View Full Version : Major Problems
ok i am having a LOT of problems. i will start from the beginning.
i was downloading some files on edonkey (which i will never do again by the way!!!) and i decided to leave the room for awhile. i can back about 20 minutes later and found about 30 popups on my comp. i had to restart the comp to even be able to do anything. after i restarted i ran spybot and deleted about 50 diff things with it. but after i restarted there were a bunch of problems again. then i ran my anti virus program (trend anti virus). this detected about 30 viruses which i then removed. even after that i was still having problems. i was still getting popups. i was having a problem with my windows installer poping up continually. also i couldnt and still cant get my firewall to work. it says due to an unidentified problem windows cannot display firewall settings. then i ran spybot again and removed things yet again. after i did this most of the problems were gone. then i uninstalled all my java programs intending to install the newest version. unfortunately as i was doing this all my previous problems came back and after running spybot multiple times in safemode and running my antivirus i am still having many problems. teatimer is curently blocking things continually. i am about to run spybot again and after i do i will post the log. Tashi and Md usa spybot fan have been giving me advice and i have tried to do what i can but i just cant get this fixed. PLEASE HELP!!!!!! :)
by the way i want to thank Tashi and MD for all the help so far. they have givin me hope that i can fix my problems.
Previous topic:
http://forums.spybot.info/showthread.php?t=3272
oh by the way the things that teatimer is blocking continually are as follows
denied change of mlbjrc (category system startup global entry)
denied change of jhhkt (category system startup global entry)
they just keep poping up all the time.
sorry those are user entries not global
kioska you need to post the HJT log, no need for another Spybot log. :)
Before you post a log, and who will advise you. (http://forums.spybot.info/showthread.php?t=288)
ok i ran spybot again and found multiple items again. removed them and made a log.
LonnyRJones
2006-04-03, 23:23
For now turn off tea timer and dont turn it back on untill we suggest it please
Please disable SpybotSD TeaTimer for now
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon and Uncheck the box next to Teatimer.
"resident tea timer"protection of all-over system settings) active"
Close SpyBot.
I see youve been using msconfig, we need to see everything, do undue those changes, then a Hijackthis log made with hijackthis in a folder of its own, not ran from a temporary folder
ok i got hijack this and installed it. ran it and it made a log. hope this is what u need. THANK YOU very much for helping me.
whoops dont think that worked. once again.
i cant seem to attach the file ill list it here.
Logfile of HijackThis v1.99.1
Scan saved at 4:07:10 PM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\windowsautomaticupdates.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
E:\trend antivirus\PCClient.exe
E:\trend antivirus\TMOAgent.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\winrar\WinRAR.exe
E:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ednvs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oyuydkp.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\lewis\Application Data\Mozilla\Profiles\default\90h2q8uy.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\lewis\Application Data\Mozilla\Profiles\default\90h2q8uy.slt\prefs.js)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8BC00F10-96FD-D143-AF6D-BF5E631D66C3} - C:\WINDOWS\system32\cccxt.dll (file missing)
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\system32\OUGHYA~1.DLL (file missing)
O3 - Toolbar: Anonymizer 2005 Toolbar - {DB264E15-F83B-4603-BFC1-4EA7E3204686} - E:\anonymizer\AnonIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [w0961b1f.dll] RUNDLL32.EXE w0961b1f.dll,I2 00015a5f00961b1f
O4 - HKLM\..\Run: [PCClient.exe] "E:\trend antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\trend antivirus\TMOAgent.exe" /run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\adobe\Reader\reader_sl.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - E:\bodog\Bodog Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\ipod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roger Wilco Base Station - Unknown owner - E:\ROGERW~1\ROGERW~1\rwbs\rwbs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Windows Automatic Updates - Stanford University - C:\WINDOWS\system32\windowsautomaticupdates.exe
LonnyRJones
2006-04-04, 03:32
Go attach this file
C:\WINDOWS\system32\windowsautomaticupdates.exe
here please http://www.thespykiller.co.uk/forum/index.php?board=1.0
let us know when thats done
Post a report from this tool if any FILES show
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download It to C:\ dont start it yet
Go start run type
blbeta /expert
and hit ok or enter, click > scan then (wait untill its finished)> next, next again then exit there will be a new txt near blacklite. post it please.
hope this is what u want
04/03/06 20:03:13 [Info]: BlackLight Engine 1.0.35 initialized
04/03/06 20:03:13 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/03/06 20:03:13 [Note]: 7019 4
04/03/06 20:03:13 [Note]: 7005 0
04/03/06 20:03:15 [Note]: 7006 0
04/03/06 20:03:15 [Note]: 7011 1416
04/03/06 20:03:16 [Note]: 7026 0
04/03/06 20:03:16 [Note]: 7026 0
04/03/06 20:03:16 [Note]: 7024 3
04/03/06 20:03:16 [Info]: Hidden process: C:\WINDOWS\system32\ntwrse.exe
04/03/06 20:03:16 [Note]: 7024 3
04/03/06 20:03:16 [Info]: Hidden process: C:\WINDOWS\system32\ednvs.exe
04/03/06 20:03:16 [Note]: 7024 3
04/03/06 20:03:16 [Info]: Hidden process: C:\WINDOWS\system32\ednvs.exe
04/03/06 20:03:16 [Note]: 7024 3
04/03/06 20:03:16 [Info]: Hidden process: C:\WINDOWS\system32\ednvs.exe
04/03/06 20:03:16 [Note]: FSRAW library version 1.7.1015
04/03/06 20:04:44 [Info]: Hidden file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gbisy.exe
04/03/06 20:04:44 [Note]: 10002 1
04/03/06 20:06:13 [Info]: Hidden file: C:\WINDOWS\system32\oyuydkp.exe
04/03/06 20:06:13 [Note]: 10002 1
04/03/06 20:06:18 [Info]: Hidden file: C:\WINDOWS\system32\ntwrse.exe
04/03/06 20:06:18 [Note]: 10002 1
04/03/06 20:06:19 [Info]: Hidden file: C:\WINDOWS\system32\tbvrjmb.dll
04/03/06 20:06:19 [Note]: 10002 1
04/03/06 20:06:24 [Info]: Hidden file: C:\WINDOWS\system32\ednvs.exe
04/03/06 20:06:24 [Note]: 10002 1
04/03/06 20:06:35 [Info]: Hidden file: C:\WINDOWS\modxj.dll
04/03/06 20:06:35 [Note]: 10002 1
04/03/06 20:07:55 [Note]: 7007 0
i posted what i think is the right thing on the other site. not really sure if i did it right. there were 2 files with the same name and neither were a .exe that i could see.
sorry if im doing things wrong im not the best with this kind of stuff.
LonnyRJones
2006-04-04, 07:26
Run Hijackthis click >"config" then "misc tools" >"delete file on reboot"
and delete each of these file's, click no to the message to restart the PC after each.
(exact spelling counts!!! so dont browse to the files)
Copy/Paste these into the File name box then click Open, one at a time of cource.
C:\WINDOWS\system32\dmonwv.dll
then do
C:\WINDOWS\system32\windowsautomaticupdates.exe
Exit Hijackthis
Run Blacklite again the same way,. start run blbeta /expert
scan > next > select each file and choose rename for all of them,
next , Let Blackite restart your PC
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gbisy.exe
04/03/06 20:06:13 [Info]: Hidden file: C:\WINDOWS\system32\oyuydkp.exe
04/03/06 20:06:18 [Info]: Hidden file: C:\WINDOWS\system32\ntwrse.exe
04/03/06 20:06:19 [Info]: Hidden file: C:\WINDOWS\system32\tbvrjmb.dll
04/03/06 20:06:24 [Info]: Hidden file: C:\WINDOWS\system32\ednvs.exe
04/03/06 20:06:35 [Info]: Hidden file: C:\WINDOWS\modxj.dll
=============
There will be a windows error message, windows cannot open such and such file, cancel that, post back with another hijackthis log
ok not sure if i did all this right but i got my fingers crossed !!! :)
Heres the new log
Logfile of HijackThis v1.99.1
Scan saved at 11:49:18 PM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
E:\trend antivirus\PCClient.exe
E:\trend antivirus\TMOAgent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ednvs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oyuydkp.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\lewis\Application Data\Mozilla\Profiles\default\90h2q8uy.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\lewis\Application Data\Mozilla\Profiles\default\90h2q8uy.slt\prefs.js)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8BC00F10-96FD-D143-AF6D-BF5E631D66C3} - C:\WINDOWS\system32\cccxt.dll (file missing)
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\system32\OUGHYA~1.DLL (file missing)
O3 - Toolbar: Anonymizer 2005 Toolbar - {DB264E15-F83B-4603-BFC1-4EA7E3204686} - E:\anonymizer\AnonIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [w0961b1f.dll] RUNDLL32.EXE w0961b1f.dll,I2 00015a5f00961b1f
O4 - HKLM\..\Run: [PCClient.exe] "E:\trend antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\trend antivirus\TMOAgent.exe" /run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\adobe\Reader\reader_sl.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - E:\bodog\Bodog Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\ipod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roger Wilco Base Station - Unknown owner - E:\ROGERW~1\ROGERW~1\rwbs\rwbs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Windows Automatic Updates - Unknown owner - C:\WINDOWS\system32\windowsautomaticupdates.exe (file missing)
LonnyRJones
2006-04-04, 08:57
Were there any problems renaming the files with Blacklite ?
run it once more the same way , let me know if any files show or not ?
ok i did blacklight wrong. i just ran it not actually starting it with start run. i tried to do it again but it wont run that way. when i try to run it it says it cant find it. when i did that i just ran it by clicking on it. i saved it to my c drive. sorry about that. is there something im missing?
LonnyRJones
2006-04-04, 09:10
Go start run
c:\blbeta /expert
ok that worked! ran it , renamed em, restarted, got the error message and heres the new hijack log!
Logfile of HijackThis v1.99.1
Scan saved at 12:30:27 AM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
E:\trend antivirus\PCClient.exe
E:\trend antivirus\TMOAgent.exe
E:\adobe\Reader\reader_sl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\wuauclt.exe
E:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ednvs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oyuydkp.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\lewis\Application Data\Mozilla\Profiles\default\90h2q8uy.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\lewis\Application Data\Mozilla\Profiles\default\90h2q8uy.slt\prefs.js)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8BC00F10-96FD-D143-AF6D-BF5E631D66C3} - C:\WINDOWS\system32\cccxt.dll (file missing)
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\system32\OUGHYA~1.DLL (file missing)
O3 - Toolbar: Anonymizer 2005 Toolbar - {DB264E15-F83B-4603-BFC1-4EA7E3204686} - E:\anonymizer\AnonIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [w0961b1f.dll] RUNDLL32.EXE w0961b1f.dll,I2 00015a5f00961b1f
O4 - HKLM\..\Run: [PCClient.exe] "E:\trend antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\trend antivirus\TMOAgent.exe" /run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\adobe\Reader\reader_sl.exe
O4 - Global Startup: gbisy.exe.ren
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - E:\bodog\Bodog Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\ipod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roger Wilco Base Station - Unknown owner - E:\ROGERW~1\ROGERW~1\rwbs\rwbs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Windows Automatic Updates - Unknown owner - C:\WINDOWS\system32\windowsautomaticupdates.exe (file missing)
LonnyRJones
2006-04-04, 09:40
Great
Open a command prompt (start run type cmd press enter) type
sc delete "Windows Automatic Updates"
press enter, type exit and press enter to exit the command prompt
Start Hijackthis and place a check next to these items If there.
http://red.clientapps.yahoo.com/cust...ch/search.html
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ednvs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,oyuydkp.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: (no name) - {8BC00F10-96FD-D143-AF6D-BF5E631D66C3} - C:\WINDOWS\system32\cccxt.dll (file missing)
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\system32\OUGHYA~1.DLL (file missing)
O4 - HKLM\..\Run: [w0961b1f.dll] RUNDLL32.EXE w0961b1f.dll,I2 00015a5f00961b1f
O4 - Global Startup: gbisy.exe.ren
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated
Post back with another hijackthis log
ok i think i completed all of the above heres the log
Logfile of HijackThis v1.99.1
Scan saved at 1:42:13 AM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\trend antivirus\PCClient.exe
E:\trend antivirus\TMOAgent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\wuauclt.exe
E:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ednvs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oyuydkp.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\lewis\Application Data\Mozilla\Profiles\default\90h2q8uy.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\lewis\Application Data\Mozilla\Profiles\default\90h2q8uy.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\spybot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Anonymizer 2005 Toolbar - {DB264E15-F83B-4603-BFC1-4EA7E3204686} - E:\anonymizer\AnonIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCClient.exe] "E:\trend antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\trend antivirus\TMOAgent.exe" /run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\adobe\Reader\reader_sl.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - E:\bodog\Bodog Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\ipod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roger Wilco Base Station - Unknown owner - E:\ROGERW~1\ROGERW~1\rwbs\rwbs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
LonnyRJones
2006-04-04, 15:56
Looks like it came back, run blacklite again the same as before (/expert), post another of its logs.
yep 6 hidden again
04/04/06 00:22:05 [Info]: BlackLight Engine 1.0.35 initialized
04/04/06 00:22:05 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/04/06 00:22:05 [Note]: 7019 4
04/04/06 00:22:05 [Note]: 7005 0
04/04/06 00:22:14 [Note]: 7006 0
04/04/06 00:22:14 [Note]: 7022 0
04/04/06 00:22:14 [Note]: 7011 1460
04/04/06 00:22:14 [Note]: 7026 0
04/04/06 00:22:14 [Note]: 7026 0
04/04/06 00:22:14 [Note]: 7024 3
04/04/06 00:22:14 [Info]: Hidden process: C:\WINDOWS\system32\ntwrse.exe
04/04/06 00:22:14 [Note]: 7024 3
04/04/06 00:22:14 [Info]: Hidden process: C:\WINDOWS\system32\ednvs.exe
04/04/06 00:22:14 [Note]: 7024 3
04/04/06 00:22:14 [Info]: Hidden process: C:\WINDOWS\system32\ednvs.exe
04/04/06 00:22:14 [Note]: 7024 3
04/04/06 00:22:14 [Info]: Hidden process: C:\WINDOWS\system32\ednvs.exe
04/04/06 00:22:14 [Note]: FSRAW library version 1.7.1015
04/04/06 00:23:30 [Info]: Hidden file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gbisy.exe
04/04/06 00:23:30 [Note]: 10002 1
04/04/06 00:23:35 [Note]: 4020 9663 65536
04/04/06 00:23:35 [Note]: 4018 9663 65536
04/04/06 00:23:35 [Note]: 4020 9663 65536
04/04/06 00:23:35 [Note]: 4018 9663 65536
04/04/06 00:23:35 [Note]: 4020 9663 65536
04/04/06 00:23:35 [Note]: 4018 9663 65536
04/04/06 00:23:35 [Note]: 4020 9663 65536
04/04/06 00:23:35 [Note]: 4018 9663 65536
04/04/06 00:23:35 [Note]: 4020 9663 65536
04/04/06 00:23:35 [Note]: 4018 9663 65536
04/04/06 00:23:36 [Note]: 4020 9663 65536
04/04/06 00:23:36 [Note]: 4018 9663 65536
04/04/06 00:23:51 [Note]: 4020 32851 196608
04/04/06 00:23:51 [Note]: 4018 32851 196608
04/04/06 00:23:51 [Note]: 4020 32851 196608
04/04/06 00:23:51 [Note]: 4018 32851 196608
04/04/06 00:23:51 [Note]: 4020 32851 196608
04/04/06 00:23:51 [Note]: 4018 32851 196608
04/04/06 00:23:51 [Note]: 4020 32851 196608
04/04/06 00:23:51 [Note]: 4018 32851 196608
04/04/06 00:23:51 [Note]: 4020 32853 327680
04/04/06 00:23:51 [Note]: 4018 32853 327680
04/04/06 00:23:51 [Note]: 4020 32853 327680
04/04/06 00:23:51 [Note]: 4018 32853 327680
04/04/06 00:23:58 [Note]: 4020 32845 196608
04/04/06 00:23:58 [Note]: 4018 32845 196608
04/04/06 00:23:58 [Note]: 4020 32845 196608
04/04/06 00:23:58 [Note]: 4018 32845 196608
04/04/06 00:23:58 [Note]: 4020 32845 196608
04/04/06 00:23:58 [Note]: 4018 32845 196608
04/04/06 00:23:58 [Note]: 4020 32845 196608
04/04/06 00:23:58 [Note]: 4018 32845 196608
04/04/06 00:23:58 [Note]: 4020 32845 196608
04/04/06 00:23:58 [Note]: 4018 32845 196608
04/04/06 00:23:58 [Note]: 4020 32845 196608
04/04/06 00:23:58 [Note]: 4018 32845 196608
04/04/06 00:23:58 [Note]: 4020 32860 196608
04/04/06 00:23:58 [Note]: 4018 32860 196608
04/04/06 00:23:58 [Note]: 4020 32860 196608
04/04/06 00:23:58 [Note]: 4018 32860 196608
04/04/06 00:23:58 [Note]: 4020 32860 196608
04/04/06 00:23:58 [Note]: 4018 32860 196608
04/04/06 00:23:58 [Note]: 4020 32860 196608
04/04/06 00:23:58 [Note]: 4018 32860 196608
04/04/06 00:23:58 [Note]: 4020 32860 196608
04/04/06 00:23:58 [Note]: 4018 32860 196608
04/04/06 00:23:58 [Note]: 4020 32860 196608
04/04/06 00:23:58 [Note]: 4018 32860 196608
04/04/06 00:24:32 [Note]: 4013 29108
04/04/06 00:24:32 [Note]: 4020 30161 262144
04/04/06 00:24:32 [Note]: 4020 30161 262144
04/04/06 00:24:32 [Note]: 4018 30161 262144
04/04/06 00:24:32 [Note]: 4013 29108
04/04/06 00:24:32 [Note]: 4020 30161 262144
04/04/06 00:24:32 [Note]: 4018 30161 262144
04/04/06 00:25:05 [Info]: Hidden file: C:\WINDOWS\system32\oyuydkp.exe
04/04/06 00:25:05 [Note]: 10002 1
04/04/06 00:25:09 [Info]: Hidden file: C:\WINDOWS\system32\ntwrse.exe
04/04/06 00:25:09 [Note]: 10002 1
04/04/06 00:25:10 [Info]: Hidden file: C:\WINDOWS\system32\tbvrjmb.dll
04/04/06 00:25:10 [Note]: 10002 1
04/04/06 00:25:15 [Info]: Hidden file: C:\WINDOWS\system32\ednvs.exe
04/04/06 00:25:15 [Note]: 10002 1
04/04/06 00:25:25 [Info]: Hidden file: C:\WINDOWS\modxj.dll
04/04/06 00:25:25 [Note]: 10002 1
04/04/06 00:26:39 [Note]: 7007 0
LonnyRJones
2006-04-05, 00:03
Run blacklite again the same way, from start run
and rename all of those file's. in some infections legit files can show like explorer.exe, but not this paticular infection, so rename anything that shows
and let blacklite restart your pc after you have renamed all the files.
ok done. should i run blacklight again and post another log?
LonnyRJones
2006-04-05, 00:23
Yes, just to see if any files show, if not then post a hijackthis log.
damn all 6 found again :(
LonnyRJones
2006-04-05, 00:37
OK lets try Killbox (by Option_explicit)
Download Pocket Killbox to the desktop
http://www.downloads.subratam.org/KillBox.exe
If you already have killbox what version is it ?
Start Killbox place a tick next to [x]Delete on reboot Press the ALL Files button
Copy this whole list into the windows clipboard, all the Bolded below.
C:\WINDOWS\system32\oyuydkp.exe
C:\WINDOWS\system32\ntwrse.exe
C:\WINDOWS\system32\tbvrjmb.dll
C:\WINDOWS\system32\ednvs.exe
C:\WINDOWS\modxj.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gbisy.exe
Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt to restart the pc.
Run Blacklite again, any files show ?
If not Post a fresh hijackthis log
0 HIDDEN ITEMS FOUND!!!! :)
heres the jack log
Logfile of HijackThis v1.99.1
Scan saved at 3:48:48 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\trend antivirus\PCClient.exe
E:\trend antivirus\TMOAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\wuauclt.exe
E:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ednvs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oyuydkp.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\lewis\Application Data\Mozilla\Profiles\default\90h2q8uy.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\lewis\Application Data\Mozilla\Profiles\default\90h2q8uy.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\spybot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Anonymizer 2005 Toolbar - {DB264E15-F83B-4603-BFC1-4EA7E3204686} - E:\anonymizer\AnonIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCClient.exe] "E:\trend antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\trend antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [mlbjrc] C:\WINDOWS\system32\ntwrse.exe reg_run
O4 - HKCU\..\Run: [jhhkt] C:\WINDOWS\system32\ntwrse.exe reg_run
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\adobe\Reader\reader_sl.exe
O4 - Global Startup: gbisy.exe.ren
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - E:\bodog\Bodog Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\ipod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roger Wilco Base Station - Unknown owner - E:\ROGERW~1\ROGERW~1\rwbs\rwbs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
LonnyRJones
2006-04-05, 00:55
That did it
Start Hijackthis and place a check next to these items If there.
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ednvs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,oyuydkp.exe
O4 - HKLM\..\Run: [mlbjrc] C:\WINDOWS\system32\ntwrse.exe reg_run
O4 - HKCU\..\Run: [jhhkt] C:\WINDOWS\system32\ntwrse.exe reg_run
O4 - Global Startup: gbisy.exe.ren
Optional fix >
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated
To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
Let us know if there are any problems
thanks for the help. unforunately 2 of my problems are still here.
when i try to start my antivirus program it doesnt start. it says the system is busy and is unable to query the Real-time Scanning service status. please restart.
also it still wont let me start my firewall. says due to an unidentified problem windows cannot display windows firewall settings
LonnyRJones
2006-04-05, 01:25
Uninstall the antivirus program restart the PC and install again, tried that yet ?
Thanks for quoting the other error
http://windowsxp.mvps.org/sharedaccess.htm
ok reinstalled the antivirus and did a scan. found 26 viruses. 5 of which are from killbox and 2 of which are from hijackthis. should i delete them all?
also when i try to download the sharedaccess.reg for the firewall it tries to download as a text document. am i doing something wrong?
LonnyRJones
2006-04-05, 02:18
Yes go ahead and let it delete all of them
Try rightclick "save target as" on the link to that reg file, and save it to your desktop, then run, any luck ?
Also there are a couple links near the bottom that might help if the reg file doesnt.
Why not use a third party firewall, they are much better than SP2's builtin firewall.
thanks for everything am very gratefull for all the help. im gonna use a diff firewall that was on the other post u provided. gonna follow ALL the advice on that post as well!!! :)
once im done with everything ill check with antivirus and spybot again and see if theres anything left.
wow u guys are fantastic!! virus detected nothing and spybot detected nothing!! i feel safe again. and now i am using zone alarm for my firewall. using a bunch of new things as suggested. i cant thank u enough for all the help!!
i have one more problem that im hopin u can help me with. i downloaded java and installed it but it doesnt seem to work. any ideas?
LonnyRJones
2006-04-05, 06:06
What does it say here ?
Java test: http://java.com/en/download/help/testvm.jsp
ok got it working thanks once again!!! :)
LonnyRJones
2006-04-05, 11:42
Great
Post back in a day or two and let us know how the PC is acting please
sorry it took so long to update u!!
things are doing great. althought there is still one problem. i still here a clicking noise on occasion. its the same noise that u here when u access a file. happens randomly when im not doing anything. makes me very nervous like someone is using my comp without me knowing it.
as far as viruses go i run anti virus daily and have caught a few new ones. when i run spybot it almost always comes up clean!! :)
i installed zone alarm firewall and so far almost 10,000 access attempts blocked. that seems a little excesive. but i am very glad i have zone alarm now and not windows firewall. windows firewall is useless!!
its actually time for another scan with spybot and antivirus. ill post back with the results!!
just updated spybot and antivirus and scanned again. no siruses and no spyware!! :)
thank u once again for all the help. i will be making a donation to spybot when my funds allow!! also i will be telling everyone i know about the great experience i had with u guys!!
LonnyRJones
2006-04-10, 06:18
Good to hear your pc is ok
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.