I have Tagasaurus, here is my HJT log



strocket
2006-10-30, 07:23
PLEASE HELP!!!

I also have a problem with my Windows Media Player. It keeps giving me an error box that says I have a certain version and that it should be another version. I'm not sure if this has anything to do with malware though.

Thanks for your help!!


Logfile of HijackThis v1.99.1
Scan saved at 12:15:03 AM, on 10/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://unimax.us/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 109.354.0.142
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=196.162.0.458:3
R3 - URLSearchHook: (no name) - <default> - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\fljut.exe
F3 - REG:win.ini: run=,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pgqxeid.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - blank (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels8.exe
O4 - HKLM\..\Run: [sys11-2002544790] C:\WINDOWS\sys11-2002544790.exe
O4 - HKLM\..\Run: [sys0302544790-20] C:\WINDOWS\sys0302544790-20.exe
O4 - HKLM\..\Run: [ms05544790-2002] C:\WINDOWS\ms05544790-2002.exe
O4 - HKLM\..\Run: [win320990-20025447] C:\WINDOWS\win320990-20025447.exe
O4 - HKLM\..\Run: [ms0644790-20025] C:\WINDOWS\ms0644790-20025.exe
O4 - HKLM\..\Run: [ms042544790-200] C:\WINDOWS\ms042544790-200.exe
O4 - HKLM\..\Run: [win3208790-2002544] C:\WINDOWS\win3208790-2002544.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels8.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Find Fast.lnk.disabled
O4 - Startup: Office Startup.lnk.disabled
O4 - Startup: Privoxy.lnk.disabled
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136452641804
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sysprotect.com/scanner/pages/scanner/SysProtectScannerInstall.cab
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O21 - SSODL: msvcrt64.dll - {F30A199C-D9FA-4BF2-A1CD-884496D6B37A} - msvcrt64.dll (file missing)
O21 - SSODL: qwcAPoEOH - {88A3976B-2209-3DC1-9913-0BC68DE7CE87} - C:\WINDOWS\System32\tqp.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

shelf life
2006-11-03, 01:10
Hi strocket,

You have quite a collection.

If you still need some help:
First move HJT out of the temp dir, or just delete it and redownload it following this:

* Downloads:
* Please make sure you have the latest version. HJT 1.99.1
* http://www.downloads.subratam.org/hijackthis.zip
* If you are unfamiliar with zip programs get HijackThis.exe here:
* http://www.merijn.org/files/HijackThis.exe

* First put hijackthis into a permanent folder.
* Do this first - go to C: and create a new permanent folder.
Example C:\AntiSpyWare or C:\hijackthis
* This is necessary to ensure you have backups should anything go wrong.
* Then put (or download - choose "save" not "run") the hijackthis.exe file in this folder.
If you downloaded a zipped HJT file unzip it to the permanent folder so you have C:\hijackthis\hijackthis.exe.
* Example of the wrong way:
C:\DOCUME~1\Name\LOCALS~1\Temp\Temporary Directory for hijackthis.zip\HijackThis.exe
* Running HJT from the wrong folder may delay assistance, as your helper will have to ask for a new log.

* Double click HijackThis.exe.
* Hit None Of The Above, just start the program.
* Hit Scan.
* When the scan is finished, the "Scan" button will change into a "Save Log" button.
------------------------------------------------------------------------
Next: go out and grab AVG Anti-Spyware (Ewido). Install and update it, then do a scan with it:
http://www.ewido.net/en/


I don't see any antivirus app, so:

First stop:
Kaspersky virus scanner
http://www.kaspersky.com/virusscanner


Click on the Kaspersky Online Scanner button and accept the statement.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

* The program will launch and then begin downloading the latest definition files:(may take awhile to complete)
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
>Extended (if available otherwise Standard)
o Scan Options:
>Scan Archives
>Scan Mail Bases
* Click OK
* Now under select a target to scan:
Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
-------------------------------------------------------------------------
After that, please rescan with HJT and post another HJT log. More to do.

shelf life

strocket
2006-11-03, 06:37
Here is my new log:




Logfile of HijackThis v1.99.1
Scan saved at 11:36:44 PM, on 11/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ocsqtd.exe
C:\WINDOWS\system32\fljut.exe
C:\WINDOWS\system32\fljut.exe
C:\WINDOWS\system32\fljut.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://unimax.us/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=196.162.0.458:3
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\fljut.exe
F3 - REG:win.ini: run=,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pgqxeid.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - blank (file missing)
O4 - HKLM\..\Run: [ntwitb] C:\WINDOWS\system32\ocsqtd.exe reg_run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [anotherap2] C:\WINDOWS\mmpopoct.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\testtestt.exe
O4 - HKLM\..\Run: [gaykkun.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gaykkun.dll,tttgsvf
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [adir] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKLM\..\Run: [hdlpscom] netgzygt.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\testtestt.exe
O4 - HKLM\..\RunServices: [hdlpscom] netgzygt.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [kpeju] C:\WINDOWS\system32\ocsqtd.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\17360818.exe
O4 - HKCU\..\Run: [Winsty] C:\WINDOWS\loader429097.exe
O4 - Startup: Microsoft Find Fast.lnk.disabled
O4 - Startup: Office Startup.lnk.disabled
O4 - Startup: Privoxy.lnk.disabled
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: fkpuucvm.t
O4 - Global Startup: gjera.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
O4 - Global Startup: tncqgurm.t
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162193441020
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sysprotect.com/scanner/pages/scanner/SysProtectScannerInstall.cab
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - C:\Program Files\Batty2\Batty2.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O21 - SSODL: msvcrt64.dll - {F30A199C-D9FA-4BF2-A1CD-884496D6B37A} - msvcrt64.dll (file missing)
O21 - SSODL: qwcAPoEOH - {88A3976B-2209-3DC1-9913-0BC68DE7CE87} - C:\WINDOWS\System32\tqp.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\YmlnIGJveg\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qbppbeb.exe (file missing)

shelf life
2006-11-04, 01:34
Hi strocket,

You forgot to do the online AV scan. It may take a while to do all this.

Read through this thread; in fact, copy/paste it into Notepad and save it somewhere like your desktop so you can find it later. The thread is the directions to follow for the SmitfraudFix. Some of the fix requires you to be in safe mode. Looks like all you need to download is the SmitfraudFix itself; the rest you have. You might want to copy/paste this reply to Notepad also, because we will be using HJT in safe mode after the SmitfraudFix.

The thread to read and copy/paste for the SmitfraudFix:
http://forums.spybot.info/showthread.php?t=4015
------------------------------------------------------------------------------------
First >> follow the directions in the thread for the SmitfraudFix.
After step 10 --->instead of rebooting, still in safe mode<--- do this:

(Copy/paste this to Notepad also so you can read it in safe mode.)
Start HJT:
Scan with HJT, put a checkmark beside the items below, close all windows and click Fix Checked. (If you can't find some of these after doing the above, don't worry about it.)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://unimax.us/clickpps.php
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\fljut.exe
F3 - REG:win.ini: run=,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pgqxeid.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - blank (file missing)
O4 - HKLM\..\Run: [ntwitb] C:\WINDOWS\system32\ocsqtd.exe reg_run

O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [anotherap2] C:\WINDOWS\mmpopoct.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\testtestt.exe

O4 - HKLM\..\Run: [gaykkun.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gaykkun.dll,tttgsvf

O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [adir] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKLM\..\Run: [hdlpscom] netgzygt.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\testtestt.exe
O4 - HKLM\..\RunServices: [hdlpscom] netgzygt.exe
O4 - HKCU\..\Run: [kpeju] C:\WINDOWS\system32\ocsqtd.exe reg_run
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\17360818.exe
O4 - HKCU\..\Run: [Winsty] C:\WINDOWS\loader429097.exe
O4 - Global Startup: fkpuucvm.t
O4 - Global Startup: gjera.exe
O4 - Global Startup: tncqgurm.t

O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - C:\Program Files\Batty2\Batty2.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O21 - SSODL: msvcrt64.dll - {F30A199C-D9FA-4BF2-A1CD-884496D6B37A} - msvcrt64.dll (file missing)
O21 - SSODL: qwcAPoEOH - {88A3976B-2209-3DC1-9913-0BC68DE7CE87} - C:\WINDOWS\System32\tqp.dll (file missing)

Still in safe mode, do this:
Start > Run: type services.msc in the window.
In the list that comes up, under the Name column look for >>> Command Service (cmdService) and Windows Overlay Components.

For each one do this:
Right-click on it and select Properties. Under the General tab:
make sure that the Service status is: Stopped
and the Startup type is: Disabled
------------------------------------------------
Still in safe mode, we will look for and delete some files, but first do this to show all files:

For XP: on the desktop double-click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files", also UNcheck "Hide extensions for known file types", click Apply to All Folders, Apply, then OK.

Now, using Explorer, see if you can find and delete just these files in their dir:
If you can't find any, don't worry.


In the C:\WINDOWS dir look for these to delete:
Duce6.exe
taskdir.exe
loader429097.exe

In the C:\WINDOWS\SYSTEM32 dir look for these to delete:
ocsqtd.exe
fljut.exe
testtestt.exe
spoolsvv.exe
adirss.exe
wservice.exe
taskdir.exe

Last thing in safe mode: look for these in the Add/Remove Programs panel and uninstall if present:

webHancer
DeluxeCommunications
----------------------------------------------------------------------------
After all the above, please reboot the computer normally. First stop is here, for an online scan:


Kaspersky virus scanner
http://www.kaspersky.com/virusscanner


Click on the Kaspersky Online Scanner button and accept the statement.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

* The program will launch and then begin downloading the latest definition files:(may take awhile to complete)
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
>Extended (if available otherwise Standard)
o Scan Options:
>Scan Archives
>Scan Mail Bases
* Click OK
* Now under select a target to scan:
Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
---------------------------------------------------
Next stop is here:

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

So in your next reply please post: 1) a new scan done with HJT after doing all the above,
2) the ComboFix log.

-------------------------------------------------------
How long have you been without antivirus? Do you need a free one?
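
The checklist above is exactly the kind of thing that can be turned into code. The following is an added example for this thread, not code from HijackThis, the helper or the Spybot forum: a small triage script that reads HJT 1.99.1 log lines and flags the patterns singled out in the posts above (programs appended to Shell= and UserInit=, Run entries launched from Temp or with no path at all, the RunServices key, a text/html MIME filter, AppInit_DLLs, and SSODL or service entries with a missing file or unknown owner). The rule that a home PC's proxy/PAC host should be a parseable private IP is this example's own heuristic, not something the helper stated; note that both addresses in the log (109.354.0.142 and 196.162.0.458) have an octet above 255 and are not valid IPv4 addresses at all. The sample log is constructed from lines copied from the logs in this thread.

```python
"""Triage a HijackThis 1.99.1 log for the hijack patterns seen in this thread.

Added example for this thread; not code from HijackThis or the Spybot forum.
It codifies the checks the helper applied by eye: programs appended to
Shell= / UserInit=, proxies whose host cannot even be parsed, Run entries
launched from Temp or with no path, text/html MIME filters, AppInit_DLLs,
and orphaned SSODL or service entries.  The private-IP proxy rule is ours.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")

# Constructed sample: lines copied from the logs in this thread (NvCplDaemon and NVSvc are legitimate).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 109.354.0.142
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=196.162.0.458:3
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\fljut.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pgqxeid.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [hdlpscom] netgzygt.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels8.exe
O4 - Global Startup: gjera.exe
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - C:\Program Files\Batty2\Batty2.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O21 - SSODL: qwcAPoEOH - {88A3976B-2209-3DC1-9913-0BC68DE7CE87} - C:\WINDOWS\System32\tqp.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qbppbeb.exe (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _extra_entries(body: str, key: str) -> list[str]:
    """Entries after the first one in a comma-separated 'key=a,b,c' value."""
    parts = body.split(key, 1)[1].split(",")
    return [p.strip() for p in parts[1:] if p.strip()]


def proxy_host(value: str) -> str:
    """Host part of an HJT ProxyServer ('http=host:port') or AutoConfigURL value."""
    value = re.sub(r"^\w+://", "", value.strip())  # drop a URL scheme
    value = value.split("/", 1)[0]                  # drop any URL path
    value = value.split("=")[-1]                    # drop an 'http=' style prefix
    return value.split(":")[0].strip()              # drop the port


def proxy_is_plausible(value: str) -> bool:
    """Heuristic (ours): a home PC's proxy/PAC host should be a parseable private IP."""
    try:
        return ipaddress.ip_address(proxy_host(value)).is_private
    except ValueError:  # e.g. an octet above 255, as in this thread
        return False


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious HJT line, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.groups()
        reason = None
        if sec == "F2" and ("Shell=" in body or "UserInit=" in body):
            key = "Shell=" if "Shell=" in body else "UserInit="
            extra = _extra_entries(body, key)
            if extra:  # anything beyond Explorer.exe / userinit.exe is hostile
                reason = f"{key} also runs: " + ", ".join(extra)
        elif sec == "R1" and ("ProxyServer" in body or "AutoConfigURL" in body):
            value = body.split("=", 1)[1]
            if not proxy_is_plausible(value):
                reason = f"proxy/PAC points at implausible host {proxy_host(value)!r}"
        elif sec == "O4":
            target = (body.split("]", 1)[1] if "]" in body else body.split(":", 1)[1]).strip()
            if "RunServices" in body:
                reason = "RunServices is a Win9x-era autostart key; unusual on XP"
            elif re.search(r"\\temp\\", target, re.IGNORECASE):
                reason = "autostart launched from a Temp directory"
            elif "\\" not in target and ".lnk" not in target.lower():
                reason = "autostart with no path; found via the executable search order"
        elif sec == "O18" and "text/html" in body:
            reason = "MIME filter on text/html: every page IE renders passes through this DLL"
        elif sec == "O20":
            reason = "AppInit_DLLs loads this DLL into every process that maps user32.dll"
        elif sec == "O21" and ("(no file)" in body or "(file missing)" in body):
            reason = "orphaned ShellServiceObjectDelayLoad entry"
        elif sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            reason = "service with no vendor string or a missing binary"
        if reason:
            findings.append(Finding(sec, reason, raw.strip()))
    return findings
```

Calling triage(SAMPLE_LOG) returns twelve findings and leaves the NvCplDaemon and NVSvc lines alone. The script deliberately stops at reporting: on a box like this one, where Shell= and UserInit= have been hijacked, deleting the autostart value before the file is removed (or the other way round) just lets the partner component put it back, which is why the helper's sequence is fix with HJT in safe mode, delete the files, then rescan.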

strocket
2006-11-06, 20:19
Shelf Life... I'm sorry it has taken so long for me to reply. I'm having a bigger problem now. Something has prevented me from entering safe mode. Once I'm in safe mode it freezes and I can't do anything. I tried using my drive as a slave and running the procedure you gave me on another computer, but the other computer I have is a Compaq and it won't allow me to use another drive.

shelf life
2006-11-07, 01:15
Hi strocket,

No problem.
The fixes would be best in safe mode, but if that's not possible we can do them in normal mode, hopefully cleaning it up some if malware is the cause of the safe mode problem.

Were you able to download the needed apps to run on the computer? Doesn't sound like it if you took the drive out.

I would use this computer as little as possible (connected to the internet, that is). In fact I would pull the Ethernet cable out of the NIC in the back, or at the other end if you have a router.

How about using the other computer (Compaq) to download and burn stuff to CD, then transfer it over to the other computer, or a USB flash drive for transfer of files from one to the other? Is that possible?

Must be another problem with the Compaq not seeing the slave drive; all computers should be able to use more than a single drive. Check Device Manager to see if it's listed, or the BIOS for detection of the slave HD.

The other app for the fix is Dr.Web; just download it to your desktop for now:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Let me know if you manage to get the files downloaded one way or another, then we will proceed. We can try the fixes in "normal" mode. We could also manually try to delete some files and use HJT to help clean the drive up some.

shelf life

strocket
2006-11-08, 04:43
OK, I'm up and running again. Here is my most recent HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:43:03 PM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\aspi549711.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://unimax.us/clickpps.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 109.354.0.142
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=196.162.0.458:3
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\fljut.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pgqxeid.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ntwitb] C:\WINDOWS\system32\ocsqtd.exe reg_run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [anotherap2] C:\WINDOWS\mmpopoct.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [gaykkun.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gaykkun.dll,tttgsvf
O4 - HKLM\..\Run: [adir] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKLM\..\Run: [hdlpscom] netgzygt.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [ms0644790-20025] C:\WINDOWS\ms0644790-20025.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] C:\WINDOWS\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [hdlpscom] netgzygt.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] C:\WINDOWS\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [kpeju] C:\WINDOWS\system32\ocsqtd.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [Winsty] C:\WINDOWS\loader429097.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] C:\WINDOWS\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [Winstz] C:\WINDOWS\loader1760671.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1A1701686.exe
O4 - Startup: Microsoft Find Fast.lnk.disabled
O4 - Startup: Office Startup.lnk.disabled
O4 - Startup: Privoxy.lnk.disabled
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: fkpuucvm.t
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
O4 - Global Startup: tncqgurm.t
O4 - Global Startup: vrstehkd.t
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162193441020
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sysprotect.com/scanner/pages/scanner/SysProtectScannerInstall.cab
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - C:\Program Files\Batty2\Batty2.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O21 - SSODL: msvcrt64.dll - {F30A199C-D9FA-4BF2-A1CD-884496D6B37A} - msvcrt64.dll (file missing)
O21 - SSODL: qwcAPoEOH - {88A3976B-2209-3DC1-9913-0BC68DE7CE87} - C:\WINDOWS\System32\tqp.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi549711.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)

shelf life
2006-11-09, 03:15
Hi strocket,

How long have you been without antivirus software?

I would seriously consider reformatting your hard drive.

First we will use HJT, then go do two online scans. Get a free resident antivirus app and run some scans in safe mode.

First, please disable the AVG Anti-Spyware guard, if running, by clicking and disabling it from the icon by the clock.
---------------------------------------------------------
Scan with HJT, put a checkmark beside the items below, close all windows and click Fix Checked.

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll (file missing)

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\fljut.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pgqxeid.exe

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ntwitb] C:\WINDOWS\system32\ocsqtd.exe reg_run
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fred.exe

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O4 - HKLM\..\Run: [anotherap2] C:\WINDOWS\mmpopoct.exe

O4 - HKLM\..\Run: [gaykkun.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gaykkun.dll,tttgsvf

O4 - HKLM\..\Run: [adir] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKLM\..\Run: [hdlpscom] netgzygt.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [ms0644790-20025] C:\WINDOWS\ms0644790-20025.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] C:\WINDOWS\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [hdlpscom] netgzygt.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] C:\WINDOWS\system32\_mzu_stonedrv3.exe
O4 - Global Startup: fkpuucvm.t
O4 - Global Startup: tncqgurm.t
O4 - Global Startup: vrstehkd.t
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
------------------------------------------------
First stop:
Panda ActiveScan

http://www.pandasoftware.com/products/activescan.htm

* click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country if not already posted
* Enter your State or Province
* Enter your e-mail address and click send
* Select either Home User or Company
* Click the big Scan Now button
* If prompted to install an ActiveX component-- allow it
* It will start downloading files it needs for the scan
* When download is complete, click on My Computer icon to start scan
* When the scan completes, if anything malicious is found, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report in your reply.
----------------------------------------------------------------------------------------------
2nd stop:

Kaspersky virus scanner
http://www.kaspersky.com/virusscanner


Click on the Kaspersky Online Scanner button and accept the statement.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

* The program will launch and then begin downloading the latest definition files:(may take awhile to complete)
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
>Extended (if available otherwise Standard)
o Scan Options:
>Scan Archives
>Scan Mail Bases
* Click OK
* Now under select a target to scan:
Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
o Now click on the Save as Text button:
* Save the file to your desktop.

------------------------------------------------------------
3rd stop:
Download AVG Antivirus, install and update, but don't scan yet. If you can get into safe mode, please scan with AVG Antivirus and AVG anti-malware. If you can't get into safe mode, do them in normal mode.

AVG Antivirus:
http://free.grisoft.com/softw/70free/setup/avg75free_430a828.exe
------------------------------------------------------------
Please post the saved Panda ActiveScan and a new HJT log. More to do.

shelf life

tashi
2006-11-19, 18:57
strocket, this topic is closed due to lack of a response.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.