PLEASE HELP!! - Log File


13 replies to this topic

#1 chrisborgia

chrisborgia

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 07 July 2004 - 03:43 PM

Thank you!

Logfile of HijackThis v1.97.7
Scan saved at 12:00:39 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Dell\EUSW\Support.exe
C:\PROGRA~1\Real\REALPL~1\RealPlay.exe
C:\PROGRA~1\QUICKT~1\qttask.exe
C:\DOCUME~1\CHRISB~1\LOCALS~1\temp\1TWF6R~1.EXE
C:\PROGRA~1\DIGSTR~1\DIGSTR~1.EXE
C:\DOCUME~1\CHRISB~1\LOCALS~1\temp\1TWF6R~1.EXE
C:\WINDOWS\System32\kdlfrm.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\DOCUME~1\CHRISB~1\APPLIC~1\ttuh.exe
C:\PROGRA~1\MPROCE~1\MPROCE~1.EXE
C:\WINDOWS\System32\wkkwt.exe
C:\PROGRA~1\BHODEM~1.0\BHODemon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\amnenk.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris Borgia\My Documents\Chris\hjtlog.exe
c:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {30F04009-E232-0AC4-8751-6D550BA02F19} - C:\WINDOWS\SYSTEM32\bkv.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (disabled by BHODemon)
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [1TWf6rqJM] C:\documents and settings\chris borgia\local settings\temp\1TWf6rqJM.exe
O4 - HKLM\..\Run: [1TWF6R~1] C:\DOCUME~1\CHRISB~1\LOCALS~1\temp\1TWF6R~1.EXE
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Jufta7y.exe
O4 - HKLM\..\Run: [fehajievvd] C:\WINDOWS\System32\kdlfrm.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [xsFO34S] bsekui.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [gBwERQenQ] CAMBCO~1.EXE
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Chris Borgia\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Axnsh] C:\WINDOWS\System32\wkkwt.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2.0\BHODemon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.skoobidoo.com

#2 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 07 July 2004 - 03:44 PM

Please wait while i work on your log :)
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation


#3 RubbeR DuckY

Posted 07 July 2004 - 03:46 PM

First download Ad-Aware 6.0. Install it. Run it and update by hitting the globe in the top right-hand corner and then Connect. When it says "found new reference file", hit OK. Then hit Finished.

Secondly, hit Next and right after that, Scan. The program should scan for files. Once it is done, hit Next. Check the boxes for removal next to all the items in Ad-Aware. Then hit Next to start removal. Restart your computer.


Post a new Hijack This log.

#4 chrisborgia

Posted 07 July 2004 - 04:00 PM

I had run Ad-Aware just before running Hijack this, but I will try it again and repost. Thanks!

#5 RubbeR DuckY

Posted 07 July 2004 - 04:02 PM

I saw that you had Ad-Aware, but I always post directions on how to download etc... Don't think I'm a wacko :p

Yes, run Ad-Aware one more time, as I'm sure it should remove ClockSync and a lot more from your log.

Then download Peper Fix. Run it and then restart your computer. Post a new Hijack This log.

#6 chrisborgia

Posted 07 July 2004 - 04:28 PM

Ducky - Ran Ad-Aware again, rebooted, then ran the Peper fix and it detected no files. Here's a new Hijack This log:

THANK YOU!

Logfile of HijackThis v1.97.7
Scan saved at 2:23:16 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\QUICKT~1\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\DIGStream\digstream.exe
C:\documents and settings\chris borgia\local settings\temp\1TWf6rqJM.exe
C:\DOCUME~1\CHRISB~1\LOCALS~1\temp\1TWF6R~1.EXE
C:\WINDOWS\System32\kdlfrm.exe
C:\Program Files\MProcessor\mprocessor.exe
C:\Documents and Settings\Chris Borgia\Application Data\ttuh.exe
C:\WINDOWS\System32\wkkwt.exe
C:\Program Files\BHODemon 2.0\BHODemon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\amnenk.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\amnenk.exe
C:\DOCUME~1\CHRISB~1\MYDOCU~1\Chris\hjtlog.exe
C:\Program Files\Internet Explorer\Iexplore.exe
c:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {30F04009-E232-0AC4-8751-6D550BA02F19} - C:\WINDOWS\SYSTEM32\bkv.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (disabled by BHODemon)
O2 - BHO: (no name) - {EFCD11A9-0F63-4FF5-B894-A9E7FA0442A0} - C:\WINDOWS\System32\fcakbaa.dll (file missing)
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [1TWf6rqJM] C:\documents and settings\chris borgia\local settings\temp\1TWf6rqJM.exe
O4 - HKLM\..\Run: [1TWF6R~1] C:\DOCUME~1\CHRISB~1\LOCALS~1\temp\1TWF6R~1.EXE
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Jufta7y.exe
O4 - HKLM\..\Run: [fehajievvd] C:\WINDOWS\System32\kdlfrm.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [xsFO34S] bsekui.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [gBwERQenQ] CAMBCO~1.EXE
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Chris Borgia\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Axnsh] C:\WINDOWS\System32\wkkwt.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2.0\BHODemon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab

#7 RubbeR DuckY

Posted 07 July 2004 - 04:32 PM

Very interesting...

OK, please wait; this will take me 5 minutes to type up.

#8 chrisborgia

Posted 07 July 2004 - 04:33 PM

Man, this doesn't sound good...

Thanks!

#9 RubbeR DuckY

Posted 07 July 2004 - 04:40 PM

Start Hijack This and tick the boxes next to these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {30F04009-E232-0AC4-8751-6D550BA02F19} - C:\WINDOWS\SYSTEM32\bkv.dll (disabled by BHODemon)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (disabled by BHODemon)
O2 - BHO: (no name) - {EFCD11A9-0F63-4FF5-B894-A9E7FA0442A0} - C:\WINDOWS\System32\fcakbaa.dll (file missing)
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [1TWf6rqJM] C:\documents and settings\chris borgia\local settings\temp\1TWf6rqJM.exe
O4 - HKLM\..\Run: [1TWF6R~1] C:\DOCUME~1\CHRISB~1\LOCALS~1\temp\1TWF6R~1.EXE
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Jufta7y.exe
O4 - HKLM\..\Run: [fehajievvd] C:\WINDOWS\System32\kdlfrm.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [gBwERQenQ] CAMBCO~1.EXE
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Chris Borgia\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Axnsh] C:\WINDOWS\System32\wkkwt.exe

and these, unless you added them:

O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.skoobidoo.com


Then close all windows and hit Fix checked. Restart and delete:

C:\WINDOWS\System32\Jufta7y.exe <- File
C:\WINDOWS\System32\kdlfrm.exe <- File
C:\WINDOWS\System32\wkkwt.exe <- File
C:\Program Files\ClockSync <- Folder
C:\Program Files\Common Files\midaddle <- Folder
C:\Documents and Settings\Chris Borgia\Application Data\ttuh.exe <- File

Then go to Start, Run, and type in %temp%. A folder should open. Try deleting everything in that folder. If something cannot be deleted, it's OK. Now restart once more and post a new Hijack This log.

#10 chrisborgia

Posted 07 July 2004 - 04:42 PM

Thanks. I'll try all that and post back when I'm done.

THANKS!

#11 chrisborgia

Posted 07 July 2004 - 05:25 PM

I wasn't able to delete this:
C:\WINDOWS\System32\kdlfrm.exe <- File

Couldn't find these:

C:\WINDOWS\System32\Jufta7y.exe <- File
C:\Program Files\ClockSync <- Folder
C:\Program Files\Common Files\midaddle <- Folder


Everything else seemed to go okay. Here is the new Hijack log:

Thanks!!

Logfile of HijackThis v1.97.7
Scan saved at 3:21:33 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\Dell\EUSW\Support.exe
C:\PROGRA~1\QUICKT~1\qttask.exe
C:\PROGRA~1\Real\REALPL~1\RealPlay.exe
C:\PROGRA~1\DIGSTR~1\DIGSTR~1.EXE
C:\WINDOWS\System32\kdlfrm.exe
C:\PROGRA~1\MPROCE~1\MPROCE~1.EXE
C:\PROGRA~1\BHODEM~1.0\BHODemon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\amnenk.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\amnenk.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\DOCUME~1\CHRISB~1\MYDOCU~1\Chris\hjtlog.exe
c:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {30F04009-E232-0AC4-8751-6D550BA02F19} - C:\WINDOWS\SYSTEM32\bkv.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [xsFO34S] bsekui.exe
O4 - HKLM\..\Run: [kvfptbggnch] C:\WINDOWS\System32\kdlfrm.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2.0\BHODemon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab

#12 RubbeR DuckY

Posted 07 July 2004 - 05:38 PM

OK, open up Hijack This one more time.
Tick the boxes next to these items:

O4 - HKLM\..\Run: [xsFO34S] bsekui.exe
O4 - HKLM\..\Run: [kvfptbggnch] C:\WINDOWS\System32\kdlfrm.exe


Then close all windows and hit Fix checked. Restart into safe-mode.

Delete C:\WINDOWS\System32\kdlfrm.exe and search for bsekui.exe and also delete it.

Then restart into normal mode and post a follow up log.
Booting into safe-mode: To boot into safe-mode, continuously tap F8 when the computer is first booting up.
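A small triage script, added here as an example (it is not part of this thread and not HijackThis's own code), that parses item lines in the log format posted above and flags the same kinds of entries Marcin ticked in post #9 and again in #12: IE search settings redirected to a local file, unnamed BHOs and toolbars whose file is gone, autoruns that live in a temp or Application Data folder or have no path at all, and Trusted Zone additions. The sample lines are copied from post #6; the heuristics are an assumption drawn from this thread, not a complete rule set.

```python
import re

# Constructed sample input: a subset of the lines from the second log in this
# thread (post #6), in the format of a HijackThis 1.97 log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1TWF6R~1] C:\DOCUME~1\CHRISB~1\LOCALS~1\temp\1TWF6R~1.EXE
O4 - HKLM\..\Run: [xsFO34S] bsekui.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Chris Borgia\Application Data\ttuh.exe
O15 - Trusted Zone: *.clickspring.net
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Folders a legitimate autorun almost never lives in: the user's temp folder and
# the roaming Application Data folder, in both long and 8.3 short forms.
PROFILE_RE = re.compile(r"\\(LOCALS~1\\temp|local settings\\temp|Application Data|APPLIC~1)\\", re.I)

def parse_log(text: str) -> list[tuple[str, str]]:
    """Return (section, body) pairs for the R*/O* item lines only;
    the header and the running-process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def assess(section: str, body: str) -> list[str]:
    """Return the reasons an entry deserves a second look (empty if none)."""
    reasons = []
    if section in ("R0", "R1") and "= file://" in body.lower():
        reasons.append("IE search/start page redirected to a local file (search hijack)")
    if (section in ("O2", "O3") and "(no name)" in body
            and re.search(r"\((no file|file missing)\)", body)):
        reasons.append("unnamed BHO/toolbar whose file is gone (dead registration)")
    if section == "O4" and (m := RUN_RE.match(body)):
        cmd = m.group("cmd").strip().lstrip('"')
        if PROFILE_RE.search(cmd):
            reasons.append("autorun executable lives in a temp or Application Data folder")
        if "\\" not in cmd:
            reasons.append("autorun is a bare filename, so its on-disk location is unknown")
    if section == "O15":
        reasons.append("site in IE Trusted Zone; keep only if you added it yourself")
    return reasons

def triage(text: str) -> list[tuple[str, list[str]]]:
    """Pair each flagged entry, rebuilt as the original log line, with its reasons."""
    flagged = []
    for section, body in parse_log(text):
        reasons = assess(section, body)
        if reasons:
            flagged.append((f"{section} - {body}", reasons))
    return flagged

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line + "".join("\n    -> " + r for r in reasons))
```

Entries for known-good software such as QuickTime, Acrobat or the Dell Shellnext URL pass through unflagged, so the output is a shortlist to review, not a list to delete blindly.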

#13 chrisborgia

Posted 07 July 2004 - 06:26 PM

I searched but couldn't find bsekui.exe.

Here is the latest logfile. Thanks so much for your help. This will be my last post today, I have to leave for work. I'll post again tomorrow. THANKS!

Logfile of HijackThis v1.97.7
Scan saved at 4:23:10 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\Dell\EUSW\Support.exe
C:\PROGRA~1\QUICKT~1\qttask.exe
C:\PROGRA~1\DIGSTR~1\DIGSTR~1.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Real\REALPL~1\RealPlay.exe
C:\PROGRA~1\MPROCE~1\MPROCE~1.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\BHODEM~1.0\BHODemon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\amnenk.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\amnenk.exe
C:\DOCUME~1\CHRISB~1\MYDOCU~1\Chris\hjtlog.exe
C:\Program Files\Internet Explorer\Iexplore.exe
c:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {30F04009-E232-0AC4-8751-6D550BA02F19} - C:\WINDOWS\SYSTEM32\bkv.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2.0\BHODemon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab

#14 RubbeR DuckY

Posted 07 July 2004 - 06:28 PM

Hey, you shouldn't need to post again. It looks great! If any problems persist, please post a new Hijack This log.


Edit: I just received news. MProcessor is bad. If you don't use it and it was installed without consent, remove it from your computer via Add/Remove Programs.

Edited by RubbeR DuckY, 07 July 2004 - 06:35 PM.




