
Out of Control in Clearwater, FL.



drlaw
2006-09-26, 00:32
Thank you tashi for explaining the procedures. I really let something bad in this time! Normally I can find and fix problems that get into my system but this time it's out of hand. I am operating in "Safe Mode while Networking" because I can't even log into "Normal Mode" due to the problems I have. I ran Spybot, Ad-Aware SE Personal, and every other free program I could acquire including HiJack This. I may have deleted some files needed to get into normal mode in XP and don't have an XP disk but will handle that after I can get rid of these issues. I am currently running McAfee VirusScan as well. I have included my HiJack This log below and could use some help ASAP.

THANK YOU ALL FOR ANY ASSISTANCE!

Logfile of HijackThis v1.99.1
Scan saved at 4:25:08 PM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6UHTEKYI\Windows-KB890830-V1.20[1].exe
c:\6019c1248597457d80\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XM1R12SH\stng260[1].exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\katdc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,uubhmlv.exe
O2 - BHO: (no name) - {075738E0-4E91-949D-E247-086D6976722D} - C:\WINDOWS\system32\efuykhi.dll
O2 - BHO: (no name) - {14CC93EB-4A0E-F4F1-57F1-091E3A487F08} - C:\WINDOWS\system32\rohhwrn.dll
O2 - BHO: (no name) - {17C3B378-B76C-8217-3E2D-093B4F06E913} - C:\WINDOWS\system32\hlbsjxn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {708DCA05-C114-8443-5508-0178C5969822} - C:\WINDOWS\system32\drculeb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4856/mcfscan.cab
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\dnnm0151e.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

pskelley
2006-09-26, 13:16
Welcome to the forum, I will see what I can do with these limitations. I see a Qoologic trojan and other junk, and suggest you proceed like this.

1) You are running HJT.exe from a .zip file in a Temporary Directory. This is unsafe as we will have no backups. That is why you received this message when you used HJT: http://russelltexas.com/malware/images/unsafefolder.gif
Please use the information in the following link to place HJT in a permanent, safe folder, I prefer C:\HJT\HijackThis.exe. If you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

2) Thanks to sUBs and anyone who helped with this fix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If the log is large, you might need to post half in one reply, half in another.

3) Post a new HJT log also.

Thanks
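
Added example, not part of the original thread and not HijackThis's or the helpers' own tooling: a short triage script over a HijackThis log like the one posted above. It flags F2 entries that add programs beyond the Windows XP defaults, unnamed BHOs loaded from system32, and O20 entries whose file is missing; the sample lines are copied from the log in this thread, and the three heuristics are assumptions for a first-pass review, not a verdict on any entry.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\katdc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,uubhmlv.exe
O2 - BHO: (no name) - {075738E0-4E91-949D-E247-086D6976722D} - C:\WINDOWS\system32\efuykhi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\dnnm0151e.dll (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
# Windows XP defaults for the two Winlogon values HijackThis reports as F2.
F2_DEFAULTS = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}


def basename(path):
    """Lower-cased file name of a Windows path, quotes and spaces removed."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (section, reason, line) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header lines, process list, blanks
        section, body = m.groups()
        if section == "F2":
            f2 = re.match(r"REG:system\.ini: (\w+)=(.*)$", body)
            if f2:
                name, value = f2.group(1).lower(), f2.group(2)
                progs = [basename(p) for p in value.split(",") if p.strip()]
                extras = [p for p in progs if p not in F2_DEFAULTS.get(name, set())]
                if extras:
                    findings.append((section, f"extra {name} program(s): {', '.join(extras)}", raw))
        elif section == "O2" and "(no name)" in body and "\\system32\\" in body.lower():
            findings.append((section, "unnamed BHO loaded from system32", raw))
        elif section == "O20" and body.endswith("(file missing)"):
            findings.append((section, "Winlogon Notify entry points to a missing file", raw))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```
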

tashi
2006-10-03, 00:35
Still with us drlaw?

LonnyRJones
2006-10-07, 07:08
Due to lack of responses, this thread is closed.
If you still need assistance a new log will be needed, send me or Tashi a PM (personal message) and we will re-open it.