Can't use task manager

I'm sorry, Raid. I need clarification...

"I need a fresh hijackthislog After you ran mbam and reboot." -did you mean "run mbam and reboot" or "ran mbam and rebooted"?

If you want me to run MBAM again, let it reboot, and then scan with HijackThis and provide the [new HijackThis] log along with the MBAM log from after I scanned and hit 'Show results' but before I rebooted, then sure, I will ASAP.

But did you mean that you wanted the HijackThis log from the scan I did with HijackThis after the last time I ran MBAM and let it reboot the computer, just like you told me to do in your second-to-last post? I thought that's what I showed you. What would make you think differently? Please clarify what you want me to do.

Edit: I apologize. I remember after I ran MBAM and it told me to delete certain things, it needed to restart. I'm pretty sure I told it to do so, but I left the room right after that. When I came back I found the screen at the desktop, which made me think that it had restarted, though that's the same way it looked when I left it. And I do remember thinking to myself, "that was a damn fast restart". Are you saying that it never actually restarted and I just went and did a HijackThis scan without knowing that?


I'm sorry, Raid. I need clarification...

"I need a fresh hijackthislog After you ran mbam and reboot." -did you mean "run mbam and reboot" or "ran mbam and rebooted"?

If you want me to run MBAM again, let it reboot, and then scan with HijackThis and provide the [new HijackThis] log along with the MBAM log from after I scanned and hit 'Show results' but before I rebooted, then sure, I will ASAP.

That's what I need for you to do, yes.


Here they go...

MBAM:

Malwarebytes' Anti-Malware 1.28

Database version: 1185

Windows 5.1.2600 Service Pack 1

9/21/2008 11:21:09 AM

mbam-log-2008-09-21 (11-21-09).txt

Scan type: Quick Scan

Objects scanned: 49960

Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 10

Registry Keys Infected: 15

Registry Values Infected: 18

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 30

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot.

C:\WINDOWS\system32\flutjbcw.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\avicapwm.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\voedogzi.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\mncshawz.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\twnxpxba.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\gpuubunj.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\jkltrxoe.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{6d4c7e08-e021-414c-a42d-ab15a2302196} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{deef6582-9927-4cbd-897c-6a1f9e8c47de} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{da1de019-a6a8-ed40-4b87-248b2a93de99} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-292a3d48be99} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{eb9660d8-e1cd-4ff0-b4a9-00cd907f928a} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{6b9fead7-4319-4312-ab05-d8c9cd255bfe} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{434fa69c-5f0a-42e1-82b8-10af2c8e53c6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{71a78cd4-e470-4a18-8457-e0e0283dd507} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2cb77746-8ecc-40ca-8217-10ca8be5efc8} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{d3112b69-a745-4805-874e-abd480ea1299} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{f0930a2f-d971-4828-8209-b7dfd266ed44} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysocmgr (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\desktopwin (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{eb9660d8-e1cd-4ff0-b4a9-00cd907f928a} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\flutjbcw.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6b9fead7-4319-4312-ab05-d8c9cd255bfe} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\avicapwm.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{434fa69c-5f0a-42e1-82b8-10af2c8e53c6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\voedogzi.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{71a78cd4-e470-4a18-8457-e0e0283dd507} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mncshawz.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2cb77746-8ecc-40ca-8217-10ca8be5efc8} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\twnxpxba.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{d3112b69-a745-4805-874e-abd480ea1299} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gpuubunj.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f0930a2f-d971-4828-8209-b7dfd266ed44} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\jkltrxoe.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot.

C:\WINDOWS\sysocmgr.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\AppPatch\DesktopWin.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\flutjbcw.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\avicapwm.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\voedogzi.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\mncshawz.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\twnxpxba.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\gpuubunj.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\jkltrxoe.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\system32\wllame.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IJIFYLEL\24[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IJIFYLEL\28[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\1b[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\26[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\d[1].gif (Virus.Alman) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PW7UHY51\10[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PW7UHY51\25[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PW7UHY51\29[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\23[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\27[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\b[1].gif (Spyware.OnLineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\Update.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\System.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot.

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:24:56 AM, on 9/21/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O1 - Hosts: 127.1 localhost

O1 - Hosts: 127.1 vt0r48p760.cn

O1 - Hosts: 127.1 www.1txx.com

O1 - Hosts: 127.1 www.myovec.cn

O1 - Hosts: 127.1 po.uc-us.cn

O1 - Hosts: 127.1 219.139.83.20

O1 - Hosts: 127.1 www.msj007.cn

O1 - Hosts: 127.1 www.wyf009.cn

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 59.34.148.68

O1 - Hosts: 127.1 208.43.165.86

O1 - Hosts: 127.1 208.43.166.171

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 61.164.140.39

O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn

O1 - Hosts: 127.1 cwk1237.3322.org

O1 - Hosts: 127.1 www.woaigan.com

O1 - Hosts: 127.1 munchkin.marketo.net

O1 - Hosts: 127.1 post.marketo.net

O1 - Hosts: 127.1 www.mv2z.cn

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.wq9q.cn

O1 - Hosts: 127.1 facaizhifuok.cn

O1 - Hosts: 127.1 www.wo9188.cn

O1 - Hosts: 127.1 a.woaigan.com

O1 - Hosts: 127.1 b.woaigan.com

O1 - Hosts: 127.1 xxx.usxx.info

O1 - Hosts: 127.1 alenxya.1122mb.com

O1 - Hosts: 127.1 www.972se.com

O1 - Hosts: 127.1 972se.com

O1 - Hosts: 127.1 pic.03wyt.com

O1 - Hosts: 127.1 d.03wyt.com

O1 - Hosts: 127.1 xs.03wyt.com

O1 - Hosts: 127.1 www.8jse.net

O1 - Hosts: 127.1 8jse.net

O1 - Hosts: 127.1 www.bmwtvb.cn

O1 - Hosts: 127.1 www.kcuf-09.cn

O1 - Hosts: 127.1 www.dvgdfg4650.com

O1 - Hosts: 127.1 www.kcuf-08.cn

O1 - Hosts: 127.1 www.kcuf-11.cn

O1 - Hosts: 127.1 www.kcuf-12.cn

O1 - Hosts: 127.1 1aa1aa.com

O1 - Hosts: 127.1 xx.avno3.com

O1 - Hosts: 127.1 xxx.avno5.com

O1 - Hosts: 127.1 www.avno7.com

O1 - Hosts: 127.1 avno7.com

O1 - Hosts: 127.1 ok.avno4.com

O1 - Hosts: 127.1 ok.avno5.com

O1 - Hosts: 127.1 ok.avno6.com

O1 - Hosts: 127.1 ok.avno7.com

O1 - Hosts: 127.1 ok.avno9.com

O1 - Hosts: 127.1 avno1.com

O1 - Hosts: 127.1 avno3.com

O1 - Hosts: 127.1 avno4.com

O1 - Hosts: 127.1 aikanav.com

O1 - Hosts: 127.1 link.selink.org

O1 - Hosts: 127.1 www.avno6.com

O1 - Hosts: 127.1 avno6.com

O1 - Hosts: 127.1 4.chibbs.info

O1 - Hosts: 127.1 bbs.chibbs.info

O1 - Hosts: 127.1 aa.ss99.biz

O1 - Hosts: 127.1 se.ss99.biz

O1 - Hosts: 127.1 aa.sxlk.net

O1 - Hosts: 127.1 se.sxlk99.com

O1 - Hosts: 127.1 www.88xj.net

O1 - Hosts: 127.1 88xj.net

O1 - Hosts: 127.1 www.99xj.net

O1 - Hosts: 127.1 99xj.net

O1 - Hosts: 127.1 www.91semi.com

O1 - Hosts: 127.1 91semi.com

O1 - Hosts: 127.1 haobaidu.1122mb.com

O1 - Hosts: 127.1 xiao777.za.pl

O1 - Hosts: 127.1 ccavo6.avno6.com

O1 - Hosts: 127.1 a.sxlk99.com

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.qq08w12.cn

O1 - Hosts: 127.1 www.21xx.info

O1 - Hosts: 127.1 php-1.cn

O1 - Hosts: 127.1 www.v232.com

O1 - Hosts: 127.1 php-2.cn

O1 - Hosts: 127.1 php-3.cn

O1 - Hosts: 127.1 php-4.cn

O1 - Hosts: 127.1 php-5.cn

O1 - Hosts: 127.1 php-6.cn

O1 - Hosts: 127.1 php-7.cn

O1 - Hosts: 127.1 php-8.cn

O1 - Hosts: 127.1 php-9.cn

O1 - Hosts: 127.1 php-10.cn

O1 - Hosts: 127.1 php-11.cn

O1 - Hosts: 127.1 k.5x2x.com

O1 - Hosts: 127.1 a.5x2x.com

O1 - Hosts: 127.1 202.108.23.205

O1 - Hosts: 127.1 60.190.218.21

O1 - Hosts: 127.1 121.14.154.195

O1 - Hosts: 127.1 218.30.82.201

O1 - Hosts: 127.1 59.34.198.48

O1 - Hosts: 127.1 121.14.154.216

O1 - Hosts: 127.1 219.152.120.237

O1 - Hosts: 127.1 121.14.154.184

O1 - Hosts: 127.1 125.67.67.201

O1 - Hosts: 127.1 222.168.102.12

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [HBService32] System.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wrm32.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wrm32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: mduaey.dll eskisl.dll lensch.dll micsus.dll cupops.dll jolndyo.dll johandy.dll aotoppt.dll pewire.dll comboaus.dll catower.dll wllame.dll,HBmhly.dll,HB1000Y.dll,HBXY2.dll,HBFY.dll,HBCONQUER.dll,HBSOUL.dll,HBCT.dll,HBQQSG.dll,HBQQFFO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 7245 bytes

More files keep popping up in that "avenger" folder in C:, and won't be deleted. Computer's still running fine though.


O1 - Hosts: 127.1 localhost

O1 - Hosts: 127.1 vt0r48p760.cn

O1 - Hosts: 127.1 www.1txx.com

O1 - Hosts: 127.1 www.myovec.cn

O1 - Hosts: 127.1 po.uc-us.cn

O1 - Hosts: 127.1 219.139.83.20

O1 - Hosts: 127.1 www.msj007.cn

O1 - Hosts: 127.1 www.wyf009.cn

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 59.34.148.68

O1 - Hosts: 127.1 208.43.165.86

O1 - Hosts: 127.1 208.43.166.171

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 61.164.140.39

O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn

O1 - Hosts: 127.1 cwk1237.3322.org

O1 - Hosts: 127.1 www.woaigan.com

O1 - Hosts: 127.1 munchkin.marketo.net

O1 - Hosts: 127.1 post.marketo.net

O1 - Hosts: 127.1 www.mv2z.cn

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.wq9q.cn

O1 - Hosts: 127.1 facaizhifuok.cn

O1 - Hosts: 127.1 www.wo9188.cn

O1 - Hosts: 127.1 a.woaigan.com

O1 - Hosts: 127.1 b.woaigan.com

O1 - Hosts: 127.1 xxx.usxx.info

O1 - Hosts: 127.1 alenxya.1122mb.com

O1 - Hosts: 127.1 www.972se.com

O1 - Hosts: 127.1 972se.com

O1 - Hosts: 127.1 pic.03wyt.com

O1 - Hosts: 127.1 d.03wyt.com

O1 - Hosts: 127.1 xs.03wyt.com

O1 - Hosts: 127.1 www.8jse.net

O1 - Hosts: 127.1 8jse.net

O1 - Hosts: 127.1 www.bmwtvb.cn

O1 - Hosts: 127.1 www.kcuf-09.cn

O1 - Hosts: 127.1 www.dvgdfg4650.com

O1 - Hosts: 127.1 www.kcuf-08.cn

O1 - Hosts: 127.1 www.kcuf-11.cn

O1 - Hosts: 127.1 www.kcuf-12.cn

O1 - Hosts: 127.1 1aa1aa.com

O1 - Hosts: 127.1 xx.avno3.com

O1 - Hosts: 127.1 xxx.avno5.com

O1 - Hosts: 127.1 www.avno7.com

O1 - Hosts: 127.1 avno7.com

O1 - Hosts: 127.1 ok.avno4.com

O1 - Hosts: 127.1 ok.avno5.com

O1 - Hosts: 127.1 ok.avno6.com

O1 - Hosts: 127.1 ok.avno7.com

O1 - Hosts: 127.1 ok.avno9.com

O1 - Hosts: 127.1 avno1.com

O1 - Hosts: 127.1 avno3.com

O1 - Hosts: 127.1 avno4.com

O1 - Hosts: 127.1 aikanav.com

O1 - Hosts: 127.1 link.selink.org

O1 - Hosts: 127.1 www.avno6.com

O1 - Hosts: 127.1 avno6.com

O1 - Hosts: 127.1 4.chibbs.info

O1 - Hosts: 127.1 bbs.chibbs.info

O1 - Hosts: 127.1 aa.ss99.biz

O1 - Hosts: 127.1 se.ss99.biz

O1 - Hosts: 127.1 aa.sxlk.net

O1 - Hosts: 127.1 se.sxlk99.com

O1 - Hosts: 127.1 www.88xj.net

O1 - Hosts: 127.1 88xj.net

O1 - Hosts: 127.1 www.99xj.net

O1 - Hosts: 127.1 99xj.net

O1 - Hosts: 127.1 www.91semi.com

O1 - Hosts: 127.1 91semi.com

O1 - Hosts: 127.1 haobaidu.1122mb.com

O1 - Hosts: 127.1 xiao777.za.pl

O1 - Hosts: 127.1 ccavo6.avno6.com

O1 - Hosts: 127.1 a.sxlk99.com

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.qq08w12.cn

O1 - Hosts: 127.1 www.21xx.info

O1 - Hosts: 127.1 php-1.cn

O1 - Hosts: 127.1 www.v232.com

O1 - Hosts: 127.1 php-2.cn

O1 - Hosts: 127.1 php-3.cn

O1 - Hosts: 127.1 php-4.cn

O1 - Hosts: 127.1 php-5.cn

O1 - Hosts: 127.1 php-6.cn

O1 - Hosts: 127.1 php-7.cn

O1 - Hosts: 127.1 php-8.cn

O1 - Hosts: 127.1 php-9.cn

O1 - Hosts: 127.1 php-10.cn

O1 - Hosts: 127.1 php-11.cn

O1 - Hosts: 127.1 k.5x2x.com

O1 - Hosts: 127.1 a.5x2x.com

O1 - Hosts: 127.1 202.108.23.205

O1 - Hosts: 127.1 60.190.218.21

O1 - Hosts: 127.1 121.14.154.195

O1 - Hosts: 127.1 218.30.82.201

O1 - Hosts: 127.1 59.34.198.48

O1 - Hosts: 127.1 121.14.154.216

O1 - Hosts: 127.1 219.152.120.237

O1 - Hosts: 127.1 121.14.154.184

O1 - Hosts: 127.1 125.67.67.201

O1 - Hosts: 127.1 222.168.102.12

O4 - HKLM\..\Run: [HBService32] System.exe

O20 - AppInit_DLLs: mduaey.dll eskisl.dll lensch.dll micsus.dll cupops.dll jolndyo.dll johandy.dll aotoppt.dll pewire.dll comboaus.dll catower.dll wllame.dll,HBmhly.dll,HB1000Y.dll,HBXY2.dll,HBFY.dll,HBCONQUER.dll,HBSOUL.dll,HBCT.dll,HBQQSG.dll,HBQQFFO.dll

Select all of that with HijackThis, be sure all browser windows are closed, and click Fix.

You can go ahead and delete the avenger folder.


I don't think so, Raid...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:51:33 PM, on 9/22/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\system32\drivers\regvcs.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\mduaeyk.exe

c:\3j5r5e3j6c2.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\regvcs.exe

O1 - Hosts: 127.1 localhost

O1 - Hosts: 127.1 vt0r48p760.cn

O1 - Hosts: 127.1 www.1txx.com

O1 - Hosts: 127.1 www.myovec.cn

O1 - Hosts: 127.1 po.uc-us.cn

O1 - Hosts: 127.1 219.139.83.20

O1 - Hosts: 127.1 www.msj007.cn

O1 - Hosts: 127.1 www.wyf009.cn

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 59.34.148.68

O1 - Hosts: 127.1 208.43.165.86

O1 - Hosts: 127.1 208.43.166.171

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 61.164.140.39

O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn

O1 - Hosts: 127.1 cwk1237.3322.org

O1 - Hosts: 127.1 www.woaigan.com

O1 - Hosts: 127.1 munchkin.marketo.net

O1 - Hosts: 127.1 post.marketo.net

O1 - Hosts: 127.1 www.mv2z.cn

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.wq9q.cn

O1 - Hosts: 127.1 facaizhifuok.cn

O1 - Hosts: 127.1 www.wo9188.cn

O1 - Hosts: 127.1 a.woaigan.com

O1 - Hosts: 127.1 b.woaigan.com

O1 - Hosts: 127.1 xxx.usxx.info

O1 - Hosts: 127.1 alenxya.1122mb.com

O1 - Hosts: 127.1 www.972se.com

O1 - Hosts: 127.1 972se.com

O1 - Hosts: 127.1 pic.03wyt.com

O1 - Hosts: 127.1 d.03wyt.com

O1 - Hosts: 127.1 xs.03wyt.com

O1 - Hosts: 127.1 www.8jse.net

O1 - Hosts: 127.1 8jse.net

O1 - Hosts: 127.1 www.bmwtvb.cn

O1 - Hosts: 127.1 www.kcuf-09.cn

O1 - Hosts: 127.1 www.dvgdfg4650.com

O1 - Hosts: 127.1 www.kcuf-08.cn

O1 - Hosts: 127.1 www.kcuf-11.cn

O1 - Hosts: 127.1 www.kcuf-12.cn

O1 - Hosts: 127.1 1aa1aa.com

O1 - Hosts: 127.1 xx.avno3.com

O1 - Hosts: 127.1 xxx.avno5.com

O1 - Hosts: 127.1 www.avno7.com

O1 - Hosts: 127.1 avno7.com

O1 - Hosts: 127.1 ok.avno4.com

O1 - Hosts: 127.1 ok.avno5.com

O1 - Hosts: 127.1 ok.avno6.com

O1 - Hosts: 127.1 ok.avno7.com

O1 - Hosts: 127.1 ok.avno9.com

O1 - Hosts: 127.1 avno1.com

O1 - Hosts: 127.1 avno3.com

O1 - Hosts: 127.1 avno4.com

O1 - Hosts: 127.1 aikanav.com

O1 - Hosts: 127.1 link.selink.org

O1 - Hosts: 127.1 www.avno6.com

O1 - Hosts: 127.1 avno6.com

O1 - Hosts: 127.1 4.chibbs.info

O1 - Hosts: 127.1 bbs.chibbs.info

O1 - Hosts: 127.1 aa.ss99.biz

O1 - Hosts: 127.1 se.ss99.biz

O1 - Hosts: 127.1 aa.sxlk.net

O1 - Hosts: 127.1 se.sxlk99.com

O1 - Hosts: 127.1 www.88xj.net

O1 - Hosts: 127.1 88xj.net

O1 - Hosts: 127.1 www.99xj.net

O1 - Hosts: 127.1 99xj.net

O1 - Hosts: 127.1 www.91semi.com

O1 - Hosts: 127.1 91semi.com

O1 - Hosts: 127.1 haobaidu.1122mb.com

O1 - Hosts: 127.1 xiao777.za.pl

O1 - Hosts: 127.1 ccavo6.avno6.com

O1 - Hosts: 127.1 a.sxlk99.com

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.qq08w12.cn

O1 - Hosts: 127.1 www.21xx.info

O1 - Hosts: 127.1 php-1.cn

O1 - Hosts: 127.1 www.v232.com

O1 - Hosts: 127.1 php-2.cn

O1 - Hosts: 127.1 php-3.cn

O1 - Hosts: 127.1 php-4.cn

O1 - Hosts: 127.1 php-5.cn

O1 - Hosts: 127.1 php-6.cn

O1 - Hosts: 127.1 php-7.cn

O1 - Hosts: 127.1 php-8.cn

O1 - Hosts: 127.1 php-9.cn

O1 - Hosts: 127.1 php-10.cn

O1 - Hosts: 127.1 php-11.cn

O1 - Hosts: 127.1 k.5x2x.com

O1 - Hosts: 127.1 a.5x2x.com

O1 - Hosts: 127.1 202.108.23.205

O1 - Hosts: 127.1 60.190.218.21

O1 - Hosts: 127.1 121.14.154.195

O1 - Hosts: 127.1 218.30.82.201

O1 - Hosts: 127.1 59.34.198.48

O1 - Hosts: 127.1 121.14.154.216

O1 - Hosts: 127.1 219.152.120.237

O1 - Hosts: 127.1 121.14.154.184

O1 - Hosts: 127.1 125.67.67.201

O1 - Hosts: 127.1 222.168.102.12

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [HBService32] System.exe

O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main

O4 - HKLM\..\Run: [regvcs.exe] C:\WINDOWS\system32\drivers\regvcs.exe

O4 - HKLM\..\Run: [WinSysM] C:\WINDOWS\547661M.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: mduaey.dll zosdof.dll micsus.dll stepps.dll lensch.dll comboaus.dll jolndyo.dll aotoppt.dll pewire.dll catower.dll wllame.dll

O21 - SSODL: nauqskuc.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\fdnxdfix.dll

O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll

O21 - SSODL: xvoxwesl.dll - {2876D76C-CAAA-4313-AF97-8D1D9A2A1087} - C:\WINDOWS\System32\xvoxwesl.dll

O21 - SSODL: dsccuodg.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\irapqlzk.dll

O21 - SSODL: gcxpmpwr.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\gcxpmpwr.dll

O21 - SSODL: nptaqjhn.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\fwjraiqh.dll

O21 - SSODL: tcpstksq.dll - {D1CC9DC6-F0BC-40fc-9552-E497B05E05B8} - C:\WINDOWS\System32\sornmfcq.dll

O21 - SSODL: axmdemdl.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\fdnxdfix.dll

O21 - SSODL: dzgqomvw.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\jnpdngai.dll

O21 - SSODL: qhytdhjn.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\cieyfdzc.dll

O21 - SSODL: trbzviby.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\fsyexdrn.dll

O21 - SSODL: uyefqglo.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\zqrnrexc.dll

O21 - SSODL: nttbhksi.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\mugdddmy.dll

O21 - SSODL: qdvgadkt.dll - {76D44356-B494-443a-BEDC-AA68DE4255E6} - C:\WINDOWS\System32\qdvgadkt.dll

O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

O21 - SSODL: irapqlzk.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\irapqlzk.dll

O21 - SSODL: sornmfcq.dll - {D1CC9DC6-F0BC-40fc-9552-E497B05E05B8} - C:\WINDOWS\System32\sornmfcq.dll

O21 - SSODL: fwjraiqh.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\fwjraiqh.dll

O21 - SSODL: zqrnrexc.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\zqrnrexc.dll

O21 - SSODL: fdnxdfix.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\fdnxdfix.dll

O21 - SSODL: jnpdngai.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\jnpdngai.dll

O21 - SSODL: cieyfdzc.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\cieyfdzc.dll

O21 - SSODL: fsyexdrn.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\fsyexdrn.dll

O21 - SSODL: mugdddmy.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\mugdddmy.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 10232 bytes

This is all thanks to "my next charge"! :lol: Someone's been busy while I've been away :angry:

1.) Task manager doesn't work
2.) Internet/overall performance is slower
3.) A new app has been created in C:

Thanks for everything Raid, really, but unless this can be fixed tonight, this has all been a waste.

I might get at you when I get out though, since the PC still won't be clean.

Pray for me bro


Thanks Raid, my heart goes out to you and your family.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:59:35 PM, on 9/25/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\drivers\regvcs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\regvcs.exe

O1 - Hosts: 127.1 localhost

O1 - Hosts: 127.1 fffff8888fsgfbghj88.cn

O1 - Hosts: 127.1 61.134.37.12

O1 - Hosts: 127.1 ko.ssa387.cn

O1 - Hosts: 127.1 www.ndxrr.cn

O1 - Hosts: 127.1 12345.ssa387.cn

O1 - Hosts: 127.1 lihai88.com

O1 - Hosts: 127.1 wwwwhf.cn

O1 - Hosts: 127.1 a89369093.sq.u9idc.com

O1 - Hosts: 127.1 www.mmd178.cn

O1 - Hosts: 127.1 www.178mmd.cn

O1 - Hosts: 127.1 www.wenzhuoyyy.cn

O1 - Hosts: 127.1 tw.lovechina.tw.cn

O1 - Hosts: 127.1 222.189.238.151

O1 - Hosts: 127.1 222.179.185.78

O1 - Hosts: 127.1 www.wq9q.cn

O1 - Hosts: 127.1 593ffcey.cn

O1 - Hosts: 127.1 set.yay520.cn

O1 - Hosts: 127.1 tenmoc999.cn

O1 - Hosts: 127.1 lihai88.com

O1 - Hosts: 127.1 121.kcuf-01.com

O1 - Hosts: 127.1 www.ew1q.cn

O1 - Hosts: 127.1 www.b3sk.cn

O1 - Hosts: 127.1 up.bizmd.cn

O1 - Hosts: 127.1 www.ms2a.cn

O1 - Hosts: 127.1 www.wo9188.cn

O1 - Hosts: 127.1 www.fgetchr.cn

O1 - Hosts: 127.1 www.e6zx.cn

O1 - Hosts: 127.1 hai067.com

O1 - Hosts: 127.1 hai088.com

O1 - Hosts: 127.1 778899.jd8j.cn

O1 - Hosts: 127.1 sql.78-11.net

O1 - Hosts: 127.1 www.bbbirdy.com

O1 - Hosts: 127.1 www.s1na1.com.cn

O1 - Hosts: 127.1 www.dianyinjzd.cn

O1 - Hosts: 127.1 www.dj5201314dj.com

O1 - Hosts: 127.1 max-2.cn

O1 - Hosts: 127.1 a.asp-o.cn

O1 - Hosts: 127.1 b.asp-o.cn

O1 - Hosts: 127.1 c.asp-o.cn

O1 - Hosts: 127.1 x.kprobb.cn

O1 - Hosts: 127.1 js.php-k.cn

O1 - Hosts: 127.1 max-1.cn

O1 - Hosts: 127.1 max-3.cn

O1 - Hosts: 127.1 max-4.cn

O1 - Hosts: 127.1 max-5.cn

O1 - Hosts: 127.1 max-6.cn

O1 - Hosts: 127.1 max-7.cn

O1 - Hosts: 127.1 max-8.cn

O1 - Hosts: 127.1 max-9.cn

O1 - Hosts: 127.1 max-10.cn

O1 - Hosts: 127.1 max-11.cn

O1 - Hosts: 127.1 max-12.cn

O1 - Hosts: 127.1 twocannon250.com.cn

O1 - Hosts: 127.1 www.133mm.cn

O1 - Hosts: 127.1 www.51vmm.cn

O1 - Hosts: 127.1 www.7mmoo.cn

O1 - Hosts: 127.1 www.99mmm.org.cn

O1 - Hosts: 127.1 www.hdec.cn

O1 - Hosts: 127.1 www.picc18.com

O1 - Hosts: 127.1 www.kissdh.com

O1 - Hosts: 127.1 www.x7v.cn

O1 - Hosts: 127.1 biqulu.cn

O1 - Hosts: 127.1 2008.qq2006.com.cn

O1 - Hosts: 127.1 giaitrisex.com

O1 - Hosts: 127.1 www.giaitrisex.com

O1 - Hosts: 127.1 www.giaitrituoitre.net

O1 - Hosts: 127.1 mekiep.com

O1 - Hosts: 127.1 www.1sex1day.com

O1 - Hosts: 127.1 a.9ymm.com

O1 - Hosts: 127.1 bobo.7wyt.com

O1 - Hosts: 127.1 www.591caobi.cn

O1 - Hosts: 127.1 www.hrz008.cn

O1 - Hosts: 127.1 asp-15.cn

O1 - Hosts: 127.1 asp-12.cn

O1 - Hosts: 127.1 www.jb88.net

O1 - Hosts: 127.1 6.a88a.com

O1 - Hosts: 127.1 w.b2c3.cn

O1 - Hosts: 127.1 m.c5x8.com

O1 - Hosts: 127.1 www.518sfw.cn

O1 - Hosts: 127.1 www.jjyyzmj.cn

O1 - Hosts: 127.1 u.cnmrx.net

O1 - Hosts: 127.1 duowan.czm.cn

O1 - Hosts: 127.1 xccxcxcxcxcx.cn

O1 - Hosts: 127.1 google-yahoo.org.cn

O1 - Hosts: 127.1 tudou-net.org.cn

O1 - Hosts: 127.1 downloads.zango.com

O1 - Hosts: 127.1 ftp.surfnet.nl

O1 - Hosts: 127.1 bis.180solutions.com

O1 - Hosts: 127.1 installs.hotbar.com

O1 - Hosts: 127.1 www.hbdownloads.com

O1 - Hosts: 127.1 static.zangocash.com

O1 - Hosts: 127.1 www.qq-songli.cn

O1 - Hosts: 127.1 aa.9234.net

O1 - Hosts: 127.1 www.97love.info

O1 - Hosts: 127.1 97love.info

O1 - Hosts: 127.1 www.zyzhuiku.cn

O1 - Hosts: 127.1 zyzhuiku.cn

O1 - Hosts: 127.1 www.lang18.com

O1 - Hosts: 127.1 lang18.com

O1 - Hosts: 127.1 sao6666.com

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [regvcs.exe] C:\WINDOWS\system32\drivers\regvcs.exe

O4 - HKLM\..\Run: [WinWZSys] C:\WINDOWS\547661CQWZ.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBXY2.dll,HBFY.dll,HBCONQUER.dll,HBSOUL.dll,HBCT.dll,HBQQSG.dll,HBQQFFO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 7129 bytes

The PC is running a little better and Task Manager is running this time around. There is a new app in C:; I believe I mentioned it in the above post and I already uploaded it to the site.


  • Root Admin

Please follow the directions in the exact order posted.

Start Hijackthis and do a Scan Only and place a check mark on the following items

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h$$p://qus7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h$$p://srch-qus7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = h$$p://srch-qus7.hpwis.com/
    F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\regvcs.exe
    O4 - HKLM\..\Run: [WinWZSys] C:\WINDOWS\547661CQWZ.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBXY2.dll,HBFY.dll,HBCONQUER.dll,HBSOUL.dll,HBCT.dll,HBQQSG.dll,HBQQFFO.dll

Then click on Fix selected

You need to unhide your folders and files. Open My Computer, click on Tools, Folder Options, then the View tab, place a check mark in the following items.

Display the contents of the system folders

Show hidden files and folders

Then UNCHECK the following items

Hide extensions for known file types

Hide protected operating system files (Recommended)

Click on Apply, then OK

That should allow you to see all the hidden files and folders on the system.

Then open "My Computer" and open your C: drive and navigate to this location:
C:\WINDOWS\system32\drivers\etc

Once there you should see a file named hosts with no extension. Select that file and delete it.

Then start NOTEPAD and copy the text from the box below into the new Notepad document and save it as:

C:\WINDOWS\system32\drivers\etc\hosts

When saving the file from Notepad, on the Save as type: drop down make sure you select All Files

# Copyright © 1993-1999 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

# 102.54.94.97 rhino.acme.com # source server

# 38.25.63.10 x.acme.com # x client host


127.0.0.1 localhost

Then for now right click on the new hosts file you just created and select PROPERTIES, and near the bottom where it says Attributes: put a check mark on Read-only

Click Apply then OK.

Start Malwarebytes and go to the UPDATE tab and update the program again. You should get a database version of at least 1208.

Then click on the SCANNER tab and choose "Perform quick scan" (which is the default anyways). Then click on the SCAN button and let it run.

When it's done make sure all items are selected and choose to allow Malwarebytes to fix all of them. Then if requested to reboot go ahead and reboot the computer.

Then run Hijackthis again and do a scan only and post back BOTH logs.
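The fix list above and the hosts-file reset that follows it both come down to recognising which HijackThis lines are not normal. As an added example (not part of this thread, and not code from Trend Micro or Malwarebytes), here is a small Python triage script that applies those same checks to lines in the HijackThis v2 log format: a Shell= value with anything chained after Explorer.exe, hosts entries other than the single default "127.0.0.1 localhost", Run entries launching from the drivers folder, the Windows folder root or a drive root, the DisableTaskMgr/DisableRegedit policies, any non-empty AppInit_DLLs value, and shell service objects whose display name looks like a DLL filename. The sample log is constructed from the kinds of entries seen in this thread, and the location and naming rules are my own heuristics, not HijackThis's own logic.

```python
import re

# Constructed sample in HijackThis v2 format. The suspicious entries mirror the
# kinds of lines seen in this thread; KBD.EXE and nvsvc32.exe are benign.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\regvcs.exe
O1 - Hosts: 127.1 localhost
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.1 downloads.zango.com
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [WinWZSys] C:\WINDOWS\547661CQWZ.exe
O4 - HKLM\..\Run: [regvcs.exe] C:\WINDOWS\system32\drivers\regvcs.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll
O21 - SSODL: nauqskuc.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\fdnxdfix.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# A stock Windows hosts file contains only this mapping.
DEFAULT_HOSTS_ENTRY = ("127.0.0.1", "localhost")
# Policies that switch off built-in admin tools (the thread's "can't use task manager").
DISABLING_POLICIES = ("DisableTaskMgr", "DisableRegedit")


def _suspicious_exe_location(path):
    """Heuristic (my own, not HijackThis's): a Run entry pointing at an .exe in the
    drivers folder, directly in the Windows folder, or in a drive root is worth a look.
    A path followed by command-line arguments simply fails the .exe$ anchor."""
    p = path.strip('"').lower()
    if re.search(r"\\system32\\drivers\\[^\\]+\.exe$", p):
        return "executable in system32\\drivers (that folder holds .sys files, not programs)"
    if re.search(r"^[a-z]:\\[^\\]+\.exe$", p):
        return "executable in the root of the drive"
    if re.search(r"^[a-z]:\\windows\\[^\\]+\.exe$", p):
        return "executable directly in the Windows folder"
    return None


def triage_line(line):
    """Return (section, reason) if the HijackThis line deserves attention, else None."""
    line = line.strip()
    m = re.match(r"^(F2|O1|O4|O7|O20|O21)\s+-\s+(.*)$", line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)

    if section == "F2":
        # system.ini Shell= should be exactly Explorer.exe; anything appended is
        # started alongside the shell at every logon.
        sm = re.search(r"Shell=(.*)$", body)
        if sm and sm.group(1).strip().lower() != "explorer.exe":
            return section, "extra program chained onto Shell=: " + sm.group(1).strip()

    elif section == "O1":
        hm = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        if hm and (hm.group(1), hm.group(2)) != DEFAULT_HOSTS_ENTRY:
            return section, "hosts entry other than the default '127.0.0.1 localhost': %s %s" % hm.groups()

    elif section == "O4":
        rm = re.match(r".*\\Run:\s+\[[^\]]*\]\s+(.*)$", body)
        if rm:
            reason = _suspicious_exe_location(rm.group(1))
            if reason:
                return section, reason

    elif section == "O7":
        for pol in DISABLING_POLICIES:
            if re.search(pol + r"\s*=\s*1", body):
                return section, pol + "=1 policy set (blocks a built-in admin tool)"

    elif section == "O20":
        # AppInit_DLLs are injected into every process that loads user32.dll;
        # legitimate use is rare enough that any value should be reviewed.
        am = re.match(r"AppInit_DLLs:\s*(.+)$", body)
        if am and am.group(1).strip():
            return section, "AppInit_DLLs loads into every GUI process: " + am.group(1).strip()

    elif section == "O21":
        # Shell service objects normally carry a descriptive name, not a DLL filename.
        # Entries with a descriptive name still need manual review.
        sm = re.match(r"SSODL:\s+(\S+)\s+-\s+\{[^}]+\}\s+-\s+(.*)$", body)
        if sm:
            name, path = sm.group(1), sm.group(2)
            file_name = path.replace("/", "\\").rsplit("\\", 1)[-1]
            if name.lower().endswith(".dll"):
                return section, "shell service object named like a DLL file: %s -> %s" % (name, file_name)
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns a list of (section, reason, line)."""
    findings = []
    for raw in log_text.splitlines():
        hit = triage_line(raw)
        if hit:
            findings.append((hit[0], hit[1], raw.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (section, reason, line))
```

Running the script on the constructed sample reports eight lines and leaves the HP keyboard helper, the NVIDIA service and the stock localhost entry alone. The rules are deliberately narrow: they catch the patterns this thread shows (a chained Shell=, a rewritten hosts file, executables dropped where no program belongs, the task manager policy) and are not a substitute for reading the whole log.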

Thanks AS,

[problem] In etc, I tried to delete the host file but it didn't look like I was successful. I right-clicked on it and clicked on delete, then the message "The file 'hosts' is a system file. If you remove it, your computer, or one of your programs may no longer work correctly. Are you sure you want to move it to the recycling bin?" came up. I said yes and then the message disappeared but the hosts file never left. I did this again and went to the recycling bin to see what was there. Sure enough there were two identical copies of the hosts file so I deleted them from the bin. I clicked back on the etc folder and the hosts file was still there. My new hosts file I created in Notepad is there too, with a .txt extension. Read-only in properties too. The newly created hosts file's icon is like that of any other file created in Notepad. The old hosts file however has that paper with the fold in the corner and the little window on it icon.

I also didn't reboot right after I ran HijackThis because you never said to and you were pretty thorough.

MBAM:

Malwarebytes' Anti-Malware 1.28

Database version: 1209

Windows 5.1.2600 Service Pack 1

9/26/2008 7:46:14 AM

mbam-log-2008-09-26 (07-46-14).txt

Scan type: Quick Scan

Objects scanned: 53995

Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 5

Registry Keys Infected: 11

Registry Values Infected: 6

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 17

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot.

C:\WINDOWS\sysocmgr.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\Program Files\Messenger\msgmr.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{6d4c7e08-e021-414c-a42d-ab15a2302196} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{deef6582-9927-4cbd-897c-6a1f9e8c47de} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{da1de019-a6a8-ed40-4b87-248b2a93de99} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-293d48b2ae99} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbkernel32 (Backdoor.Bot) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbkernel32 (Backdoor.Bot) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel32 (Backdoor.Bot) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysocmgr (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\msnmsg (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HBService32 (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsysw (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot.

C:\WINDOWS\sysocmgr.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\Program Files\Messenger\msgmr.dll (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2HSTGFW7\20[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2VOH61EP\22[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2VOH61EP\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EB4JE9A9\18[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EB4JE9A9\21[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HJJXZLRG\05[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HJJXZLRG\19[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\Update.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\System.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\drivers\HBKernel32.sys (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\547661L.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\E.tmp (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot.

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:51:14 AM, on 9/26/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\drivers\regvcs.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\System32\svchost.exe

c:\3j5r5e3j6c2.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\regvcs.exe

O1 - Hosts: 127.1 localhost

O1 - Hosts: 127.1 fffff8888fsgfbghj88.cn

O1 - Hosts: 127.1 61.134.37.12

O1 - Hosts: 127.1 ko.ssa387.cn

O1 - Hosts: 127.1 www.ndxrr.cn

O1 - Hosts: 127.1 12345.ssa387.cn

O1 - Hosts: 127.1 lihai88.com

O1 - Hosts: 127.1 wwwwhf.cn

O1 - Hosts: 127.1 a89369093.sq.u9idc.com

O1 - Hosts: 127.1 www.mmd178.cn

O1 - Hosts: 127.1 www.178mmd.cn

O1 - Hosts: 127.1 www.wenzhuoyyy.cn

O1 - Hosts: 127.1 tw.lovechina.tw.cn

O1 - Hosts: 127.1 222.189.238.151

O1 - Hosts: 127.1 222.179.185.78

O1 - Hosts: 127.1 www.wq9q.cn

O1 - Hosts: 127.1 593ffcey.cn

O1 - Hosts: 127.1 set.yay520.cn

O1 - Hosts: 127.1 tenmoc999.cn

O1 - Hosts: 127.1 lihai88.com

O1 - Hosts: 127.1 121.kcuf-01.com

O1 - Hosts: 127.1 www.ew1q.cn

O1 - Hosts: 127.1 www.b3sk.cn

O1 - Hosts: 127.1 up.bizmd.cn

O1 - Hosts: 127.1 www.ms2a.cn

O1 - Hosts: 127.1 www.wo9188.cn

O1 - Hosts: 127.1 www.fgetchr.cn

O1 - Hosts: 127.1 www.e6zx.cn

O1 - Hosts: 127.1 hai067.com

O1 - Hosts: 127.1 hai088.com

O1 - Hosts: 127.1 778899.jd8j.cn

O1 - Hosts: 127.1 sql.78-11.net

O1 - Hosts: 127.1 www.bbbirdy.com

O1 - Hosts: 127.1 www.s1na1.com.cn

O1 - Hosts: 127.1 www.dianyinjzd.cn

O1 - Hosts: 127.1 www.dj5201314dj.com

O1 - Hosts: 127.1 max-2.cn

O1 - Hosts: 127.1 a.asp-o.cn

O1 - Hosts: 127.1 b.asp-o.cn

O1 - Hosts: 127.1 c.asp-o.cn

O1 - Hosts: 127.1 x.kprobb.cn

O1 - Hosts: 127.1 js.php-k.cn

O1 - Hosts: 127.1 max-1.cn

O1 - Hosts: 127.1 max-3.cn

O1 - Hosts: 127.1 max-4.cn

O1 - Hosts: 127.1 max-5.cn

O1 - Hosts: 127.1 max-6.cn

O1 - Hosts: 127.1 max-7.cn

O1 - Hosts: 127.1 max-8.cn

O1 - Hosts: 127.1 max-9.cn

O1 - Hosts: 127.1 max-10.cn

O1 - Hosts: 127.1 max-11.cn

O1 - Hosts: 127.1 max-12.cn

O1 - Hosts: 127.1 twocannon250.com.cn

O1 - Hosts: 127.1 www.133mm.cn

O1 - Hosts: 127.1 www.51vmm.cn

O1 - Hosts: 127.1 www.7mmoo.cn

O1 - Hosts: 127.1 www.99mmm.org.cn

O1 - Hosts: 127.1 www.hdec.cn

O1 - Hosts: 127.1 www.picc18.com

O1 - Hosts: 127.1 www.kissdh.com

O1 - Hosts: 127.1 www.x7v.cn

O1 - Hosts: 127.1 biqulu.cn

O1 - Hosts: 127.1 2008.qq2006.com.cn

O1 - Hosts: 127.1 giaitrisex.com

O1 - Hosts: 127.1 www.giaitrisex.com

O1 - Hosts: 127.1 www.giaitrituoitre.net

O1 - Hosts: 127.1 mekiep.com

O1 - Hosts: 127.1 www.1sex1day.com

O1 - Hosts: 127.1 a.9ymm.com

O1 - Hosts: 127.1 bobo.7wyt.com

O1 - Hosts: 127.1 www.591caobi.cn

O1 - Hosts: 127.1 www.hrz008.cn

O1 - Hosts: 127.1 asp-15.cn

O1 - Hosts: 127.1 asp-12.cn

O1 - Hosts: 127.1 www.jb88.net

O1 - Hosts: 127.1 6.a88a.com

O1 - Hosts: 127.1 w.b2c3.cn

O1 - Hosts: 127.1 m.c5x8.com

O1 - Hosts: 127.1 www.518sfw.cn

O1 - Hosts: 127.1 www.jjyyzmj.cn

O1 - Hosts: 127.1 u.cnmrx.net

O1 - Hosts: 127.1 duowan.czm.cn

O1 - Hosts: 127.1 xccxcxcxcxcx.cn

O1 - Hosts: 127.1 google-yahoo.org.cn

O1 - Hosts: 127.1 tudou-net.org.cn

O1 - Hosts: 127.1 downloads.zango.com

O1 - Hosts: 127.1 ftp.surfnet.nl

O1 - Hosts: 127.1 bis.180solutions.com

O1 - Hosts: 127.1 installs.hotbar.com

O1 - Hosts: 127.1 www.hbdownloads.com

O1 - Hosts: 127.1 static.zangocash.com

O1 - Hosts: 127.1 www.qq-songli.cn

O1 - Hosts: 127.1 aa.9234.net

O1 - Hosts: 127.1 www.97love.info

O1 - Hosts: 127.1 97love.info

O1 - Hosts: 127.1 www.zyzhuiku.cn

O1 - Hosts: 127.1 zyzhuiku.cn

O1 - Hosts: 127.1 www.lang18.com

O1 - Hosts: 127.1 lang18.com

O1 - Hosts: 127.1 sao6666.com

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [regvcs.exe] C:\WINDOWS\system32\drivers\regvcs.exe

O4 - HKLM\..\Run: [WinWZSys] C:\WINDOWS\547661CQWZ.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBXY2.dll,HBSO2.dll,HBFY.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI.dll,HBCT.dll,HBQQSG.dll,HBQQFFO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 6797 bytes

Task Manager still isn't working but the PC is running ok, just a little slow getting to this page.


  • Root Admin
When it's done make sure all items are selected and choose to allow Malwarebytes to fix all of them. Then if requested to reboot go ahead and reboot the computer.

You MUST REBOOT AFTER telling MB to clean up. THEN do the Hijackthis.

Please run MB again, update it again. Do a Quick Scan again. THEN REBOOT... REBOOT, REBOOT you must REBOOT

Then run another HJT scan AFTER the reboot.


My apologies AS and thank you for your patience.

As you might have read in earlier posts, there was someone who wouldn't cooperate with staying off the machine while I was trying to fix it. Waiting for my probation to end seemed like my best bet, with me wanting to express how I felt about the situation to that person (and that seeming to be the only solution to get cooperation). Serious consequences would've been handed down to me by the law had I not waited and violated probation. Probation was up Friday, did what I had to do; you can imagine I got into a little trouble. Anyways, sorry for the inconvenience; there shall be no more interruptions (hopefully).

While I was away, mom was using the computer. 4 new apps appeared in C:\, and Task Manager doesn't work.

Other than that, everything is fine

I'm not quite sure if you understood what I was trying to tell you in my last post, so I just went and did MBAM (let it reboot) and ran HijackThis.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:07:33 PM, on 10/2/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\drivers\PrdMgr.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\pchealth\helpctr\binaries\lsass.exe

C:\WINDOWS\system32\drivers\FmMgr.exe

c:\8b4l8r9h1v9.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\PrdMgr.exe

O1 - Hosts: 127.1 localhost

O1 - Hosts: 127.1 fffff8888fsgfbghj88.cn

O1 - Hosts: 127.1 61.134.37.12

O1 - Hosts: 127.1 ko.ssa387.cn

O1 - Hosts: 127.1 www.ndxrr.cn

O1 - Hosts: 127.1 12345.ssa387.cn

O1 - Hosts: 127.1 lihai88.com

O1 - Hosts: 127.1 wwwwhf.cn

O1 - Hosts: 127.1 a89369093.sq.u9idc.com

O1 - Hosts: 127.1 www.mmd178.cn

O1 - Hosts: 127.1 www.178mmd.cn

O1 - Hosts: 127.1 www.wenzhuoyyy.cn

O1 - Hosts: 127.1 tw.lovechina.tw.cn

O1 - Hosts: 127.1 222.189.238.151

O1 - Hosts: 127.1 222.179.185.78

O1 - Hosts: 127.1 www.wq9q.cn

O1 - Hosts: 127.1 593ffcey.cn

O1 - Hosts: 127.1 set.yay520.cn

O1 - Hosts: 127.1 tenmoc999.cn

O1 - Hosts: 127.1 lihai88.com

O1 - Hosts: 127.1 121.kcuf-01.com

O1 - Hosts: 127.1 www.ew1q.cn

O1 - Hosts: 127.1 www.b3sk.cn

O1 - Hosts: 127.1 up.bizmd.cn

O1 - Hosts: 127.1 www.ms2a.cn

O1 - Hosts: 127.1 www.wo9188.cn

O1 - Hosts: 127.1 www.fgetchr.cn

O1 - Hosts: 127.1 www.e6zx.cn

O1 - Hosts: 127.1 hai067.com

O1 - Hosts: 127.1 hai088.com

O1 - Hosts: 127.1 778899.jd8j.cn

O1 - Hosts: 127.1 sql.78-11.net

O1 - Hosts: 127.1 www.bbbirdy.com

O1 - Hosts: 127.1 www.s1na1.com.cn

O1 - Hosts: 127.1 www.dianyinjzd.cn

O1 - Hosts: 127.1 www.dj5201314dj.com

O1 - Hosts: 127.1 max-2.cn

O1 - Hosts: 127.1 a.asp-o.cn

O1 - Hosts: 127.1 b.asp-o.cn

O1 - Hosts: 127.1 c.asp-o.cn

O1 - Hosts: 127.1 x.kprobb.cn

O1 - Hosts: 127.1 js.php-k.cn

O1 - Hosts: 127.1 max-1.cn

O1 - Hosts: 127.1 max-3.cn

O1 - Hosts: 127.1 max-4.cn

O1 - Hosts: 127.1 max-5.cn

O1 - Hosts: 127.1 max-6.cn

O1 - Hosts: 127.1 max-7.cn

O1 - Hosts: 127.1 max-8.cn

O1 - Hosts: 127.1 max-9.cn

O1 - Hosts: 127.1 max-10.cn

O1 - Hosts: 127.1 max-11.cn

O1 - Hosts: 127.1 max-12.cn

O1 - Hosts: 127.1 twocannon250.com.cn

O1 - Hosts: 127.1 www.133mm.cn

O1 - Hosts: 127.1 www.51vmm.cn

O1 - Hosts: 127.1 www.7mmoo.cn

O1 - Hosts: 127.1 www.99mmm.org.cn

O1 - Hosts: 127.1 www.hdec.cn

O1 - Hosts: 127.1 www.picc18.com

O1 - Hosts: 127.1 www.kissdh.com

O1 - Hosts: 127.1 www.x7v.cn

O1 - Hosts: 127.1 biqulu.cn

O1 - Hosts: 127.1 2008.qq2006.com.cn

O1 - Hosts: 127.1 giaitrisex.com

O1 - Hosts: 127.1 www.giaitrisex.com

O1 - Hosts: 127.1 www.giaitrituoitre.net

O1 - Hosts: 127.1 mekiep.com

O1 - Hosts: 127.1 www.1sex1day.com

O1 - Hosts: 127.1 a.9ymm.com

O1 - Hosts: 127.1 bobo.7wyt.com

O1 - Hosts: 127.1 www.591caobi.cn

O1 - Hosts: 127.1 www.hrz008.cn

O1 - Hosts: 127.1 asp-15.cn

O1 - Hosts: 127.1 asp-12.cn

O1 - Hosts: 127.1 www.jb88.net

O1 - Hosts: 127.1 6.a88a.com

O1 - Hosts: 127.1 w.b2c3.cn

O1 - Hosts: 127.1 m.c5x8.com

O1 - Hosts: 127.1 www.518sfw.cn

O1 - Hosts: 127.1 www.jjyyzmj.cn

O1 - Hosts: 127.1 u.cnmrx.net

O1 - Hosts: 127.1 duowan.czm.cn

O1 - Hosts: 127.1 xccxcxcxcxcx.cn

O1 - Hosts: 127.1 google-yahoo.org.cn

O1 - Hosts: 127.1 tudou-net.org.cn

O1 - Hosts: 127.1 downloads.zango.com

O1 - Hosts: 127.1 ftp.surfnet.nl

O1 - Hosts: 127.1 bis.180solutions.com

O1 - Hosts: 127.1 installs.hotbar.com

O1 - Hosts: 127.1 www.hbdownloads.com

O1 - Hosts: 127.1 static.zangocash.com

O1 - Hosts: 127.1 www.qq-songli.cn

O1 - Hosts: 127.1 aa.9234.net

O1 - Hosts: 127.1 www.97love.info

O1 - Hosts: 127.1 97love.info

O1 - Hosts: 127.1 www.zyzhuiku.cn

O1 - Hosts: 127.1 zyzhuiku.cn

O1 - Hosts: 127.1 www.lang18.com

O1 - Hosts: 127.1 lang18.com

O1 - Hosts: 127.1 sao6666.com

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [regvcs.exe] C:\WINDOWS\system32\drivers\regvcs.exe

O4 - HKLM\..\Run: [WinWZSys] C:\WINDOWS\547661CQWZ.exe

O4 - HKLM\..\Run: [lsass.exe] C:\WINDOWS\pchealth\helpctr\binaries\lsass.exe

O4 - HKLM\..\Run: [FmMgr.exe] C:\WINDOWS\system32\drivers\FmMgr.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBXY2.dll,HBSO2.dll,HBFY.dll,HBKDXY.dll,HBZHUXIAN.dll,HBBO.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI.dll,HBCT.dll,HBQQSG.dll,HBQQFFO.dll

O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 7250 bytes


  • Root Admin

Start HJT and place a checkmark on the following items:

  • O4 - HKLM\..\Run: [regvcs.exe] C:\WINDOWS\system32\drivers\regvcs.exe
  • O4 - HKLM\..\Run: [WinWZSys] C:\WINDOWS\547661CQWZ.exe
  • O4 - HKLM\..\Run: [lsass.exe] C:\WINDOWS\pchealth\helpctr\binaries\lsass.exe
  • O4 - HKLM\..\Run: [FmMgr.exe] C:\WINDOWS\system32\drivers\FmMgr.exe
  • O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
  • O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBXY2.dll,HBSO2.dll,HBFY.dll,HBKDXY.dll,HBZHUXIAN.dll,HBBO.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI.dll,HBCT.dll,HBQQSG.dll,HBQQFFO.dll

Then click on Fix selected...

Please download Avenger 2.0 from here.

Open and copy the program file avenger.exe to your Desktop, then double click to start it.

Copy the following text from the code box below into the main window of Avenger:

Files to delete:
c:\8b4l8r9h1v9.exe
C:\WINDOWS\system32\drivers\etc\hosts
c:\windows\system32\drivers\PrdMgr.exe
c:\windows\system32\HBmhly.dll
c:\windows\system32\HB1000Y.dll
c:\windows\system32\HBXY2.dll
c:\windows\system32\HBSO2.dll
c:\windows\system32\HBFY.dll
c:\windows\system32\HBFY.dll
c:\windows\system32\HBKDXY.dll
c:\windows\system32\HBZHUXIAN.dll
c:\windows\system32\HBBO.dll
c:\windows\system32\HBCONQUER.dll
c:\windows\system32\HBSOUL.dll
c:\windows\system32\HBCHIBI.dll
c:\windows\system32\HBCT.dll
c:\windows\system32\HBQQSG.dll
c:\windows\system32\HBQQFFO.dll
C:\WINDOWS\system32\drivers\regvcs.exe
C:\WINDOWS\547661CQWZ.exe
C:\WINDOWS\pchealth\helpctr\binaries\lsass.exe
C:\WINDOWS\system32\drivers\FmMgr.exe

  • Place a check mark on "Scan for rootkits" but do not check any other boxes.
  • Close all other running applications.
  • After pasting the text into the main window of Avenger, click on Execute.

Once Avenger is done, start NOTEPAD and copy the following text into the new document.

Then do a File Save and save it as "C:\WINDOWS\system32\drivers\etc\hosts"

Make sure you use the quotes. Not just C:\WINDOWS\system32\drivers\etc\hosts or it will save it with a .TXT extension.

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

  1. Start MB and go to the UPDATE tab and update the program again and do a Quick Scan.
  2. When done scanning, make sure to check and allow it to fix anything found and reboot the computer.
  3. Then run a new Hijackthis scan only.

Post back the following logs:

  • Avenger
  • MB
  • HJT
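As an added example (not code from the thread, from HijackThis or from Malwarebytes), the Python below triages a HijackThis log for the entry types singled out in the fix list above: O4 Run keys that launch a system-binary name from the wrong directory or an .exe from the drivers folder, O7 Policies\System restrictions such as DisableRegedit, a populated O20 AppInit_DLLs, and an F2 Winlogon Shell with something appended after Explorer.exe (the shape that appears in the follow-up HJT log). The sample log is constructed from lines posted in this thread, and SYSTEM_DIRS/SYSTEM_NAMES are my assumptions for a default Windows XP layout.

```python
"""Triage a HijackThis (HJT) log for the persistence patterns seen in this thread.
Added example, not part of the thread or of HijackThis; it only parses log text."""
import re

# Assumed XP layout: where the genuine copies of these binaries live.  One of these
# names running from anywhere else (lsass.exe under pchealth\helpctr\binaries) is a masquerade.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system"}
SYSTEM_NAMES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "svchost.exe", "spoolsv.exe"}

SECTION_RE = re.compile(r"^([OFR]\d+) - (.*)$")                      # any HJT entry
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.*)$")     # Run key value
O7_RE = re.compile(r"^.*\\Policies\\System, (\w+)=(\d+)$")           # policy restriction
O20_RE = re.compile(r"^AppInit_DLLs: (.*)$")
F2_RE = re.compile(r"^REG:system\.ini: Shell=(.*)$", re.IGNORECASE)

def image_path(command: str) -> str:
    """Executable part of a Run value, lower-cased, with %WINDIR% expanded."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]   # quoted path; arguments follow the quote
    else:
        exe = command.split(None, 1)[0]      # unquoted: first token is the image
    return exe.lower().replace("%windir%", r"c:\windows")

def check_o4(body: str):
    """Reason string for a suspicious O4 entry, or None if it looks benign."""
    m = O4_RE.match(body)
    if not m:
        return None
    directory, _, name = image_path(m.group(1)).rpartition("\\")
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        return f"system binary name '{name}' loading from {directory or 'PATH lookup'}"
    if name.endswith(".exe") and directory.endswith("\\drivers"):
        return "executable planted in the drivers directory"
    return None

def triage(log_text: str) -> list:
    """Return (section, reason, line) for each suspicious entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue                         # headers, process list, blank lines
        section, body = m.groups()
        reason = None
        if section == "O4":
            reason = check_o4(body)
        elif section == "O7":
            p = O7_RE.match(body)
            if p and p.group(2) != "0":
                reason = f"policy restriction {p.group(1)} is set"
        elif section == "O20":
            p = O20_RE.match(body)
            if p and p.group(1).strip():
                reason = f"AppInit_DLLs injects {len(p.group(1).split(','))} DLL(s) into every GUI process"
        elif section == "F2":
            p = F2_RE.match(body)
            extra = [t for t in p.group(1).split() if t.lower() != "explorer.exe"] if p else []
            if extra:
                reason = "Winlogon Shell also launches " + " ".join(extra)
        if reason:
            findings.append((section, reason, line))
    return findings

# Constructed sample: entries copied from the HJT logs posted in this thread, plus
# benign lines (RealPlayer, nwiz, NVIDIA) that must not be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\LBTWiz.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [regvcs.exe] C:\WINDOWS\system32\drivers\regvcs.exe
O4 - HKLM\..\Run: [lsass.exe] C:\WINDOWS\pchealth\helpctr\binaries\lsass.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBXY2.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
```

Calling `triage(SAMPLE_LOG)` returns five findings (the F2, two O4, O7 and O20 lines) and leaves the RealPlayer, nwiz and NVIDIA entries alone.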


Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "nvmini" found!

DisplayName: NVIDIA Compatible Windows Miniport Driver

ImagePath: system32\DRIVERS\nvmini.sys

Start Type: 2 (Automatic)

Rootkit scan completed.

Error: file "c:\8b4l8r9h1v9.exe" not found!

Deletion of file "c:\8b4l8r9h1v9.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

File "C:\WINDOWS\system32\drivers\etc\hosts" deleted successfully.

Error: file "c:\windows\system32\drivers\PrdMgr.exe" not found!

Deletion of file "c:\windows\system32\drivers\PrdMgr.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBmhly.dll" not found!

Deletion of file "c:\windows\system32\HBmhly.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HB1000Y.dll" not found!

Deletion of file "c:\windows\system32\HB1000Y.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBXY2.dll" not found!

Deletion of file "c:\windows\system32\HBXY2.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBSO2.dll" not found!

Deletion of file "c:\windows\system32\HBSO2.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBFY.dll" not found!

Deletion of file "c:\windows\system32\HBFY.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBFY.dll" not found!

Deletion of file "c:\windows\system32\HBFY.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBKDXY.dll" not found!

Deletion of file "c:\windows\system32\HBKDXY.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBZHUXIAN.dll" not found!

Deletion of file "c:\windows\system32\HBZHUXIAN.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBBO.dll" not found!

Deletion of file "c:\windows\system32\HBBO.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBCONQUER.dll" not found!

Deletion of file "c:\windows\system32\HBCONQUER.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBSOUL.dll" not found!

Deletion of file "c:\windows\system32\HBSOUL.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBCHIBI.dll" not found!

Deletion of file "c:\windows\system32\HBCHIBI.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBCT.dll" not found!

Deletion of file "c:\windows\system32\HBCT.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBQQSG.dll" not found!

Deletion of file "c:\windows\system32\HBQQSG.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\HBQQFFO.dll" not found!

Deletion of file "c:\windows\system32\HBQQFFO.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\regvcs.exe" not found!

Deletion of file "C:\WINDOWS\system32\drivers\regvcs.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\547661CQWZ.exe" not found!

Deletion of file "C:\WINDOWS\547661CQWZ.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\pchealth\helpctr\binaries\lsass.exe" not found!

Deletion of file "C:\WINDOWS\pchealth\helpctr\binaries\lsass.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\FmMgr.exe" not found!

Deletion of file "C:\WINDOWS\system32\drivers\FmMgr.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:03:50 PM, on 10/3/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\drivers\LBTWiz.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\pchealth\helpctr\binaries\VTskMgr.exe

c:\i4p5a1y7a7s7.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\LBTWiz.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [LBTWiz.exe] C:\WINDOWS\system32\drivers\LBTWiz.exe

O4 - HKLM\..\Run: [VTskMgr.exe] C:\WINDOWS\pchealth\helpctr\binaries\VTskMgr.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 3448 bytes


Malwarebytes' Anti-Malware 1.28

Database version: 1226

Windows 5.1.2600 Service Pack 1

10/3/2008 5:27:40 PM

mbam-log-2008-10-03 (17-27-40).txt

Scan type: Quick Scan

Objects scanned: 54525

Time elapsed: 7 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 4

Registry Keys Infected: 11

Registry Values Infected: 4

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 19

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot.

C:\Program Files\Messenger\msgmr.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\7ADC2AB1.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{6d4c7e08-e021-414c-a42d-ab15a2302196} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{deef6582-9927-4cbd-897c-6a1f9e8c47de} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-293d48b2ae99} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{7adc2ab1-5c6a-4178-82da-94863354af7c} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbkernel32 (Backdoor.Bot) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbkernel32 (Backdoor.Bot) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel32 (Backdoor.Bot) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\msnmsg (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7adc2ab1-5c6a-4178-82da-94863354af7c} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HBService32 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot.

C:\Program Files\Messenger\msgmr.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\7ADC2AB1.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temp\15.cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8DYZW52N\05[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8DYZW52N\17[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8DYZW52N\19[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8DYZW52N\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GD2DESJ8\15[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GD2DESJ8\99[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QNE9INM5\13[2].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QNE9INM5\14[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QNE9INM5\18[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QNE9INM5\20[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VMGX3KOX\16[1].cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\System.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\drivers\HBKernel32.sys (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\Photo_14301.zip (Backdoor.Bot) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.28

Database version: 1226

Windows 5.1.2600 Service Pack 1

10/3/2008 5:48:32 PM

mbam-log-2008-10-03 (17-48-32).txt

Scan type: Quick Scan

Objects scanned: 54298

Time elapsed: 7 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Dayum, computer keeps restarting. Won't give me a chance to reply all in one post. It keeps restarting with that NT AUTHORITY\SYSTEM message. I took a pic so I now have the message in front of me. It reads:

This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM

Time before shutdown: (I think it starts at 59; when I took the picture I captured it at 15 seconds)

Message

The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code 0. The system will now shutdown and restart.

Anyways...

I ran into a few problems when I attempted to follow your instructions. Let's see if I can remember them now...

In hijackthis, when I went to fix what you told me to,

O4 - HKLM\..\Run: [lsass.exe] C:\WINDOWS\pchealth\helpctr\binaries\lsass.exe

O4 - HKLM\..\Run: [FmMgr.exe] C:\WINDOWS\system32\drivers\FmMgr.exe

were both gone. I did, however, 'fix' the rest without any problems (at least to my knowledge, I think so).

Then when I went to do Avenger, when it wanted to reboot, it started to and got stuck at 'closing network connections' longer than I've ever seen the machine stuck at that part after any kind of scan or whatever Avenger does. So I held the power button 'til it shut off. I turned it back on and a logfile came up. To me it seemed like it deleted everything successfully, though I do recall seeing the word "failed" a few times here and there. Anyways, I went to run MBAM and when it wanted to reboot, it got stuck at 'closing network connections' again. So I just held the button again until it shut off. When it booted up again, I ran MBAM again just in case, and it found nothing. As you can see I posted both logs. I did not, however, find the first Avenger log, the really detailed one. I ran Avenger again and the results are shown in the log I posted.


Sometimes not even 5 minutes; other times, maybe 20-30 minutes. Sometimes it won't come on for hours, or not at all.

No, unfortunately I do not have the Windows XP CD. Is that something I can obtain online?

Oh, Task Manager still doesn't work, and 2 new apps are still present in c:\ : "8u1e5q9s9y8.exe" and "i4p5a1y7a7s7.exe"


  • Root Admin

Yes, it is generating new code as we remove it, so we need to find the root cause to stop it from generating new malware.

The lead developer has been out of town on business and hopefully should be back tonight. Though I'm sure he will be inundated with work I'll see if he has time to review this post and provide me some feedback on it. So I may or may not be able to get back to this until later this weekend or Monday.

As for the CD, you could buy one online from places like Newegg.com or borrow one from a friend. We don't need their key; we just need the CD in case we need to do repairs that require the CD. Is this a Retail XP, OEM XP, or Volume License XP installation? What MFG and model of PC?


  • Root Admin

Well, you might have the XP CD that we're looking for if HP/Compaq set up their recovery disks that way.

If you can press F8 while the computer is starting and get to the Microsoft Recovery Console we can try to run some repair routines.

If the computer is unable to open Windows XP Safe Mode, use Microsoft Windows Recovery Console:

Restart your computer in the Microsoft Windows Recovery Console.

  1. Turn off the computer by pressing and holding the power button until the computer shuts down.

  2. Wait about 5 seconds.

  3. Press the power button to turn on the computer.

  4. Turn on the computer and immediately begin pressing the F8 key repeatedly (at the HP or Compaq logo screen) until the Windows Advanced Options Menu appears.

  5. Press the Down Arrow key until Return to OS Choices Menu (bottom of list) is highlighted, and press the Enter key.

  6. Press the Down Arrow key until Microsoft Windows Recovery Console is highlighted, and press the Enter key.

  7. At the screen