I need help
trishajoy (Junior Member), 31. March 2007 @ 13:12
I was on Paltalk the other day and a popup came up. It slowed my comp. down and started something downloading, and NOD32 came up and told me it was a possible virus or some other... anyway, I picked scan for analysis and delete. Well, it must have caught it too late, because I was getting a message that my comp. was infected, and so I ran the NOD32 scan and clean. It found one... deleted it.
Well, the next morning I go to turn on my comp. and a message pops up telling me that the DCOM launch service unexpectedly quit, and then it counts down to shut off my comp. What is this?
I found my way around this by going in through starting up my comp. in last known working phase. It still came up, but I was able to quickly pick selective start in my msconfig, and I can get up and going on my selective startup, which is very selective... I have no sound and don't know what to do to help things get back to good. I have run NOD32 again; it finds nothing.... sigh!
I have run Ad-Aware and it found plenty and deleted them, but still here I am.... in this selective start because of that shut off box that comes up. Please, please help me figure out how to fix this.
KotaGuy (Member), 31. March 2007 @ 17:17
Download HijackThis.

Run the program. Click the Do a System Scan and save the logfile button.

Copy/paste the contents of the log in your next reply.

Thanks.
trishajoy (Junior Member), 31. March 2007 @ 18:18
Here it is....
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Trisha\Local Settings\Temporary Internet Files\Content.IE5\K5EHQZ2F\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\program files\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FormAutoFill] C:\Program Files\FormAutoFill\faf.exe
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://echat.qwest.supportsoft.com/sdcco...ad/tgctlins.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {B9940246-4344-4D1B-BD82-DBAF7E657FF9} (AudioClient Control) - http://mtstandard.serveftp.net:19141/SysCamInst.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
KotaGuy (Member), 31. March 2007 @ 18:26
OK... that isn't showing me much.

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Now click the Run Scan button on the toolbar.
- The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
- When the scan is complete, Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Word Wrap is not checked. If it is, then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
trishajoy (Junior Member), 31. March 2007 @ 19:00
It's not responding... I have tried it 3 times.
KotaGuy (Member), 31. March 2007 @ 19:25
How long have you let it run for... the scan could take a while to complete depending on how much data it needs to go through.
trishajoy (Junior Member), 31. March 2007 @ 19:33
Well, I let it run for a while and it says that it's not responding on its own.
KotaGuy (Member), 31. March 2007 @ 20:00
OK... don't worry about it for now then.

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

- The program will launch and then begin downloading the latest definition files.
- Once the files have been downloaded, click on NEXT.
- Now click on Scan Settings.
- In the scan settings, make sure that the following are selected:
  - Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
  - Scan Options: Scan Archives, Scan Mail Bases
- Click OK.
- Now under Select a target to scan, select My Computer.
- The program will start and scan your system.
- The scan will take a while, so be patient and let it run.
- Once the scan is complete, it will display if your system has been infected.
- Now click on the Save as Text button.
- Save the file to your desktop.

Copy/paste the contents of the file in your next reply.
trishajoy (Junior Member), 1. April 2007 @ 10:14
Here it is:
KASPERSKY ONLINE SCANNER REPORT
Sunday, April 01, 2007 12:09:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 1/04/2007
Kaspersky Anti-Virus database records: 289733
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 22765
Number of viruses found: 16
Number of infected objects: 24 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:00:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Trisha\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Trisha\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Trisha\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Trisha\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Trisha\Local Settings\Temp\IH391.tmp Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Documents and Settings\Trisha\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Trisha\ntuser.dat Object is locked skipped
C:\Documents and Settings\Trisha\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Eset\cache\CACHE.NDB Object is locked skipped
C:\Program Files\Eset\cache\FND0.NFI Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Eset\cache\FND1.NFI Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Eset\cache\FND2.NFI Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Program Files\Eset\cache\FND4.NFI Infected: Trojan.Win32.Pakes skipped
C:\Program Files\Eset\cache\FND5.NFI Infected: Trojan-Downloader.Win32.Small.cwj skipped
C:\Program Files\Eset\infected\4SYDRKAA.NQF Infected: Packed.Win32.PePatch.dw skipped
C:\Program Files\Eset\infected\5ZP3VACA.NQF Infected: Trojan-Downloader.Win32.Murlo.ew skipped
C:\Program Files\Eset\infected\DLFXRMAA.NQF Infected: Email-Worm.Win32.Zhelatin.bz skipped
C:\Program Files\Eset\infected\JTDO3YBA.NQF Infected: Trojan-Downloader.Win32.Murlo.eq skipped
C:\Program Files\Eset\infected\SAOFZNCA.NQF Infected: Trojan-Downloader.Win32.Small.cwj skipped
C:\Program Files\Eset\infected\UM34RQCA.NQF Infected: Trojan-Downloader.Win32.Agent.ip skipped
C:\Program Files\Eset\infected\WHZHZSDA.NQF Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Eset\infected\X3EA4PBA.NQF Infected: P2P-Worm.Win32.VB.dw skipped
C:\Program Files\Eset\infected\XIVO4TDA.NQF Infected: not-a-virus:AdWare.Win32.180Solutions.as skipped
C:\Program Files\Eset\logs\virlog.dat Object is locked skipped
C:\Program Files\Eset\logs\warnlog.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\install[1].exe Infected: Trojan-Clicker.Win32.Costrat.aj skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\out[1].exe Infected: Trojan.Win32.Agent.aie skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NY69X70U\mb3[1].exe Infected: Backdoor.Win32.Small.oa skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NY69X70U\one-1036-5[1].exe Infected: Trojan-Proxy.Win32.Agent.mh skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TNVAGG17\CA7LBHA1.htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TNVAGG17\CAIVOLUZ.htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TNVAGG17\CAKXYZ4P.htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TNVAGG17\CAS5IROL.htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TNVAGG17\CAUVM7CD.htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TNVAGG17\CAW36VQN.htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WDDESD7Q\install[1].exe Infected: Trojan-Clicker.Win32.Costrat.aj skipped
C:\WINDOWS\SYSTEM32\setldr.dll Object is locked skipped
C:\WINDOWS\SYSTEM32\Vnt9.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\WINDOWS\SYSTEM32\winctl.exe Infected: Trojan.Win32.Agent.aie skipped
C:\WINDOWS\TEMP\283.tmp Infected: Trojan-Clicker.Win32.Costrat.aj skipped
C:\WINDOWS\TEMP\E64.tmp Infected: Backdoor.Win32.Small.oa skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
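The report above has a fixed row format, and the figure a helper actually wants from it is how many of the "Infected" rows are files still at a live location versus copies that another scanner had already put into its own quarantine. The parser below is an added example, not code from the thread or from Kaspersky; SAMPLE_REPORT is a constructed cut of the posted report, and treating Program Files\Eset\infected and Program Files\Eset\cache as NOD32's quarantine and cache folders is an assumption.

```python
# Added example: a parser for the Kaspersky Online Scanner v5 report format
# posted above. SAMPLE_REPORT is a constructed cut of that report; treating
# Program Files\Eset\infected and \cache as NOD32's own quarantine and cache
# folders is an assumption, not something the scanner reports.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_REPORT = r"""KASPERSKY ONLINE SCANNER REPORT

Scan Statistics:
Number of viruses found: 6
Number of infected objects: 7 / 0

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Trisha\ntuser.dat Object is locked skipped
C:\Documents and Settings\Trisha\Local Settings\Temp\IH391.tmp Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Program Files\Eset\cache\FND0.NFI Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\Eset\cache\FND2.NFI Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Program Files\Eset\infected\5ZP3VACA.NQF Infected: Trojan-Downloader.Win32.Murlo.ew skipped
C:\WINDOWS\SYSTEM32\Vnt9.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\WINDOWS\SYSTEM32\winctl.exe Infected: Trojan.Win32.Agent.aie skipped
C:\WINDOWS\TEMP\283.tmp Infected: Trojan-Clicker.Win32.Costrat.aj skipped

Scan process completed.
"""

# A table row is "<path> <status> <last action>". Paths contain spaces, so the
# path is matched lazily and the status keyword anchors the split.
ROW_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:(?P<locked>Object is locked)|Infected: (?P<infected>\S+)"
    r"|Suspicious: (?P<suspicious>\S+))\s+(?P<action>\S+)$"
)
VIRUSES_RE = re.compile(r"^Number of viruses found: (\d+)$")
OBJECTS_RE = re.compile(r"^Number of infected objects: (\d+) / (\d+)$")

# Assumed NOD32 v2 quarantine and cache locations, compared case-insensitively.
QUARANTINE_MARKERS = ("\\eset\\infected\\", "\\eset\\cache\\")


@dataclass(frozen=True)
class Finding:
    path: str
    status: str               # "locked", "infected" or "suspicious"
    detection: Optional[str]  # detection name; None for locked objects
    action: str               # scanner's last action, e.g. "skipped"


def parse_report(text: str) -> List[Finding]:
    """Return one Finding per row of the object table; other lines are ignored."""
    findings: List[Finding] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_table = True
            continue
        if not in_table or not line:
            continue
        if line.startswith("Scan process completed"):
            break
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed report row: {line!r}")
        if m.group("locked"):
            status, detection = "locked", None
        elif m.group("infected"):
            status, detection = "infected", m.group("infected")
        else:
            status, detection = "suspicious", m.group("suspicious")
        findings.append(Finding(m.group("path"), status, detection, m.group("action")))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Separate locked-file noise from detections, and detections that are only
    another scanner's quarantined copies from files still at a live location."""
    infected = [f for f in findings if f.status == "infected"]
    live = [f for f in infected
            if not any(marker in f.path.lower() for marker in QUARANTINE_MARKERS)]
    return {
        "locked": sum(1 for f in findings if f.status == "locked"),
        "infected": len(infected),
        "live_infected": len(live),
        "live_paths": [f.path for f in live],
        "families": Counter(f.detection for f in infected),
    }


def totals_match(text: str) -> bool:
    """Cross-check the header statistics: 'viruses found' is the number of distinct
    detection names, 'infected objects' the number of infected rows."""
    viruses = objects = None
    for line in text.splitlines():
        if m := VIRUSES_RE.match(line.strip()):
            viruses = int(m.group(1))
        elif m := OBJECTS_RE.match(line.strip()):
            objects = int(m.group(1))
    summary = summarize(parse_report(text))
    return viruses == len(summary["families"]) and objects == summary["infected"]
```

On the full report posted above the same cross-check holds: 16 distinct detection names and 24 infected rows, of which 14 are inside the Eset folders.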
KotaGuy (Member), 1. April 2007 @ 11:14
I will be giving you a bit to do here... so go through the steps slowly and accurately please.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Don't run it yet.

Download AVG Anti-Spyware to your Desktop or to your usual Download Folder.

- Install AVG Anti-Spyware by double clicking the installer.
- Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
- On the main screen, under Your Computer's security:
  - Click on Change state next to Resident shield. It should now change to inactive.
  - Click on Change state next to Automatic updates. It should now change to inactive.
  - Next to Last Update, click on Update now. (You will need an active internet connection to perform this.)
  - Wait until you see the Update successful message.
- Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Don't scan with it yet.

Download Gmer and unzip it to your Desktop. Don't scan with it yet.

Download FindAWF and save it to your Desktop. Don't scan with it yet.

Print the rest of these instructions out for reference as you will be booting into Safe Mode and will be unable to access this site.

Reboot your computer in Safe Mode.

- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe Mode.
- Log in on your usual account.

To enable the viewing of hidden files, follow these steps:

- Close all programs so that you are at your desktop.
- Double-click on the My Computer icon (or click Start, then select My Computer).
- Select the Tools menu and click Folder Options.
- After the new window appears, select the View tab.
- Put a checkmark in the checkbox labeled Display the contents of system folders.
- Under the Hidden files and folders section, select the radio button labeled Show hidden files and folders.
- Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
- Remove the checkmark from the checkbox labeled Hide protected operating system files.
- Press the Apply button and then the OK button, and shut down My Computer.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

- Click on Scanner on the toolbar.
- Click on the Settings tab.
  - Under How to act?, click on Recommended Action and choose Quarantine from the popup menu.
  - Under How to scan?, all checkboxes should be ticked.
  - Under Possibly unwanted software, all checkboxes should be ticked.
  - Under Reports, select Automatically generate report after every scan and uncheck Only if threats were found.
  - Under What to scan?, select Scan every file.
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.

IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.

- Make sure that Set all elements to: shows Quarantine (1); if not, click on the link and choose Quarantine from the popup menu (2).
- At the bottom of the window, click on the Apply all Actions button (3).
- When done, click the Save Scan Report button (4).
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot Windows normally.

Double click FindAWF.exe to run it. It will produce a logfile... save it to your Desktop.

And finally... disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... say OK.
If no warning....
Click the rootkit tab
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

Click the >>> tab. This will open up all available tabs for you.
Click the Autostart tab, then the Scan button. Once it's done, click the Copy button and paste it into a new Notepad document. Save that document to your desktop please.

Once done post the AVG log, the FindAWF log and the Gmer logs in your next reply.

Thanks
trishajoy (Junior Member), 1. April 2007 @ 13:01
Well, I went and got all the stuff ready to run as you instructed, but when I go to reboot in safe mode, that stupid "DCOM server process launcher service terminated unexpectedly" comes up and counts down to close my comp off. So now what??
trishajoy (Junior Member), 1. April 2007 @ 13:04
I meant that it counts down to shut off my comp.
KotaGuy (Member), 1. April 2007 @ 15:26
OK... do the scans while Windows is booted normally then.

trishajoy (Junior Member), 1. April 2007 @ 15:30
Should I still uncheck the hidden files and such... just follow it all the way through as you typed up above?
KotaGuy (Member), 1. April 2007 @ 16:06
Yes please... except for the booting to Safe Mode part ;)
trishajoy (Junior Member), 1. April 2007 @ 17:32
Ok, I've done everything up until the running of the gmer.exe. I tried that, but it shut off my comp. I had no windows up and I disconnected from the internet... it still shut me down.
KotaGuy (Member), 1. April 2007 @ 18:24
OK... can you post the AVG and FindAWF logs, along with a new HijackThis log please?
trishajoy (Junior Member), 1. April 2007 @ 18:41
The Hijack log I had posted before? Ok, if so, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 9:17:19 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Trisha\Local Settings\Temporary Internet Files\Content.IE5\K5EHQZ2F\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\program files\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FormAutoFill] C:\Program Files\FormAutoFill\faf.exe
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://echat.qwest.supportsoft.com/sdcco...ad/tgctlins.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {B9940246-4344-4D1B-BD82-DBAF7E657FF9} (AudioClient Control) - http://mtstandard.serveftp.net:19141/SysCamInst.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

_____________________________________________________________________

Here is the AVG log:
------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:16:17 PM 4/1/2007

+ Scan result:



C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NY69X70U\mb3[1].exe -> Backdoor.Small.oa : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\install[1].exe -> Hijacker.Costrat.aj : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WDDESD7Q\install[1].exe -> Hijacker.Costrat.aj : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NY69X70U\one-1036-5[1].exe -> Proxy.Agent.mh : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\Vnt9.sys -> Rootkit.Agent.ea : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\out[1].exe -> Trojan.Agent.aie : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\winctl.exe -> Trojan.Agent.aie : Cleaned with backup (quarantined).
F:\Program Files\nods\NOD32.exe -> Trojan.Crack.h : Cleaned with backup (quarantined).


::Report end
_____________________________________________________________________
Now here is the FindAWF log

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
KotaGuy (Member), 1. April 2007 @ 18:59
Did you run ATFCleaner before the scans as instructed?

And I wanted a new HijackThis log... not the same one you posted before.

Also... are you using a cracked version of NOD32?

F:\Program Files\nods\NOD32.exe -> Trojan.Crack.h : Cleaned with backup (quarantined)
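A fresh log is asked for here because what matters is the difference between it and the one already posted. The parser and differ below are an added example, not code from the thread or from HijackThis; OLD_LOG and NEW_LOG are constructed cuts of the v1.99.1 log reposted above and the v2.0.0 log in the reply that follows, and the entry grammar they rely on (section code, hive, bracketed Run value name, optional "(User '...')" suffix) is taken from those logs.

```python
# Added example: parse HijackThis logs of the shape posted in this thread and
# diff two of them, the way a helper checks "what changed" between the log the
# poster had already posted and a fresh one. OLD_LOG and NEW_LOG are constructed
# cuts of the v1.99.1 and v2.0.0 logs in the thread, not the full logs.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:17:19 PM, on 3/31/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Eset\nod32krn.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKCU\..\Run: [FormAutoFill] C:\Program Files\FormAutoFill\faf.exe
O16 - DPF: {B9940246-4344-4D1B-BD82-DBAF7E657FF9} (AudioClient Control) - http://mtstandard.serveftp.net:19141/SysCamInst.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

NEW_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:18:36 PM, on 4/1/2007
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKCU\..\Run: [FormAutoFill] C:\Program Files\FormAutoFill\faf.exe
O4 - HKUS\S-1-5-21-2052111302-1935655697-1343024091-1004\..\Run: [FormAutoFill] C:\Program Files\FormAutoFill\faf.exe (User '?')
O16 - DPF: {B9940246-4344-4D1B-BD82-DBAF7E657FF9} (AudioClient Control) - http://mtstandard.serveftp.net:19141/SysCamInst.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# "O4 - ", "R0 - ", "O23 - " ...: section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 body: hive (with an SID for HKUS entries), the Run value name in brackets,
# the command line, and in v2 logs an optional "(User '...')" suffix.
O4_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+)(?:\\(?P<sid>S-[\d-]+))?\\\.\.\\Run: "
    r"\[(?P<name>[^\]]+)\] (?P<command>.+?)(?: \(User '[^']*'\))?$"
)


@dataclass(frozen=True)
class RunEntry:
    hive: str
    sid: Optional[str]
    name: str
    command: str


def parse_log(text: str) -> Dict[str, List[str]]:
    """Group lines by section: running processes under "processes", every
    "Xnn - " line under its code. Header lines (Logfile of, Scan saved) are skipped."""
    sections: Dict[str, List[str]] = {"processes": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False
        elif in_processes:
            sections["processes"].append(line)
        elif m := ENTRY_RE.match(line):
            sections.setdefault(m.group("section"), []).append(m.group("body"))
    return sections


def run_entries(text: str) -> List[RunEntry]:
    """Structured view of the O4 (Run key) entries."""
    entries = []
    for body in parse_log(text).get("O4", []):
        m = O4_RE.match(body)
        if m is None:
            raise ValueError(f"unrecognised O4 entry: {body!r}")
        entries.append(RunEntry(m.group("hive"), m.group("sid"), m.group("name"), m.group("command")))
    return entries


def diff_logs(old: str, new: str) -> Dict[str, List[str]]:
    """Entries present in only one of the two logs, tagged with their section."""
    def flatten(sections: Dict[str, List[str]]) -> List[str]:
        return [f"{sec}: {item}" for sec, items in sections.items() for item in items]
    before, after = flatten(parse_log(old)), flatten(parse_log(new))
    old_set, new_set = set(before), set(after)
    return {
        "added": [x for x in after if x not in old_set],
        "removed": [x for x in before if x not in new_set],
    }
```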

trishajoy (Junior Member), 1. April 2007 @ 19:20
Yes, I ran the ATF cleaner. Yes, it's a cracked version. Here is the new Hijack report:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:18:36 PM, on 4/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Trisha\Local Settings\Temporary Internet Files\Content.IE5\W3YHARSX\HiJackThis_v2.0.0.0[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\program files\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FormAutoFill] C:\Program Files\FormAutoFill\faf.exe
O4 - HKUS\S-1-5-21-2052111302-1935655697-1343024091-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2052111302-1935655697-1343024091-1004\..\Run: [FormAutoFill] C:\Program Files\FormAutoFill\faf.exe (User '?')
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://echat.qwest.supportsoft.com/sdcco...ad/tgctlins.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner...can_unicode.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {B9940246-4344-4D1B-BD82-DBAF7E657FF9} (AudioClient Control) - http://mtstandard.serveftp.net:19141/SysCamInst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 5451 bytes
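The log above is plain text with one entry per line, so the first-pass review a helper does by eye (which Run entries launch from odd places, which ActiveX downloads come from odd hosts, which entries point at files that no longer exist) can be scripted. The following is an added example, not code from the thread or from HijackThis itself; the input lines are a constructed sample modelled on the format of the log posted above, and the three heuristics (autostart outside Program Files or Windows, DPF download on a non-standard port, "(file missing)"/"(no file)" references) are assumptions chosen for illustration, not HijackThis's own rules.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 log format. These lines mirror the shape
# of entries quoted in the thread; they are test input, not a real scan.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKCU\..\Run: [FormAutoFill] C:\Program Files\FormAutoFill\faf.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B9940246-4344-4D1B-BD82-DBAF7E657FF9} (AudioClient Control) - http://mtstandard.serveftp.net:19141/SysCamInst.cab
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
"""

# Assumed heuristic: on XP, autostart entries are normally expected under
# these directories; anything else deserves a closer look.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\windows\\")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\} \((?P<name>[^)]*)\) - (?P<src>.*)$")
NAME_RE = re.compile(r"^(?P<section>[OR]\d+) - [^:]+: (?P<name>[^-]+?) - ")


def exe_path(cmd):
    """Pull the executable out of a Run-key command line.

    Quoted paths are taken verbatim; unquoted ones are cut at the first
    '.exe' so paths containing spaces still come out whole. Doubled
    backslashes (as in the D_V_T-style entry) are collapsed to one.
    """
    if cmd.startswith('"'):
        path = cmd[1:cmd.find('"', 1)]
    else:
        m = re.match(r"(?i)^(.*?\.exe)", cmd)
        path = m.group(1) if m else cmd.split()[0]
    return re.sub(r"\\+", r"\\", path).lower()


def triage(log_text):
    """Return a list of findings (section, name, reason) worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            if not path.startswith(EXPECTED_DIRS):
                findings.append({"section": "O4", "name": m.group("name"),
                                 "reason": f"autostart runs from unusual location: {path}"})
            continue

        m = O16_RE.match(line)
        if m:
            src = m.group("src").strip()
            if src.lower().startswith(("http://", "https://")):
                u = urlparse(src)
                if u.port not in (None, 80, 443):
                    findings.append({"section": "O16", "name": m.group("name"),
                                     "reason": f"ActiveX download from non-standard port {u.port} on {u.hostname}"})
            continue

        # Orphaned references: HijackThis marks these itself; they are
        # cleanup candidates rather than evidence of infection.
        if line.endswith("(file missing)") or line.endswith("(no file)"):
            m = NAME_RE.match(line)
            if m:
                findings.append({"section": m.group("section"),
                                 "name": m.group("name").strip(),
                                 "reason": "stale entry: referenced file no longer exists"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['name']:<20} {f['reason']}")
```

Run as-is it lists the D_V_T autostart, the DPF download on port 19141, and the two orphaned entries, and leaves the vendor entries under Program Files alone. The heuristics are deliberately narrow: a flagged line is a prompt to check the file's publisher and hash, not a verdict.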
KotaGuy
Member
1. April 2007 @ 19:33
Uninstall the cracked version of NOD32.

Reboot.

Install a free AntiVirus program... I suggest AVG Free.

Post a new HijackThis log when done.
trishajoy
Junior Member
1. April 2007 @ 19:37
ok, I will do that.
trishajoy
Junior Member
1. April 2007 @ 19:46
Is this AVG different from the one you had me download before? I am sorry to have to ask, but I am pretty comp. stupid. :/
KotaGuy
Member
1. April 2007 @ 19:50
Yes... AVG Free is an AntiVirus program.

The other one I had you download is their AntiSpyware program.

Once you've got the AntiVirus Program installed... make sure it's updated to the newest definition files and do a full System scan with it and let it fix whatever it finds.

Post a new HijackThis log when done.
trishajoy
Junior Member
1. April 2007 @ 20:05
Trying to download it now. I keep having a bit of trouble with that error message that shuts me down. Is there any way to stop that?