Jump to content


Photo

frustrated - please help


  • This topic is locked This topic is locked
3 replies to this topic

#1 ihatecws

ihatecws

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 20 May 2004 - 06:53 PM

help, i've got tons of crap on my logfile i need to get rid of...but worried about trying it myself. Also, a tmp. file ~5151535352.TMP keeps causing an explorer window so message: explorer has caused error in ~5151535352.TMP explorer will now close pops up and messes up cpu. can't search 4 file and delete it 'cause cpu says that file is in use....how do i get rid of it?

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\A.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [bkrdjgvj] C:\WINDOWS\SYSTEM\azovxpag.exe
O4 - HKLM\..\Run: [JAQHXO] C:\WINDOWS\JAQHXO.exe
O4 - HKLM\..\Run: [mbyhutkn] C:\WINDOWS\mbyhutkn.exe
O4 - HKLM\..\Run: [WinProfile] iexpIore.exe
O4 - HKLM\..\Run: [1PK] C:\WINDOWS\TEMP\1PK.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [WinProfile] iexpIore.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7926.3853009259
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downlo...aries/IA/ia.cab

#2 Taz71498

Taz71498

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 225 posts

Posted 21 May 2004 - 12:35 PM

Hello ihatecws,

Let's start with these two things:

Download CWShredder Click on update, then close all browsers, and then click on Fix, not scan.

Next, download Spybot S&D Check for Updates first, download ALL Updates and Do a Scan. When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

Reboot the computer.


Next, with all browsers closed, run Hijackthis again and check these items and then on Fix:

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [bkrdjgvj] C:\WINDOWS\SYSTEM\azovxpag.exe
O4 - HKLM\..\Run: [JAQHXO] C:\WINDOWS\JAQHXO.exe
O4 - HKLM\..\Run: [mbyhutkn] C:\WINDOWS\mbyhutkn.exe
O4 - HKLM\..\Run: [WinProfile] iexpIore.exe
O4 - HKLM\..\Run: [1PK] C:\WINDOWS\TEMP\1PK.EXE
O4 - HKLM\..\RunServices: [WinProfile] iexpIore.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe

O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downlo...aries/IA/ia.cab

Delete the contents of the "temp" folder and completely delete the cache folders.

Open Internet Explorer. Then click on TOOLS in the top toolbar. Click on "Internet Options..." from the drop-down menu.
A new smaller window will display. Under the "General" tab, in the middle, are 3 buttons.
Click the Delete Cookies button - then a small warning box pops up. Click OK.
Click the Delete Files button - a small warning box pops us. Check the box for "Delete all offline content" and click OK.
Then on the same General tab, click Clear History, then click OK.

Reboot the computer into safe mode

Make sure you can view all hidden files and folders

Find and delete these files/folders::(if you don't find them, that is ok)

C:\WINDOWS\SYSTEM\A.EXE
C:\WINDOWS\SYSTEM\azovxpag.exe
C:\WINDOWS\JAQHXO.exe
C:\WINDOWS\mbyhutkn.exe
C:\WINDOWS\TEMP\1PK.EXE
C:\WINDOWS\SYSTEM\msmc.exe
iexpIore.exe (probably in system folder) watch how you type it in. Notice the capital I

Reboot the computer and post a new HJT log here.

#3 ihatecws

ihatecws

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 21 May 2004 - 05:17 PM

many thanks 4 your help:

Logfile of HijackThis v1.97.7
Scan saved at 6:15:11 PM, on 5/21/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TEMP\TD_0004.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7926.3853009259

#4 Taz71498

Taz71498

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 225 posts

Posted 21 May 2004 - 06:56 PM

Your log looks pretty clean. I suggest going to this link to help keep your computer clean:

How did I get infected

Also, go to Windows Update to make sure you have all critical updates.

Happy surfing! :)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button