[Solved] Got a mess here-HJT log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

thymekiller

Thread Starter
Joined
Jan 29, 2004
Messages
283
I'm working on a machine running Win ME, and so far, I have found over 1000 infected files, some of which could not be removed. I also ran Spy-bot, and Ad-aware, and removed an additional 600+ spyware. I am waiting for him to give me the password, so I can go online and run the online virus scans, but in the meantime, I ran HJT, and saw alot that needs to go, and wanted to know if I picked all the right ones. (Also ran CWS, and removed all instances of that!!!!) I have run Stinger, and installed and ran AVG, but it was unable to remove some files in the c:/restore folder. I have disabled System Restore. Here is the HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 6:39:03 PM, on 4/23/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 SP1 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\UJKEYBD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WMCONNECT\WMTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Provided by: USAWide.Net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {DD1BCA06-F674-424D-A08E-42DA97C4D5DD}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\SYSTEM\N3TPA1.DLL (file missing)
O2 - BHO: MSM32 Helper - {1E1B2879-88FF-11D2-8D96-000000000004} - C:\WINDOWS\SYSTEM\SSOCKS32.DLL (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\SYSTEM32\QABAR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [ujkeybd] C:\WINDOWS\SYSTEM\ujkeybd.exe
O4 - HKLM\..\Run: [ServicePack1] C:\WINDOWS\SP1UPDATE.EXE
O4 - HKLM\..\Run: [sjkrb14ml1] C:\WINDOWS\EDITPAD.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [loader.dll] C:\WINDOWS\loader.dll
O4 - HKCU\..\Run: [updater.dll] C:\WINDOWS\updater500.exe
O4 - Startup: CompuServe 2000 Tray Icon.lnk = C:\CompuServe 2000\cstray.exe
O4 - Startup: America Online 5.0 Tray Icon.lnk = C:\America Online 5.0\aoltray.exe
O4 - Startup: Wal-Mart Connect Tray Icon.lnk = C:\wmconnect\wmtray.exe
O9 - Extra button: Enjoy It (HKLM)
O9 - Extra 'Tools' menuitem: Enjoy It (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://diablo.ud-dial.biz/1/dexGB512.exe


I think this guy was into some weird stuff...anyway, if anyone has any info, I appreciate it!!!!!
thyme
 
Joined
Jul 26, 2002
Messages
46,353
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - {DD1BCA06-F674-424D-A08E-42DA97C4D5DD}_ - (no file)

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\SYSTEM\N3TPA1.DLL (file missing)

O2 - BHO: MSM32 Helper - {1E1B2879-88FF-11D2-8D96-000000000004} - C:\WINDOWS\SYSTEM\SSOCKS32.DLL (file missing)

O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\SYSTEM32\QABAR.DLL

O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE

O4 - HKLM\..\Run: [ujkeybd] C:\WINDOWS\SYSTEM\ujkeybd.exe

O4 - HKLM\..\Run: [ServicePack1] C:\WINDOWS\SP1UPDATE.EXE

O4 - HKLM\..\Run: [sjkrb14ml1] C:\WINDOWS\EDITPAD.EXE

O4 - HKCU\..\Run: [loader.dll] C:\WINDOWS\loader.dll

O4 - HKCU\..\Run: [updater.dll] C:\WINDOWS\updater500.exe

O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

O16 - DPF: {11111111-1111-1111-1111-111111111123} - http://diablo.ud-dial.biz/1/dexGB512.exe


Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Apply then OK. Click Yes to confirm.

Now find and delete:

The C:\WINDOWS\SYSTEM\\MSREXE.EXE file
The C:\WINDOWS\SYSTEM\\ujkeybd.exe file
The C:\WINDOWS\\SP1UPDATE.EXE file
The C:\WINDOWS\\EDITPAD.EXE file
The C:\WINDOWS\\loader.dll file
The C:\WINDOWS\updater500.exe file
 
Joined
Jul 26, 2002
Messages
46,353
You're Welcome! (y)

I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Top