
Logs, what do i need to remove?

Discussion in 'Virus & Other Malware Removal' started by red dead, Apr 11, 2004.

Thread Status:
Not open for further replies.
  1. red dead

    red dead Thread Starter

    Joined:
    Apr 11, 2004
    Messages:
    17
    Below are my logs from HijackThis, StartupList, and CWShredder. They were all taken in safe mode with networking. I would like to know anything I should remove, and preferably why, but if you are pressed for time it is not that necessary; also, anything else I should do with this system that you can see from the logs would be appreciated. If you need any other info I will be happy to oblige if I can. Thanks for any help.

    HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:40:00 AM, on 4/11/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Documents and Settings\Mark Johnson\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [luhmh] C:\WINNT\luhmh.exe
    O4 - HKLM\..\Run: [BFILO] C:\WINNT\BFILO.exe
    O4 - HKLM\..\Run: [jul] C:\WINNT\jul.exe
    O4 - HKLM\..\Run: [prapim] C:\WINNT\system32\prapim.exe
    O4 - HKLM\..\Run: [5HLKTJ52QWLSSX] C:\WINNT\system32\EnmVw1Vb.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [msnmsgr] "C:\copied\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Appi] C:\Documents and Settings\Mark Johnson\Application Data\tond.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINNT\system32\winttr.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.6413310185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006_cracks.cab

    StartupList:

    StartupList report, 4/11/2004, 4:38:51 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Mark Johnson\Desktop\StartupList.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Documents and Settings\Mark Johnson\Desktop\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
    Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NeroCheck = C:\WINNT\system32\NeroCheck.exe
    InCD = C:\Program Files\ahead\InCD\InCD.exe
    EM_EXEC = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    bxxs5 = RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
    luhmh = C:\WINNT\luhmh.exe
    BFILO = C:\WINNT\BFILO.exe
    jul = C:\WINNT\jul.exe
    prapim = C:\WINNT\system32\prapim.exe
    5HLKTJ52QWLSSX = C:\WINNT\system32\EnmVw1Vb.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    SpyBotSnD = "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    msnmsgr = "C:\copied\MSN Messenger\msnmsgr.exe" /background
    LDM = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    Appi = C:\Documents and Settings\Mark Johnson\Application Data\tond.exe
    WCPS = C:\WINNT\system32\winttr.exe
    ClockSync = C:\PROGRA~1\CLOCKS~1\Sync.exe /q

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    Ipswitch.WsftpBrowserHelper - C:\Program Files\WS_FTP Pro\wsbho2K0.dll - {601ED020-FB6C-11D3-87D8-0050DA59922B}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Office Update Installation Engine]
    InProcServer32 = C:\WINNT\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

    [HouseCall Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.6413310185

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Installer Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\ISTactivex.dll
    CODEBASE = http://www.xxxtoolbar.com/ist/softwares/v3.0/0006_cracks.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 5,180 bytes
    Report generated in 0.160 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    CWShredder:

    CWShredder v1.56.1 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfo.com/~merijn/files/hijackthis.zip

    Windows 2000 (5.00.2195 SP4)
    Windows dir: C:\WINNT
    Windows system dir: C:\WINNT\system32
    AppData folder: C:\Documents and Settings\Mark Johnson\Application Data
    Username: Mark Johnson

    Found Hosts file: C:\WINNT\system32\drivers\etc\hosts (861 bytes, A)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINNT\system32\userinit.exe,
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINNT\win.ini (493 bytes, A)
    Found System.ini file: C:\WINNT\system.ini (263 bytes, A)

    - END OF REPORT -
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Hi Mark......... Welcome to TSG :)
    You have one or two problems. Can you locate these files and send me zipped copies here for analysis please.

    C:\Documents and Settings\Mark Johnson\Application Data\tond.exe
    C:\WINNT\luhmh.exe
    C:\WINNT\BFILO.exe
    C:\WINNT\jul.exe
    C:\WINNT\system32\prapim.exe
    C:\WINNT\system32\EnmVw1Vb.exe


    Some of the files may be hidden, so do this:
    Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".


    Download AdAware 6 181 from here: http://www.lavasoftusa.com/
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From the main window: click "Start" then "Activate in-depth scan"

    Then......

    Click "Use custom scanning options > Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"

    Then.........

    Go to settings (the gear on top of AdAware) > Tweak > Scanning engine and tick "Unload recognized processes during scanning" and "Let windows remove files in use at next reboot"

    Then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu)


    Now re-boot...


    Run an online antivirus check from at least one and preferably 2 of the following sites....
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/

    Re-boot again and post another log.
    ;)
     
  3. red dead

    red dead Thread Starter

    Joined:
    Apr 11, 2004
    Messages:
    17
    Thanks for a prompt response.

    Here is another set of logs after following the directions you gave; all the files but tond.exe have disappeared. I had trouble sending it due to Outlook's disliking of me.

    HijackThis:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:45:29 AM, on 4/11/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ahead\InCD\InCD.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\copied\MSN Messenger\msnmsgr.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Documents and Settings\Mark Johnson\Application Data\tond.exe
    C:\WINNT\system32\oreank.exe
    C:\WINNT\system32\winttr.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\AdSubtract\adsub.exe
    C:\MSSQL7\Binn\sqlmangr.exe
    C:\WINNT\system32\IpuFm.exe
    C:\WINNT\system32\MtqaY.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Mark Johnson\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [luhmh] C:\WINNT\luhmh.exe
    O4 - HKLM\..\Run: [BFILO] C:\WINNT\BFILO.exe
    O4 - HKLM\..\Run: [jul] C:\WINNT\jul.exe
    O4 - HKLM\..\Run: [5HLKTJ52QWLSSX] C:\WINNT\system32\EnmVw1Vb.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [oreank] C:\WINNT\system32\oreank.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [msnmsgr] "C:\copied\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Appi] C:\Documents and Settings\Mark Johnson\Application Data\tond.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINNT\system32\winttr.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.6413310185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    StartupList:

    StartupList report, 4/11/2004, 6:46:17 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Mark Johnson\Desktop\StartupList.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ahead\InCD\InCD.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\copied\MSN Messenger\msnmsgr.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Documents and Settings\Mark Johnson\Application Data\tond.exe
    C:\WINNT\system32\oreank.exe
    C:\WINNT\system32\winttr.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\AdSubtract\adsub.exe
    C:\MSSQL7\Binn\sqlmangr.exe
    C:\WINNT\system32\IpuFm.exe
    C:\WINNT\system32\MtqaY.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Mark Johnson\Desktop\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
    Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NeroCheck = C:\WINNT\system32\NeroCheck.exe
    InCD = C:\Program Files\ahead\InCD\InCD.exe
    EM_EXEC = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    bxxs5 = RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
    luhmh = C:\WINNT\luhmh.exe
    BFILO = C:\WINNT\BFILO.exe
    jul = C:\WINNT\jul.exe
    5HLKTJ52QWLSSX = C:\WINNT\system32\EnmVw1Vb.exe
    Synchronization Manager = mobsync.exe /logon
    oreank = C:\WINNT\system32\oreank.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    msnmsgr = "C:\copied\MSN Messenger\msnmsgr.exe" /background
    LDM = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    Appi = C:\Documents and Settings\Mark Johnson\Application Data\tond.exe
    WCPS = C:\WINNT\system32\winttr.exe
    ClockSync = C:\PROGRA~1\CLOCKS~1\Sync.exe /q

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINNT\bxxs5.dll - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9}
    Ipswitch.WsftpBrowserHelper - C:\Program Files\WS_FTP Pro\wsbho2K0.dll - {601ED020-FB6C-11D3-87D8-0050DA59922B}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Office Update Installation Engine]
    InProcServer32 = C:\WINNT\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

    [HouseCall Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.6413310185

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 5,719 bytes
    Report generated in 0.290 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Run HijackThis again and put a checkmark against what is left of these entries....double check
    in case you miss anything....
    .....then close all browser and Outlook windows and "fix checked"

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [luhmh] C:\WINNT\luhmh.exe
    O4 - HKLM\..\Run: [BFILO] C:\WINNT\BFILO.exe
    O4 - HKLM\..\Run: [jul] C:\WINNT\jul.exe
    O4 - HKLM\..\Run: [5HLKTJ52QWLSSX] C:\WINNT\system32\EnmVw1Vb.exe
    O4 - HKLM\..\Run: [oreank] C:\WINNT\system32\oreank.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Appi] C:\Documents and Settings\Mark Johnson\Application Data\tond.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINNT\system32\winttr.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q


    Reboot into safe mode by following instructions here: http://helpdesk.its.bethel.edu/resnet/Documents/Antivirus/Safemode.html

    Locate and delete:
    C:\Documents and Settings\Mark Johnson\Application Data\tond.exe
    C:\WINNT\system32\EnmVw1Vb.exe
    C:\WINNT\system32\oreank.exe
    C:\WINNT\system32\winttr.exe
    C:\WINNT\luhmh.exe
    C:\WINNT\BFILO.exe
    C:\PROGRAM FILES\CLOCKSINK [FOLDER]


    Some of those will already be gone so don't worry if you don't find them all.
    Post another log after.
    ;)
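    The triage $teve does by eye in the post above (which autoruns look wrong, and what is left after the first pass) can be partly automated. The script below is an added example for this thread, not a tool the posters used and not part of HijackThis. It parses HijackThis-style R/O lines, applies three heuristics of my own (binary sitting directly in the Windows directory, autorun pointing into a user's Application Data folder, and a random-looking file name outside Program Files), and diffs two logs to show which entries appeared or disappeared. The sample lines are a constructed subset of the two logs quoted in this thread, and the Windows directory is assumed to be C:\WINNT as in those logs.

```python
import re

# Constructed sample: a subset of the entries quoted in the thread's first log.
LOG_BEFORE = r"""
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [luhmh] C:\WINNT\luhmh.exe
O4 - HKLM\..\Run: [jul] C:\WINNT\jul.exe
O4 - HKLM\..\Run: [prapim] C:\WINNT\system32\prapim.exe
O4 - HKLM\..\Run: [5HLKTJ52QWLSSX] C:\WINNT\system32\EnmVw1Vb.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\copied\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Appi] C:\Documents and Settings\Mark Johnson\Application Data\tond.exe
O4 - HKCU\..\Run: [WCPS] C:\WINNT\system32\winttr.exe
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006_cracks.cab
"""

# Constructed sample: the matching subset of the second log, after the first cleanup pass.
LOG_AFTER = r"""
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [luhmh] C:\WINNT\luhmh.exe
O4 - HKLM\..\Run: [jul] C:\WINNT\jul.exe
O4 - HKLM\..\Run: [5HLKTJ52QWLSSX] C:\WINNT\system32\EnmVw1Vb.exe
O4 - HKLM\..\Run: [oreank] C:\WINNT\system32\oreank.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\copied\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Appi] C:\Documents and Settings\Mark Johnson\Application Data\tond.exe
O4 - HKCU\..\Run: [WCPS] C:\WINNT\system32\winttr.exe
"""

WINDIR = r"c:\winnt"  # assumption: Windows 2000 default, matching the thread's logs

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# First drive-letter path on the line: either quoted, or unquoted up to a binary extension
# (so unquoted paths containing spaces, like ...\Application Data\tond.exe, are kept whole).
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^,"]+?\.(?:exe|dll|ocx))', re.IGNORECASE)


def parse(log):
    """Yield (section, raw_line, path_or_None) for each HijackThis-style entry."""
    for raw in log.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        pm = PATH_RE.search(m.group("body"))
        path = (pm.group(1) or pm.group(2)) if pm else None
        yield m.group("sec"), raw.strip(), path


def is_random_name(stem):
    """Crude randomness proxy: fewer than 20% vowels among the letters of a 4+ char name."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(stem) < 4 or not letters:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.2


def reasons(path):
    """Heuristic findings for one file path; an empty list means nothing noteworthy."""
    low = path.lower()
    folder, _, base = low.rpartition("\\")
    stem = base.rsplit(".", 1)[0]
    found = []
    if folder == WINDIR:
        found.append("binary dropped directly in the Windows directory")
    if "\\application data\\" in low:
        found.append("autorun pointing into a user profile data folder")
    if "\\program files\\" not in low and is_random_name(stem):
        found.append("random-looking file name outside Program Files")
    return found


def triage(log):
    """Map each raw entry that tripped a heuristic to its list of reasons."""
    flagged = {}
    for _sec, raw, path in parse(log):
        if path:
            why = reasons(path)
            if why:
                flagged[raw] = why
    return flagged


def diff_logs(before, after):
    """Return (added, removed): entries new in the second log, and entries gone from it."""
    b = {raw for _s, raw, _p in parse(before)}
    a = {raw for _s, raw, _p in parse(after)}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for raw, why in triage(LOG_BEFORE).items():
        print(raw, "\n    ->", "; ".join(why))
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nNew since first log:", *added, sep="\n  ")
    print("\nGone since first log:", *removed, sep="\n  ")
```

    On the constructed sample the heuristics flag bxxs5, luhmh, jul, EnmVw1Vb, tond and winttr, but also trip on msnmsgr.exe (a false positive from the name rule) and miss prapim.exe and oreank.exe entirely, which is why the post above still depends on the helper's judgement and on sending the unknown files in for analysis. The diff is the part that answers "what is left": it reports the new (no name) BHO and the oreank autorun that appeared between the two logs, and the prapim and xxxtoolbar entries that disappeared.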
     
  6. red dead

    red dead Thread Starter

    Joined:
    Apr 11, 2004
    Messages:
    17
    I did all that you said. I've got another prob now: my Symantec realtime virus protection doesn't start up now.

    And I was curious about NuNIst.exe and Q330994.exe?

    Thanks again
     
  7. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
  8. red dead

    red dead Thread Starter

    Joined:
    Apr 11, 2004
    Messages:
    17
    It is the correct spelling; I found them in C:\winnt\NuNInst.exe.

    And I found another one with a similar icon (red arrow rainbowing in from the background onto a gold disc), UNNMP.exe.
    Any idea as to why my realtime virus protection won't boot up?
    Or how I might get it to boot up?

    Thanks again
     
  9. red dead

    red dead Thread Starter

    Joined:
    Apr 11, 2004
    Messages:
    17
    Just an update: I got my realtime virus protection back up.

    Anyone have any ideas what the following are?

    hidsev.exe, EM_EXEC.EXE, DefWatch.exe, spoolsv.exe, LSASS.EXE, and CSRSS.EXE.
     
Short URL to this thread: https://techguy.org/219258