs5.chat.sc5.yahoo.com/c174/chat.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/sbcy/yinst.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
    O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.7381944444
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
    O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp.coupons.com/r3120/cpbrxpie.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_2_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D5796A32-F030-4100-9EBB-26F1A2A72695}: NameServer = 206.141.193.55 66.73.20.40

    rid of them help.ty
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Hello Carmel.....1st you need to un-install Kazaa,its the main source of your problems.

    Then...Have "Show hidden files" enabled in Folder Options/View.

    Then reboot into Safe Mode[By tapping the F8 key as windows boots up].

    1 -- Run Explorer and navigate to:
    c:\windows\system32 and delete this file:
    explorer32.exe

    While still in safe mode.... Run HijackThis again and check and fix these entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
    O4 - HKLM\..\Run: [SysExplore] C:\WINDOWS\System32\explorer32.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [MSConfig] LNLPVPIRUE.EXE
    O4 - HKLM\..\Run: [btqdpni] rundll32 C:\WINDOWS\System32\btqdpni.dll,Init 1
    O4 - HKLM\..\Run: [mnzrpam] rundll32 C:\WINDOWS\System32\mnzrpam.dll,Init 1

    O4 - Global Startup: webdav.exe

    NOTE:BEFORE YOU FIX THE THREE IN RED CAN YOU
    SEND ME COPIES OF THEM HERE

    Lastly..Hit the start button choose "run" and type "regedit"(without the quotes) and navigate to:

    HKey_Current_User
    Software
    Microsoft
    Windows
    CurrentVersion
    RunOnce

    Look in the Right Hand pane.....If there is anything there but the "default" value, Right click on it and delete it.

    Post another log after downloaded from here: http://www.tomcoyote.org/hjt/ That will give us the latest logfile.

    ;)
     
  3. carmelross

    carmelross Thread Starter

    Joined:
    Jul 18, 2003
    Messages:
    15
    you r going to think i am dumb but i cant find explorer32.exe
     
  4. carmelross

    carmelross Thread Starter

    Joined:
    Jul 18, 2003
    Messages:
    15
    and ty for your help
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    No problem..............And dont kick yourself....you got this far so your not dumb;)
    I just hope you can find the 3 in red to send me for analysis.

    Now,go to the above site,it will give you the latest version of HijackThis,then post another log.
    ;)
     
  6. carmelross

    carmelross Thread Starter

    Joined:
    Jul 18, 2003
    Messages:
    15
    lol i cant find the 3 in red is it ok to just delete them?
     
  7. carmelross

    carmelross Thread Starter

    Joined:
    Jul 18, 2003
    Messages:
    15
    sorry i take so long in between posts i got a hundred things going on at once
     
  8. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Its ok..........there is usually a security tech on-line 24/7.
    If you have enabled windows to show hidden files and folders and still cant locate the three,then i wouldnt worry.

    But i would still like to see another log to check.

    ;)
     
  9. normmork

    normmork

    Joined:
    Oct 4, 2002
    Messages:
    76
    You may want to update your HJT to version 1.97.x

    Alsao Kazaa may ahve also placed Bullguard A/V and P2Pnetworking on your machine.
     
  10. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/172276

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice