Reagan72

Can't use Task Manager

I'm gone for 5 days to come back and find the computer is completely different from the way I left it.

1.) The bottom toolbar and, I'm not sure what it's called, but the border around every window that pops up (I have Windows XP) is usually blue, at least it was until they (mom and husband) changed some things a while back, and it went to the greyish color like they have in older operating systems. Now it is back to the blue.

2.) Every program I've used so far since I got back, GOM Player, Windows Media, Microsoft Works, all started up like they do the very first time you use them, asking for my preferences and whatnot. (BTW, Windows Media Player is now at version 9; when I left it was at version 11.)

3.) The red flag didn't go up until I tried to use my Task Manager, which I now can't. (It's not black like everything else; it's grey and not clickable.)

But now I'm thinking there might be some malware on here. Please help, here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:57:18 PM, on 8/20/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\NMBgMonitor.exe

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

C:\Program Files\Adobe Media Player\Adobe Media Player.exe

C:\WINDOWS\REGEDIT.EXE

c:\w3l8t1y1y8g8.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\NMBgMonitor.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [bCNT] C:\PROGRA~1\AWS\WEATHE~1\BCNT.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [NMBgMonitor.exe] C:\WINDOWS\system32\NMBgMonitor.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Also, now I keep getting this greyish-brown screen that comes up when I turn on the machine that says the computer is going to shut down and restart in blah blah seconds and gives me a little countdown. Says something like there was an ncts error, I think. (It hasn't happened in my last couple of power-ups.)

Any help will be much appreciated, thank you.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,

Malwarebytes' Anti-Malware 1.25

Database version: 1078

Windows 5.1.2600 Service Pack 1

7:55:33 PM 8/22/2008

mbam-log-08-22-2008 (19-55-33).txt

Scan type: Quick Scan

Objects scanned: 49614

Time elapsed: 13 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

(I deleted the one thing that they found and restarted the machine, but the Task Manager still doesn't work.)

I apologize if posting the same problem elsewhere was wasting your time. I was simply trying to get help as quickly as possible; I had no idea I was getting help from the same person/people. Truth is, I was planning on saying "thanks but I got help elsewhere" to whoever helped me second so as not to be wasting their time.

My Windows operating system was acquired legitimately, for your information. Why it is giving off signs of not being that way, I'm sure it had to do with my mom or her husband, not me. When I left it here the machine was equipped with SP2. Maybe you can also help me out with why it's back to 1 and is not validated.

I am being honest and would really appreciate it if you help me fix this problem.

After making numerous trips to the Microsoft website and trying to get things updated (it is now validated, at least that's what they said), I have not been having any luck in that department. I will continue to try to get things updated, and hope that afterwards you will continue to help me with getting the system clean.

If updating and everything over at Microsoft doesn't work, I will leave you alone, as I'm sure you probably already think I'm full of it.

Thanks

I know you meant no harm by posting elsewhere, and want the fastest help you can get, but it wastes the helpers' time when you post at multiple places.

If Microsoft says it is validated, then your version of Windows should be legit; it likely was just not validated.

Please go here and upload this file:

c:\w3l8t1y1y8g8.exe

Let me know when you've done this. ;)

Thanks Tigger, it says there was an error uploading the file. I see it there though; it's 57.5 KB.

When I tried, it said: Upload failed. You are not permitted to upload this type of file

Yes, I changed it from .exe to .zip and saved it to desktop and uploaded it to that site.

Thanks. You can delete the file now.

With HijackThis, fix this:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Then update MBAM and scan and post the new log please. ;)

Thanks,

Malwarebytes' Anti-Malware 1.25

Database version: 1078

Windows 5.1.2600 Service Pack 1

10:10:29 PM 8/23/2008

mbam-log-08-23-2008 (22-10-17).txt

Scan type: Quick Scan

Objects scanned: 49974

Time elapsed: 24 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 8

Registry Values Infected: 4

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 16

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> No action taken.

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\TypeLib\{6d4c7e08-e021-414c-a42d-ab15a2302196} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{deef6582-9927-4cbd-897c-6a1f9e8c47de} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-292a3d48be99} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{da1de019-a6a8-ed40-4b87-248b2a93de99} (Trojan.Small) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\desktopwin (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysocmgr (Trojan.Small) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\explore.exe (Trojan.OnlineGames) -> No action taken.

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> No action taken.

C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.BHO) -> No action taken.

C:\WINDOWS\sysocmgr.dll (Trojan.Small) -> No action taken.

C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\hvexalt.dll (Spyware.OnLineGames) -> No action taken.

C:\WINDOWS\system32\biroas.dll (Spyware.OnlineGames) -> No action taken.

C:\WINDOWS\system32\cmbdaf.dll (Trojan.OnlineGames) -> No action taken.

C:\WINDOWS\system32\johandy.dll (Spyware.OnlineGames) -> No action taken.

C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> No action taken.

C:\WINDOWS\Temp\QQ_Update.cab (Spyware.OnlineGames) -> No action taken.

C:\WINDOWS\Temp\wmsetup.dll (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\650X2RAX\abb[1].gif (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\650X2RAX\update[1].gif (Spyware.OnlineGames) -> No action taken.

C:\WINDOWS\Update.dll (Trojan.Agent) -> No action taken.

Do I remove the infected files?

Thanks,

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:32:40 PM, on 8/23/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\system32\NMBgMonitor.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Adobe Media Player\Adobe Media Player.exe

C:\WINDOWS\System32\dllcache\qxchost.exe

C:\WINDOWS\System32\dllcache\wintcps.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\wanmpsvc.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

C:\WINDOWS\REGEDIT.EXE

c:\w3l8t1y1y8g8.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\NMBgMonitor.exe

O1 - Hosts: 127.0.0.3 adlaji.cn

O1 - Hosts: 127.0.0.l www.xxie.net

O1 - Hosts: 127.0.01 www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [NMBgMonitor.exe] C:\WINDOWS\system32\NMBgMonitor.exe

O4 - HKLM\..\Run: [HBService] explore.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: mduaey.dll lensch.dll biroas.dll nvipat.dll mcromv.dll eskisl.dll cmbdaf.dll candayl.dll cupops.dll thermaltinc.dll inserse.dll pcibexl.dll ringtte.dll micsus.dll kandaof.dll johandy.dll catower.dll pewire.dll hvexalt.dll wllame.dll comboaus.dll mssetd.dll

O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll

O21 - SSODL: comuidsg.dll - {898E02AB-9372-4a2c-9C4A-FFE1AF61097F} - C:\WINDOWS\System32\comuidsg.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe

O23 - Service: Microsoft Windows TCP Protocol - Unknown owner - C:\WINDOWS\System32\dllcache\wintcps.exe

O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 9144 bytes

You got even more infected since a few hours ago. ;)

Fix these with HijackThis:

O1 - Hosts: 127.0.0.3 adlaji.cn

O1 - Hosts: 127.0.0.l www.xxie.net

O1 - Hosts: 127.0.01 www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

Next, delete this file:

c:\w3l8t1y1y8g8.exe

Then update MBAM again and scan and post the log. :)

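As an added example (my own code, not from this thread, HijackThis or Malwarebytes), a small Python triage pass over constructed sample lines in the HijackThis log format used above. It flags O1 hosts entries that are malformed (such as 127.0.0.l, which only looks like a loopback block) or that point a name away from loopback, an O4 Run entry whose executable imitates a system binary (explore.exe vs explorer.exe), O7 policy restrictions such as DisableRegedit, O20 AppInit_DLLs injection, and O23 services with no publisher or running from dllcache. The line patterns are my own reading of the log format and are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in the format of the HijackThis v2 log posted in
# this thread (a short subset, not the full log).
SAMPLE_LOG = [
    r"O1 - Hosts: 127.0.0.3 adlaji.cn",
    r"O1 - Hosts: 127.0.0.l www.xxie.net",
    r"O1 - Hosts: 127.0.01 www.gfrgfrsa.cn",
    r"O1 - Hosts: 202.165.102.205 w3og.cn",
    r'O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [HBService] explore.exe",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O20 - AppInit_DLLs: mduaey.dll lensch.dll biroas.dll",
    r"O23 - Service: Microsoft Windows TCP Protocol - Unknown owner - C:\WINDOWS\System32\dllcache\wintcps.exe",
    r"O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
]

# Line patterns are my own reading of the HijackThis log format (assumption).
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
POLICY_RE = re.compile(r"^O7 - (HK\w+\\\S+), (\w+)=(\S+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# Well-known Windows binaries whose names malware is often one character off from.
SYSTEM_NAMES = ("explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe")


def check_hosts(ip_text, host):
    """Return a finding for a hosts entry unless it simply sinks a name to loopback."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # 127.0.0.l and 127.0.01 are not addresses at all; they only look like blocks
        return "malformed address %r for %s (not a valid IP)" % (ip_text, host)
    if ip.is_loopback:
        return None
    return "%s is redirected to %s (not loopback: possible hijack)" % (host, ip)


def lookalike(name):
    """Return the system binary that `name` imitates by dropping one character, else None."""
    name = name.lower()
    for known in SYSTEM_NAMES:
        if name != known and any(known[:i] + known[i + 1:] == name for i in range(len(known))):
            return known
    return None


def first_token(command):
    """Extract the executable from a Run value, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def triage(lines):
    """Walk log lines and return (section, message) findings that deserve a closer look."""
    findings = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m:
            msg = check_hosts(m.group(1), m.group(2))
            if msg:
                findings.append(("O1", msg))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = first_token(m.group(3))
            imitated = lookalike(exe.rsplit("\\", 1)[-1])
            if imitated:
                findings.append(("O4", "[%s] runs %s, a lookalike of %s" % (m.group(2), exe, imitated)))
            continue
        m = POLICY_RE.match(line)
        if m:
            findings.append(("O7", "policy %s=%s under %s locks the user out of a tool" % (m.group(2), m.group(3), m.group(1))))
            continue
        m = APPINIT_RE.match(line)
        if m:
            dlls = m.group(1).split()
            findings.append(("O20", "%d DLL(s) loaded into every process that uses user32.dll: %s" % (len(dlls), ", ".join(dlls))))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, owner, path = m.groups()
            reasons = []
            if owner.lower() == "unknown owner":
                reasons.append("no publisher")
            if "\\dllcache\\" in path.lower():
                reasons.append("runs from dllcache")
            if reasons:
                findings.append(("O23", "service %r at %s: %s" % (name, path, "; ".join(reasons))))
    return findings


if __name__ == "__main__":
    for section, message in triage(SAMPLE_LOG):
        print(section, message)
```

A policy value such as DisableTaskMgr that reappears after removal, as in the two MBAM logs in this thread, is itself a signal that the process setting it is still running; the script only surfaces what to look at, it does not change anything.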

Thanks,

I can't delete c:\w3l8t1y1y8g8.exe. Every time I try, a message pops up that says "Cannot delete w3l8t1y1y8g8: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

Ok, let's try this then:

Please download OTMoveIt2 by OldTimer.

  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    [kill explorer]
    c:\w3l8t1y1y8g8.exe
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Thanks,

Explorer killed successfully

c:\w3l8t1y1y8g8.exe moved successfully.

< EmptyTemp >

Temp folders emptied.

IE temp folders emptied.

Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 08242008_001454

Thanks,

I can't delete c:\w3l8t1y1y8g8.exe. Every time I try, a message pops up that says "Cannot delete w3l8t1y1y8g8: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

I am checking into seeing what this file does.

Would you mind going to http://www.gmer.net/files.php, downloading gmer.zip, unzipping it, running it, and saving/posting a log here please?

I suspect you have something interesting going on.

Thanks Raid,

I tried scanning twice already and both times the machine restarted during the first 2 minutes.

However, before I scan, just when the program opens up, it comes up with this:

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-08-24 01:00:08

Windows 5.1.2600 Service Pack 1

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

---- EOF - GMER 1.0.14 ----

You should disable protective software like Norton when you're doing malware scans, as it can interfere with the process.

I have not been able to determine the file's intentions, as it doesn't appear to properly execute.

Thanks Raid,

This is some weird stuff. Norton claims it was never installed but shows up in the Add/Remove Programs list. And when I try to remove it/uninstall it, it always gets to about 75% or so (doesn't actually have a number) and says "Unpublishing Product Features" and gets stuck there. There's no cancel button, so a couple of times I just restarted the computer thinking it was just stuck, but now I'm trying to uninstall it again (it's been stuck at "Unpublishing Product Features" for about 5 minutes).

Raid, when you said I should disable protective programs like Norton AntiVirus when doing malware scans, I figured I'd get rid of it altogether because I couldn't care less about Norton AntiVirus. I actually deleted it months ago. I have no idea what my mom and/or her husband could possibly have done with the machine while I was gone.

Do you know of any other way to disable Norton AntiVirus so I can try the scan again, because uninstalling it just ain't working?
