cmdservice and a computer without internet/



modernlife
2006-07-22, 05:54
Well, today I woke up to my brother yelling about popups, and somehow my computer overnight got absolutely infested by adware and such, and popups were coming left and right. I've been working for around 4 hours to fix this, and I think I almost got it down, except cmdservice and this dll file that keeps changing its name whenever I shut it down; one example of the name is m0456lahs1d46.dll in the system32 folder, and every time I delete it it comes right back with a new name. I can't post a HJT log, but I'm positive the only malicious thing on it is that dll file. Can anyone help?

modernlife
2006-07-22, 05:55
And I forgot to mention that during the "fixing" I deleted anything on HJT that looked remotely suspicious, and the internet eventually went down. None of the other comps on my network are down. Could that be the problem, me deleting something important? Haha ;/ And if so, how can I fix it? I already used system restore.

modernlife
2006-07-22, 08:08
aaand I got the internet to fix, so.

Logfile of HijackThis v1.99.1
Scan saved at 2:06:59 AM, on 7/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\AIM\aim.exe
D:\WINDOWS\system32\svchost.exe
D:\DOCUME~1\Computer\LOCALS~1\Temp\Rar$EX00.484\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [atjd6631] RUNDLL32.EXE w79ce80b.dll,n 001d66300000000379ce80b
O4 - HKLM\..\Run: [w79d289e.dll] RUNDLL32.EXE w79d289e.dll,I2 001d6630079d289e
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] D:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{995ACCDA-83AC-45FC-A289-CB77374AF38E}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7C7EBCA-85A7-4ECD-AA44-D0A0B711A264}: NameServer = 192.168.1.1
O20 - Winlogon Notify: Shell Extensions - D:\WINDOWS\system32\fp4803hue.dll

modernlife
2006-07-22, 19:21
Logfile of HijackThis v1.99.1
Scan saved at 1:19:05 PM, on 7/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\ewido anti-spyware 4.0\ewido.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Winamp\winamp.exe
D:\DOCUME~1\Computer\LOCALS~1\Temp\Rar$EX00.484\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "D:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Steam] "d:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] D:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iwaut] D:\WINDOWS\system32\miocse.exe reg_run
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{995ACCDA-83AC-45FC-A289-CB77374AF38E}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7C7EBCA-85A7-4ECD-AA44-D0A0B711A264}: NameServer = 192.168.1.1
O20 - Winlogon Notify: App Paths - D:\WINDOWS\system32\k2080cduef080.dll
O20 - Winlogon Notify: CSCSettings - D:\WINDOWS\system32\j40sled71h0.dll (file missing)
O20 - Winlogon Notify: Reinstall - D:\WINDOWS\system32\m046lahs1d46.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\jt8407lqe.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HoudiniLicenseServer - Side Effects Software Inc. - D:\WINDOWS\system32\sesinetd.exe
O23 - Service: HoudiniServer - Side Effects Software Inc. - D:\WINDOWS\system32\hserver.exe


I got almost EVERYTHING fixed except my devices aren't being recognized at ALL.
http://img227.imageshack.us/img227/4306/screenshot009zw4.jpg
http://img127.imageshack.us/img127/6969/screenshot008eu3.jpg
http://img114.imageshack.us/my.php?image=screenshot010qn8.jpg

pskelley
2006-07-22, 21:17
Hello and welcome to the forum. If you still need help and are not receiving it elsewhere, follow these instructions.

1) HJT is running from an unsafe TEMP folder where it can store no backups if needed for safety. I prefer you move it here: C:\HJT\HijackThis.exe. If you need more instructions, use these:
http://russelltexas.com/malware/createhjtfolder.htm
http://www.bleepingcomputer.com/forums/tutorial94.html
Please don't proceed until you fix this.

2) You are running MSConfig in Selective Startup mode. I must see all logs in Normal Mode unless I request otherwise.

3) Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen, check that the Task Scheduler service is running.
If it isn't, you can use sc.exe to start it:

Start > Run, type sc start schedule and press Enter.

Restart the computer and post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log along with any comments you think will help. We will have more to do.

Thanks...pskelley
Safer Networking Forums
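The O20 "Winlogon Notify" entries with rotating DLL names and the O4 line that starts RUNDLL32 on a pathless DLL are the Look2Me pattern pskelley's step 3 targets. As an added example (not from this thread, HijackThis or Look2Me-Destroyer), here is a small Python triage script that picks those lines out of HijackThis-style log text; the sample lines are constructed to mirror the posted log, and the letters/digits heuristic in `looks_random` is an assumption for illustration, not a published detection rule.

```python
import re

# Constructed sample in the shape of the HijackThis v1.99.1 log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [atjd6631] RUNDLL32.EXE w79ce80b.dll,n 001d66300000000379ce80b
O4 - HKCU\..\Run: [iwaut] D:\WINDOWS\system32\miocse.exe reg_run
O20 - Winlogon Notify: App Paths - D:\WINDOWS\system32\k2080cduef080.dll
O20 - Winlogon Notify: Reinstall - D:\WINDOWS\system32\m046lahs1d46.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# O20: a Winlogon Notify subkey loading a DLL, possibly already renamed away on disk.
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+?\.dll)"
    r"(?P<missing> \(file missing\))?\s*$", re.I)
# O4: a Run entry that starts rundll32 on a DLL given with no directory at all.
O4_RUNDLL_RE = re.compile(
    r"^O4 - .*?: \[(?P<name>[^\]]+)\] rundll32(?:\.exe)?\s+\"?(?P<dll>[^\s\",]+\.dll)", re.I)


def looks_random(stem: str) -> bool:
    """Assumed heuristic: the rotating names in this thread (k2080cduef080, w79ce80b,
    m046lahs1d46) alternate letter and digit runs at least three times; ordinary
    DLL names such as avgupsvc or mfc42 do not."""
    runs = re.findall(r"[a-z]+|\d+", stem.lower())
    return len(runs) >= 3 and any(r.isdigit() for r in runs)


def find_look2me_indicators(log_text: str) -> list[dict]:
    """Return the O20/O4 lines matching the Look2Me pattern, each with its reasons."""
    hits = []
    for line in log_text.splitlines():
        m = O20_RE.match(line)
        if m:
            dll = m.group("path").rsplit("\\", 1)[-1]
            reasons = []
            if looks_random(dll[:-4]):
                reasons.append("random-looking dll name")
            if m.group("missing"):
                reasons.append("file missing (name already rotated)")
            if reasons:
                hits.append({"section": "O20", "key": m.group("key"),
                             "file": dll, "reasons": reasons})
            continue
        m = O4_RUNDLL_RE.match(line)
        if m and "\\" not in m.group("dll") and looks_random(m.group("dll")[:-4]):
            hits.append({"section": "O4", "key": m.group("name"), "file": m.group("dll"),
                         "reasons": ["rundll32 loading a pathless random-named dll"]})
    return hits
```

Legitimate entries such as the Winamp Run key and the AVG service pass through untouched, while the three Look2Me-style lines are returned with the reason each one tripped.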

tashi
2006-07-27, 07:28
modernlife?

tashi
2006-07-28, 15:59
This topic is closed due to lack of a response to helper.

If you need it re-opened please send me a pm and provide a link to the thread.

Applies only to the original topic starter.