1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Any help is gladly accepted

Discussion in 'Windows - Virus and spyware problems' started by darkriku7, Jun 23, 2006.

  1. darkriku7

    darkriku7 Member

    Joined:
    Jun 23, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    I'm getting frequent notifications from unknown sources that my computer has problems.

    my HJT log reads:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:30:22 AM, on 6/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\system32\dcomcfg.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\WINDOWS\system32\767f9a23.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\SSTEM~1\winspool.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Chad\Desktop\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {5102256E-CAA6-9853-A562-941C84EBE4C5} - C:\WINDOWS\system32\ukgo.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5102256E-CAA6-9853-A562-941C84EBE4C5} - C:\WINDOWS\system32\ukgo.dll
    O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
    O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {B97D16D6-517F-4053-B382-03C0F4C4FFDE} - C:\WINDOWS\system32\mljjk.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [767f9a23.exe] C:\WINDOWS\system32\767f9a23.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Nbnyqy] C:\WINDOWS\SSTEM~1\winspool.exe
    O4 - HKCU\..\Run: [767f9a23.exe] C:\Documents and Settings\Chad\Local Settings\Application Data\767f9a23.exe
    O4 - Startup: .protected
    O4 - Global Startup: .protected
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150255787375
    O20 - AppInit_DLLs: C:\WINDOWS\system32\spoolsv.dll
    O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
     
  2. Xeres

    Xeres Member

    Joined:
    Apr 27, 2003
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    16
    Hi Darkriku7:
    I responded in the other message,guess you didn't get. Lets get you fixed.

    Please download to your desktop Smitfraudfix from: http://siri.urz.free.fr/Fix/SmitfraudFix.zip . Unzip and install.
    Run athe program and select option one. It will save a file named Rapport.tx on the C: Rapport.tx

    Please download ewido anti malware it is a free version of the program -> http://www.ewido.net/en/download/

    1. Install ewido security suite
    2. When installing, under "Additional Options" uncheck..
    * Install background guard
    * Install scan via context menu
    3. Launch ewido, there should be an icon on your desktop, double-click it.
    4. The program will now open to the main screen.
    5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    6. You will need to update ewido to the latest definition files.
    * On the left hand side of the main screen click update.
    * Then click on Start Update.
    7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")

    If you are having problems with the updater, you can use this link to manually update ewido.
    ewido manual updates -> http://www.ewido.net/en/download/updates/

    Once the updates are installed do the following:

    Reboot your computer in SafeMode by doing the following:

    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.

    Launch ewido:

    * Click on scanner
    * Click on Complete System Scan and the scan will begin.
    * You will be prompted to clean the first infection.
    * Select "Perform action on all infections", then proceed.
    * Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    * Click Save report.
    * Save the report .txt file to your desktop or a location where you can find it easily.

    While still in safe mode do a search for C:\WINDOWS\system32\767f9a23.exe . If found delet

    Boot to normal mode

    Run A HJT sacn only and place a check mark by each of the following:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {5102256E-CAA6-9853-A562-941C84EBE4C5} - C:\WINDOWS\system32\ukgo.dll
    O2 - BHO: (no name) - {5102256E-CAA6-9853-A562-941C84EBE4C5} - C:\WINDOWS\system32\ukgo.dll
    O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
    O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
    O2 - BHO: (no name) - {B97D16D6-517F-4053-B382-03C0F4C4FFDE} - C:\WINDOWS\system32\mljjk.dll (file missing)
    O4 - HKLM\..\Run: [767f9a23.exe] C:\WINDOWS\system32\767f9a23.exe
    O4 - Startup: .protected
    O4 - HKCU\..\Run: [767f9a23.exe] C:\Documents and Settings\Chad\Local Settings\Application Data\767f9a23.exe
    O4 - Global Startup: .protected
    O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll (file missing)
    O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)

    Post back here with Ewido log. Rapport.txt log and HJT log

    Xeres
     

Share This Page