
Help with Hijackthis log please!!!

Discussion in 'Virus & Other Malware Removal' started by Scrolly21, Sep 21, 2004.

Thread Status:
Not open for further replies.
  1. Scrolly21 (Thread Starter)
     Joined: Jun 22, 2004
     Messages: 24

    I received a file from a friend over MSN Messenger and since then every other account on my computer has lost all programs and can't be used, but my account still works. I downloaded Ad-Aware and removed 266 infected files. I then also downloaded Spybot Search & Destroy, but when I run it an error pops up saying "Error during check 2020 search (Ungultiger Datentyp fur ")".

    Here is the Hijackthis log...can anyone help?

    Logfile of HijackThis v1.97.7
    Scan saved at 3:58:16 PM, on 9/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\services.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\DllHost.exe
    C:\Documents and Settings\Gary\My Documents\HijackThis.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deluxe-sc.com/YOUhaveARRIVED.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 1
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
    O2 - BHO: (no name) - {5340DAC9-10B9-4FB3-80C3-A196133AE8B9} - C:\WINDOWS\e3Cm.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: GuardWall - {D2F719F3-106A-402B-9996-3A5B12ACA564} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [BargainBuddy] C:\Program Files\BullEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 (HKLM)
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30bc1d2e1b099adbd515/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095791244906
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9B448AAC-3E69-4A5D-A304-14095E0792A4}: NameServer = 198.164.30.2 198.164.4.2
  2. mimo2005
     Joined: Aug 14, 2004
     Messages: 454

    Remove these:
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
    Troj/Prorat-D is a backdoor Trojan which may allow unauthorised access and control of the computer from a remote network location.
    Upon execution, Troj/Prorat-D drops copies of itself into the Windows System or System32 folder using one or more of the filenames FSERVICE.EXE, FFSERVICE.EXE, DSERVICE.EXE, LSERVICE.EXE, SSERVICE.EXE and WSERVICE.EXE.
    Troj/Prorat-D adds the following registry entries so that it is run on startup:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    Windows Reg Services = C:\<Windows System>\<filename>
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    Windows Reg Services = C:\<Windows System>\<filename>
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    Shell = Explorer.exe C:\<Windows System>\<filename>
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
    Windows Reg Services = C:\<Windows System>\<filename>
    DirectX for Microsoft Windows = C:\<Windows System>\<filename>
    HKLM\Software\Microsoft\Active Setup\Installed Components\
    [A75aed00-d7bf-11d1-9947-00c0Cf98bbc9]\
    StubPath = C:\<Windows System>\<filename>
    HKLM\Software\Microsoft\Active Setup\Installed Components\
    [5Y99AE78-58TT-11dW-BE53-Y67078979Y]\
    StubPath = C:\<Windows System>\<filename>
    This Trojan may also attempt to download and install the file http://members.lycos.co.uk/kabloboy/XP_Update v1.5.3.exe.
    This will be copied into the Windows folder under WINLOGON.EXE.
    This program will drop the file WINKEY.DLL into the Windows System folder and create the following registry entry:
    HKCU\Software\Microsoft DirectX\WinSettings\
    Troj/Prorat-C is embedded within WINKEY.DLL.
    The downloaded file will also change the value in the [boot] and [windows] sections of the files SYSTEM.INI and WIN.INI (respectively), in the Windows folder by including the path to a copy of the original file, e.g.
    File : SYSTEM.INI
    Section : boot
    Parameter : shell
    (New) Value : EXPLORER.EXE C:\<Windows System>\<filename>
    File : WIN.INI
    Section : windows
    Parameter : run
    (New) Value : C:\<Windows System>\<filename>
    Troj/Prorat-D may also employ counter-removal tricks so that it becomes difficult to terminate the Trojan process.
    Furthermore the Trojan may monitor the registry entries above such that the entries are restored immediately if changed.
    REMOVE ALSO
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [BargainBuddy] C:\Program Files\BullEye Network\bin\bargains.exe
    Stop Running Processes:

    Kill these running processes with Task Manager
    arupdate.exe
    c:\temp\webrebates_cdt_installsilent.exe
    cashback.exe
    cb.exe
    djtopr1150.exe
    flash.exe
    nls.exe <<<<< YOU HAVE THIS ONE, KILL IT WITH CTRL+ALT+DEL
    programfilesdir+\web_rebates\disp1150.exe
    programfilesdir+\web_rebates\webrebates0.exe
    programfilesdir+\web_rebates\webrebates1.exe
    programfilesdir+\webrebates\webrebates1.exe
    systemroot+\2805e.exe
    unregister.exe
    unstsa3.exe

    Remove AutoRun Reference:

    Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\webrebates, delete it and reboot the machine immediately.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\webrebates0, delete it and reboot the machine immediately.
    Clean Registry:

    Remove these registry items (if present) with RegEdit:
    HKEY_LOCAL_MACHINE\software\classes\appid\hungryhands.dll\appid
    HKEY_LOCAL_MACHINE\software\classes\clsid\{0a8ce102-fa03-4612-9bee-7fe5452f4cb1}
    HKEY_LOCAL_MACHINE\software\classes\clsid\{bcf96fb4-5f1b-497b-aecc-910304a55011}\appid
    HKEY_LOCAL_MACHINE\software\classes\interface\{f8fb4ea2-6c05-4de5-8cd0-625b03f48e22}
    HKEY_LOCAL_MACHINE\software\classes\typelib\{03f8822f-8877-4002-8bcd-b532d53d8471}
    HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{26398112-f068-4273-964b-a1d8bcf3e576}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c5941ee5-6dfa-11d8-86b0-0002441a9695}\bho_path
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c5941ee5-6dfa-11d8-86b0-0002441a9695}\bhonew
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c5941ee5-6dfa-11d8-86b0-0002441a9695}\bhonew_url
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c5941ee5-6dfa-11d8-86b0-0002441a9695}\bhonew_version
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c5941ee5-6dfa-11d8-86b0-0002441a9695}\bhoversion
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c5941ee5-6dfa-11d8-86b0-0002441a9695}\keynew
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c5941ee5-6dfa-11d8-86b0-0002441a9695}\keynew_url
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c5941ee5-6dfa-11d8-86b0-0002441a9695}\keynew_version
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c5941ee5-6dfa-11d8-86b0-0002441a9695}\keyversion
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\dcr2
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/conflict.1/installer.dll\.owner
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/conflict.1/installer.dll\{7eb15626-cb8e-4174-8a72-c055b12b4310}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/wuinst.dll\.owner
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/wuinst.dll\{e2f2b9d0-96b9-4b25-b90c-636ecb207d18}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\webrebates
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\webrebates0
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions\approved\{26398112-f068-4273-964b-a1d8bcf3e576}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\untopr1150\displayname
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\untopr1150\uninstallstring
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\windows sr 3.0\-\-
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\windows sr 3.0\displayname
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\windows sr 3.0\uninstallstring

    Remove Files:

    Remove these files (if present) with Windows Explorer
    10689.gbd2
    1150_0.dat
    1150_1.dat
    1150_2.dat
    1150sh.dat
    40d3649e11d4.dat
    40d364a11d51.dat
    40d364a94b0d.dat
    40d364aa1c1d.dat
    arupdate.exe
    b3_t_%22web+rebates%22763.xml
    belt.ini
    c:\temp\webrebates_cdt_installsilent.exe
    cashback.exe
    cb.exe
    djtopr1150.exe
    flash.exe
    fwntoolbar.dll.manifest
    install.log
    jau5055.dat
    jsy5055.dat
    key3.txt
    log.txt
    merc1158.dat
    nls.exe
    programfilesdir+\web_rebates\disp1150.exe
    programfilesdir+\web_rebates\sy1150\html\popo1150a_r.htm
    programfilesdir+\web_rebates\sy1150\html\popo1150a_rb.htm
    programfilesdir+\web_rebates\sy1150\html\popo1150a_rbh.htm
    programfilesdir+\web_rebates\sy1150\html\popo1150a_u.htm
    programfilesdir+\web_rebates\sy1150\html\popo1150a_ub.htm
    programfilesdir+\web_rebates\sy1150\html\popo1150a_ubh.htm
    programfilesdir+\web_rebates\sy1150\html\pref1150a.htm
    programfilesdir+\web_rebates\sy1150\html\scri1150a.htm
    programfilesdir+\web_rebates\sy1150\html\spec1150a_r.htm
    programfilesdir+\web_rebates\sy1150\html\spec1150a_rb.htm
    programfilesdir+\web_rebates\sy1150\html\spec1150a_rbh.htm
    programfilesdir+\web_rebates\sy1150\html\spec1150a_u.htm
    programfilesdir+\web_rebates\sy1150\html\spec1150a_ub.htm
    programfilesdir+\web_rebates\sy1150\html\spec1150a_ubh.htm
    programfilesdir+\web_rebates\sy1150\tp1150\popo1150a_r.htm
    programfilesdir+\web_rebates\sy1150\tp1150\popo1150a_rb.htm
    programfilesdir+\web_rebates\sy1150\tp1150\popo1150a_rbh.htm
    programfilesdir+\web_rebates\sy1150\tp1150\popo1150a_u.htm
    programfilesdir+\web_rebates\sy1150\tp1150\popo1150a_ub.htm
    programfilesdir+\web_rebates\sy1150\tp1150\popo1150a_ubh.htm
    programfilesdir+\web_rebates\sy1150\tp1150\pref1150a.htm
    programfilesdir+\web_rebates\sy1150\tp1150\scri1150a.htm
    programfilesdir+\web_rebates\sy1150\tp1150\spec1150a_r.htm
    programfilesdir+\web_rebates\sy1150\tp1150\spec1150a_rb.htm
    programfilesdir+\web_rebates\sy1150\tp1150\spec1150a_rbh.htm
    programfilesdir+\web_rebates\sy1150\tp1150\spec1150a_u.htm
    programfilesdir+\web_rebates\sy1150\tp1150\spec1150a_ub.htm
    programfilesdir+\web_rebates\sy1150\tp1150\spec1150a_ubh.htm
    programfilesdir+\web_rebates\webrebates0.exe
    programfilesdir+\web_rebates\webrebates1.exe
    programfilesdir+\webrebates\webrebates1.exe
    psid1158.dat
    readme.txt
    rge5055.dat
    sty5055.dat
    systemroot+\2805e.exe
    systemroot+\3_0_1browserhelper3.dll
    systemroot+\artmmp.ini
    systemroot+\cache371\b_371_0_1_501300.htm
    systemroot+\cache371\b_371_0_1_569200.htm
    systemroot+\cache371\b_371_0_1_582200.htm
    systemroot+\neti.dll
    systemroot+\system32\adcache\b_371_0_1_501300.htm
    systemroot+\system32\adcache\b_371_0_1_569200.htm
    systemroot+\system32\adcache\b_371_0_1_582200.htm
    systemroot+\system32\imgconv.dll
    systemroot+\system32\vic32.dll
    topr1150.dat
    toprebates.txt
    unregister.exe
    unstsa3.exe
    web_rebates.txt
    GOOD LUCK
Short URL to this thread: https://techguy.org/276527