
HIJACK THIS! Log

Discussion in 'Virus & Other Malware Removal' started by naamah, Dec 21, 2011.

Thread Status:
Not open for further replies.
  1. naamah

    naamah Thread Starter

    Joined:
    Dec 21, 2011
    Messages:
    6
    I was just browsing Google, didn't open any weird emails, etc. I only ever use Mozilla even though IE is still installed.
    All of a sudden a bubble pops up from the taskbar saying "Prvacy Threat!" and a paragraph explaining how some kind of malware could be damaging my computer right now, etc.

    It keeps sending me these "XP antivirus 2012" warnings about:
    Trojan.SMS.SymbOS.Viver.a has attacked port 17535 attacked from 32.211.28.17 port 33727

    (XP antivirus is a program I never saw before and DID NOT download).

    My computer won't open programs from the desktop by double-click, only by right-click, and Ad-Aware won't open at all. It also won't allow use of Google search in the Mozilla toolbox and sends me to some "this site may be infected" type of fake page. Using search through Windows (the little dog) as if I'm looking for a file and choosing "search the internet" is the ONLY way I can get to a browser page that somewhat works in Mozilla.

    Here is my log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:16:11 AM, on 12/21/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\avgagent.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Documents and Settings\pstrand\Local Settings\Application Data\fli.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Documents and Settings\pstrand\My Documents\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=ZUGO&form=ZGAPHP
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
    O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll (file missing)
    O3 - Toolbar: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://www.illinois.ticortitle.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156866565859
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = greenberg.local
    O17 - HKLM\Software\..\Telephony: DomainName = greenberg.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = greenberg.local
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVG7 Remote Support Service (AvgAgent) (avgagent) - Unknown owner - avgagent.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    --
    End of file - 6776 bytes
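    A small triage script for logs like the one above, added here as an example; it is not part of the thread or of HijackThis itself. It walks the "Running processes" paths and the R/O entries and flags what a helper looks at first: executables in user-writable profile folders (like fli.exe above), "(file missing)" leftovers, services with an unknown owner or a bare file name, and the unrecognised Winsock LSP. The sample lines are copied from this log.

```python
import re
# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\pstrand\Local Settings\Application Data\fli.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll (file missing)
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: AVG7 Remote Support Service (AvgAgent) (avgagent) - Unknown owner - avgagent.exe (file missing)
"""

# Profile folders any user can write to; rogue AV droppers (fli.exe here) favour them.
USER_WRITABLE = re.compile(r"\\(Local Settings\\)?Application Data\\|\\Temp\\", re.IGNORECASE)
ENTRY = re.compile(r"^(O\d+|R\d) - ")      # HijackThis R0/R1/O2/O4/... entry lines
PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)  # lines of the "Running processes" block

def reasons_for(line):
    """Return the reasons a single log line deserves a closer look ([] if none)."""
    reasons = []
    if "(file missing)" in line:
        reasons.append("referenced file is missing (orphaned entry)")
    if "Unknown owner" in line:
        reasons.append("service has no recognised publisher")
    if line.startswith("O10 - Unknown"):
        reasons.append("unrecognised Winsock LSP")
    if USER_WRITABLE.search(line):
        reasons.append("executable lives in a user-writable profile folder")
    if line.startswith("O23 - "):
        image = line.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
        if "\\" not in image:
            reasons.append("service image is a bare file name, not a full path")
    return reasons

def triage(log_text):
    """Return [(line, reasons)] for every flagged process path or R/O entry."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PATH.match(line) or ENTRY.match(line):
            reasons = reasons_for(line)
            if reasons:
                flagged.append((line, reasons))
    return flagged
```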
     
  2. naamah

    naamah Thread Starter

    Joined:
    Dec 21, 2011
    Messages:
    6
    Also I downloaded Spybot S&D, but when I try to run it, it tells me it's infected and asks me to run some program to scan it (which I did not click or follow through).
     
  3. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    80,956
    First Name:
    Frank
    Start HiJackThis, but don't run a scan.

    Click on the "Open The Misc Tools Section" button.

    Click on the "Open Uninstall Manager" button.

    Click on the "Save List" button.

    Save the "uninstall_list.txt" file somewhere.

    It'll then open in Notepad.

    Return here to your thread, then copy-and-paste the entire file here.

    -----------------------------------------------------------
     
  4. naamah

    naamah Thread Starter

    Joined:
    Dec 21, 2011
    Messages:
    6
    It won't let me access HijackThis any longer; it now tells me I don't have permission to access this....
    I thought I had gotten rid of the problem by using the 2nd method on this site: http://deletemalware.blogspot.com/2011/06/remove-xp-antispyware-2012-xp-internet.html
    (But I used Malwarebytes instead of the Stopzilla they recommend because I have no money to buy the product in order to fix the problems.)
    I got it to stop bringing up the process in Task Manager which was called fli.exe, and I disconnected from online overnight, but today in the Task Manager a new name, MDM.exe, comes up and the same problems are happening, except the window of the fake XP AntiVirus 2012 program isn't showing up. I'm having all the same problems accessing things, including websites, if I don't go through the searching dog in my Windows Explorer.
     
  5. naamah

    naamah Thread Starter

    Joined:
    Dec 21, 2011
    Messages:
    6
    Also I searched for this MDM.exe that keeps appearing in the processes in Task Manager and it came up twice: once as the actual program MDM.exe, but then also a result came up for MDM.exe.config.
    These appear to be both located in C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
    Can I just delete these and it will be done or are they needed files and I will mess my computer up further?
     
  6. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    80,956
    First Name:
    Frank
    With all the registry editing and other steps that site advises you to do, it's a pretty good bet that you've trashed the operating system.

    Your best viable option is to format the hard drive and do a clean reinstall of Windows XP SP3 and get a fresh start.

    --------------------------------------------------------------
     
  7. naamah

    naamah Thread Starter

    Joined:
    Dec 21, 2011
    Messages:
    6
    Well the problem is that I don't have the Windows disc, as this was a used PC I got from my friend when he got a new one.
    Also all my original music and the programs for creating it (I use the PC primarily to make music and videos for my music and upload it online) are all on here and I only have a small flash disk to back up the stuff I haven't released on CD yet. :(
    Is there any other way to help it besides reformatting and reinstalling Windows?


    I didn't do everything on that site, only the 1st set of "Alternate removal instructions", not the quick removal (the prog. never came up again to enter the debugged serial key as the site suggests).

    I followed this, but ran Malwarebytes at the end rather than the program they suggested because I can't afford to pay:


    "Make sure that you can see hidden and operating system protected files in Windows. For more information, please read Show Hidden Files and Folders in Windows.

    Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmarks from the checkboxes labeled:

    • Hide extensions for known file types
    • Hide protected operating system files
    Click OK to save the changes.

    1. Go into C:\Documents and Settings\[UserName]\Local Settings\Application Data\ folder.

    For example: C:\Documents and Settings\Michael\Local Settings\Application Data\

    2. Find hidden executable file in this folder. In our case it was called wmi.exe, but I'm sure that the file name will be different in your case. Rename wmi.exe to virus.exe and click Yes to confirm file rename. Then restart your computer.



    3. After a restart, copy all the text in bold below and paste to Notepad.

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"

    4. Save file as fix.reg to your Desktop. NOTE: (Save as type: All files)

    5. Double-click on fix.reg file to run it. Click "Yes" for Registry Editor prompt window. Then click OK.

    6. Open Internet Explorer. Download xp_exe_fix.reg and save it to your Desktop. Double-click on xp_exe_fix.reg to run it. Click "Yes" for Registry Editor prompt window. Click OK.


    7. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

    NOTE: With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning."
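    To see what the fix.reg step in the quoted instructions actually restores, here is an added example (not from the quoted site or from anyone in this thread) that parses a Regedit 5.00 export and compares the .exe file association against stock Windows XP values. The expected command value "%1" %* and the hijacked sample command pointing at fli.exe are assumptions added for illustration; the .exe key text is the fix.reg from the post.

```python
import re
# Stock Windows XP values for the .exe association (assumed reference values);
# restoring these is what the fix.reg / xp_exe_fix.reg steps aim to do.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": {"@": "exefile", "Content Type": "application/x-msdownload"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
}

# Constructed sample: the fix.reg text from the post plus a hijacked open command
# (assumed, modelled on the fli.exe dropper named in the thread) for the check to catch.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\fli.exe\" -a \"%1\" %*"
'''

# One string value line: @="..." or "Name"="..." with .reg backslash escapes.
VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ ."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse a Regedit 5.00 export into {key: {value_name: string}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(2))
            keys[current][name] = unescape(m.group(3))
    return keys

def check_exe_association(keys):
    """Return (key, value_name, found_value) for every EXPECTED value that is absent or altered."""
    problems = []
    for key, values in EXPECTED.items():
        for name, want in values.items():
            got = keys.get(key, {}).get(name)
            if got != want:
                problems.append((key, name, got))
    return problems
```

An empty list from check_exe_association means the association matches the stock values; a non-empty one shows exactly which value still points somewhere else.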
     
  8. naamah

    naamah Thread Starter

    Joined:
    Dec 21, 2011
    Messages:
    6
    It's causing problems like not saving the sound in videos I try to make in Windows Movie Maker. The videos, even though I put music to them, are all coming out silent. (And yes, other sounds such as MP3s work.)
     
  9. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    80,956
    First Name:
    Frank
    Read here and submit the required logs and information, if you want a trained gold/blue shield member to assist you.

    Your problems are beyond my expertise.

    ------------------------------------------------------------
     