
Computer is acting up!


5 replies to this topic

#1 meyer

meyer

    Member

  • New Member
  • 4 posts

Posted 21 May 2004 - 12:37 AM

Here is my log, I am not sure what is all on this computer. Thanks very much for your help!!!!!

Logfile of HijackThis v1.97.7
Scan saved at 12:39:14 AM, on 5/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\main\LOCALS~1\Temp\~f39a36.tmp
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\main\Desktop\Virus Stuff\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://defaultsearch...com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://defaultsearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 5377608764 greg-search.com
O1 - Hosts: 5377608764 www.greg-search.com
O1 - Hosts: 5377608764 drxcounter.biz
O1 - Hosts: 5377608764 muxa.cc
O1 - Hosts: 5377608764 www.muxa.cc
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [sounddrv] C:\WINDOWS\system32\sndbdrv3104.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7885.9754166667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 meyer


Posted 25 May 2004 - 02:10 PM

Could someone tell me if I have posted this log in the correct forum. I am not sure where I am supposed to post it. If it is the correct place then I apologize and disregard this message. I know there are a lot of replies to get to. Otherwise, if you could tell me where to post it or move it for me and tell me where it is. Once again sorry if I am where I need to be. Thanks for your help!!!!

#3 Budfred

Budfred

    Malware Hound

  • Administrators
  • 21,305 posts

Posted 26 May 2004 - 06:25 PM

You have a couple of difficult infections. We will start with CWShredder... Please download CWShredder from the links in the bottom of my post. Set it up and open it. Close your browsers and choose FIX.

Next please download and run AdAware and Spybot. Install them, update them and run them. Fix all items found by AdAware and the items Checked in RED with Spybot. AdAware may say it couldn't fix one file. Please write down the name and any other info about that file, then let AdAware try to fix it. Reboot between each scan.

Reboot again, run HJT and post a fresh log....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#4 meyer


Posted 27 May 2004 - 12:37 AM

Alright, I have run both Spybot and AdAware and fixed all found problems. There were not any that couldn't be fixed except for Spybot needed to reboot and ran again. Here is my new log and thank you very much for your help!!!!!!!!!!

Logfile of HijackThis v1.97.7
Scan saved at 12:34:30 AM, on 5/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\main\Desktop\Virus Stuff\HJT\HijackThis.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://defaultsearch...com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://defaultsearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 5377608764 greg-search.com
O1 - Hosts: 5377608764 www.greg-search.com
O1 - Hosts: 5377608764 drxcounter.biz
O1 - Hosts: 5377608764 muxa.cc
O1 - Hosts: 5377608764 www.muxa.cc
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7885.9754166667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#5 meyer


Posted 27 May 2004 - 12:38 AM

Oh, and CWS did not find anything. Thanks

#6 Budfred


Posted 27 May 2004 - 06:01 PM

You have some CWS items, but we can try fixing them manually if CWShredder didn't fix them... We may end up having to dig deeper, but we'll try these first.

Before using HJT, it would be a good idea to move it to a permanent folder like C:/HJT (you will have to create one). It will make backups and they will end up all over your Desktop if you keep it where it is....

Close all open windows and browsers, open HJT and mark/fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://defaultsearch...com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://defaultsearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 5377608764 greg-search.com
O1 - Hosts: 5377608764 www.greg-search.com
O1 - Hosts: 5377608764 drxcounter.biz
O1 - Hosts: 5377608764 muxa.cc
O1 - Hosts: 5377608764 www.muxa.cc
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot

Then reboot into Safe Mode and find/remove this folder (in bold). It will actually say more than it says here, it is shortened by HJT, but it should be the only folder that begins this way:

C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe

Then reboot and update your WinXP to SP1 with critical updates to patch vulnerabilities to a whole bunch of worms and viruses... Reboot again, run HJT and post a fresh log here....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
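
The check behind "fix these entries, reboot, post a fresh log" can be done mechanically by comparing the entry lines of two scans. The Python below is an added example, not part of this thread or of HijackThis; the function names are hypothetical, and the sample data are shortened excerpts of the two logs and the fix list posted above.

```python
import re

# A HijackThis entry line is "<section code> - <detail>", e.g. "O1 - Hosts: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*\S)\s*$")

def parse_entries(log_text):
    """Return the set of (code, detail) entries; header and process lines are skipped."""
    found = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            found.add((m.group(1), m.group(2)))
    return found

def compare(before, after):
    """Split entries into those removed, added and persisting between two scans."""
    b, a = parse_entries(before), parse_entries(after)
    return {"removed": sorted(b - a), "added": sorted(a - b), "persisting": sorted(b & a)}

def still_present(fix_list, fresh_log):
    """Entries marked for fixing that a fresh scan still reports."""
    return sorted(parse_entries(fix_list) & parse_entries(fresh_log))

# Excerpts copied from the 21 May and 27 May logs in this thread (shortened).
COMMON = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://defaultsearching.com
O1 - Hosts: 5377608764 muxa.cc
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
"""
SEARCH_ASSISTANT = r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank"
LOG_21_MAY = "Running processes:\nC:\\WINDOWS\\Explorer.EXE\n" + COMMON + \
    r"O4 - HKCU\..\RunOnce: [sounddrv] C:\WINDOWS\system32\sndbdrv3104.exe"
LOG_27_MAY = "Running processes:\nC:\\WINDOWS\\Explorer.EXE\n" + SEARCH_ASSISTANT + COMMON
FIX_LIST = SEARCH_ASSISTANT + COMMON   # the matching lines from post #6

if __name__ == "__main__":
    delta = compare(LOG_21_MAY, LOG_27_MAY)
    for kind in ("removed", "added", "persisting"):
        for code, detail in delta[kind]:
            print(f"{kind:10} {code:3} {detail}")
    print("still to fix:", len(still_present(FIX_LIST, LOG_27_MAY)))
```

Run against the next fresh log, `still_present` returning an empty list means every entry from the fix list is gone; entries that persist outside the fix list are not judged either way.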



