1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

This is bad HJT log inside

Discussion in 'Virus & Other Malware Removal' started by mshadow, Jul 19, 2006.

Thread Status:
Not open for further replies.
  1. mshadow

    mshadow Thread Starter

    Jun 21, 2006
    Logfile of HijackThis v1.99.1
    Scan saved at 10:31:52 AM, on 7/19/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O2 - BHO: Acrobat IE Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE083} - C:\WINNT\system\ctldlg32.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [NTsystem Load] mxlfix.exe
    O4 - HKLM\..\Run: [SDKz0r] SDKc55rezzz2.exe
    O4 - HKLM\..\Run: [drvrmanager] c:\winnt\system32\drvrquery32.exe /S
    O4 - HKLM\..\Run: [HideRun.exe] c:\winnt\system32\HideRun.exe c:\winnt\system32\svhost.exe c:\winnt\system32\pro.gif
    O4 - HKLM\..\Run: [Fenio Startups] fnesvc32.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Magnum Condoms] magnum.exe
    O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\USBMonit.exe
    O4 - HKLM\..\Run: [google toolbar] ggtb32.exe
    O4 - HKLM\..\Run: [Win H0st Manager xp] H0stMngr32.exe
    O4 - HKLM\..\Run: [REGRUN] C:\Documents and Settings\KM\topish.exe
    O4 - HKLM\..\Run: [Services] C:\WINNT\system32\23.tmp
    O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140700904\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [System] C:\WINNT\system32\testtestt.exe
    O4 - HKLM\..\Run: [cbed499d.exe] C:\WINNT\system32\cbed499d.exe
    O4 - HKLM\..\Run: [ÿ_zskVLZ] C:\WINNT\system32\_zskwrkni05`Z`NFGH[\RFZ\ZLV.exe
    O4 - HKLM\..\Run: [Explorer 2238] C:\DOCUME~1\KM\LOCALS~1\Temp\12461\explorer.exe
    O4 - HKLM\..\RunServices: [NTsystem Load] mxlfix.exe
    O4 - HKLM\..\RunServices: [SDKz0r] SDKc55rezzz2.exe
    O4 - HKLM\..\RunServices: [Fenio Startups] fnesvc32.exe
    O4 - HKLM\..\RunServices: [google toolbar] ggtb32.exe
    O4 - HKLM\..\RunServices: [Win H0st Manager xp] H0stMngr32.exe
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\testtestt.exe
    O4 - HKLM\..\RunServices: [ÿ_zskVLZ] C:\WINNT\system32\_zskwrkni05`Z`NFGH[\RFZ\ZLV.exe
    O4 - HKCU\..\Run: [Magnum Condoms] magnum.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Steu] "C:\DOCUME~1\KM\APPLIC~1\STEM32~1\ati2evxx.exe" -vt yazr
    O4 - HKCU\..\Run: [Pmvnjgn] C:\Documents and Settings\KM\My Documents\??sks\chkntfs.exe
    O4 - HKCU\..\Run: [cbed499d.exe] C:\Documents and Settings\KM\Local Settings\Application Data\cbed499d.exe
    O4 - HKCU\..\Run: [ÿ_zskVLZ] C:\WINNT\system32\_zskwrkni05`Z`NFGH[\RFZ\ZLV.exe
    O4 - HKCU\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe
    O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\KM\LOCALS~1\Temp\26.tmp3072.exe
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk762DJUS
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - https://ehelp.nelnet.net/netagent/objects/custappx3.CAB
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125694684074
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125694964928
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv3.view22.com/view22/app/view22rte.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx
    O20 - AppInit_DLLs: javaw.dll C:\WINNT\system32\javaw.dll C:\WINNT\system32\fast.dll
    O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\DOCUME~1\KM\LOCALS~1\Temp\12461\explorer.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
  2. dvk01

    dvk01 Moderator Malware Specialist

    Dec 14, 2002
    First Name:
    I would say taht one is beyond sensible help

    you can try and see what these fix but I'm not hopeful

    Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
    • Click the Free Trial link under "Downloads/SpySweeper" to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into your next reply.

    * Download the Trial/Demo version of Ewido Ani Spyware here


    * Install ewido.
    * Launch ewido
    * It will prompt you to update click the OK button and it will go to the main screen
    * On the top of the main screen click update
    * Click on Start and let it update.
    * now boot to safe mode by following advice here http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam
    * Now run Ewido:
    * Click on scanner then click on settings tab , select all options allowed & set the how to act to recommended actions and set automatically generate reports after every scan & only if threats were found
    * Now press the scan tab. Click the Complete System Scan button to start the scan.
    * When the scan is done you will see a list of infected objects (if any found) At the bottom of the list, Please click on "recommended action"/and choose to Set all Elements to quarantine and check the box "Perform action with all infections".
    If you get a warning about a file being in an archive, please choose *yes* to quarantine the entire archive
    * When the scan is finished, look at the bottom of the screen and click the Save report button.
    * Save the report to your desktop

    Post back with a fresh HJT log and the ewido scan log
  3. ~Candy~

    ~Candy~ Retired Administrator

    Jan 27, 2001
  4. mshadow

    mshadow Thread Starter

    Jun 21, 2006
    Yea I got it almost 100% clean at this point with hijackthis and a few other tricks.....I do this all the time.

    I figured I would just post because this one is badddddd lol
  5. ~Candy~

    ~Candy~ Retired Administrator

    Jan 27, 2001
    That log was AFTER your 100% clean? OR BEFORE?
  6. mshadow

    mshadow Thread Starter

    Jun 21, 2006
    Before lol
  7. mshadow

    mshadow Thread Starter

    Jun 21, 2006
    Everything seems to be gone....I can't get into Task Manager or change the Desktop Background....
  8. bizzt


    Jul 15, 2004
    :eek: :eek:
    Can you post another Hijackthis Log?
  9. dvk01

    dvk01 Moderator Malware Specialist

    Dec 14, 2002
    First Name:
    • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!

    Reboot into Safe Mode
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Doubleclick WinPFind.exe
    • Click " Configure Scan Options"
    • Select " Run Add ONs" and then select ALL the options in the box below it, Press Apply
    • Now Click "Start Scan"
    • It will scan the entire System, so please be patient!
    • Once the Scan is Complete
      • Reboot back to Normal Mode!
      • Go to the WinPFind folder
      • Locate WinPFind.txt
      • Place those results in the next post!. It will be too big to post so you will need to attach it to your reply
  10. ~Candy~

    ~Candy~ Retired Administrator

    Jan 27, 2001

    Well, I can't speak for dvk01, but I'd be pretty pissed if I wasted my time assembling instructions for an old log :rolleyes:
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/484491

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice