Firefox works selectively, suspects spyware

Discussion in 'Windows - Virus and spyware problems' started by ebolamonk, Jun 29, 2008.

  1. ebolamonk

    ebolamonk Member

    Joined:
    Jun 29, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Hi guys, my firefox is acting up pretty weird. Most of the time it won't allow me to search anything on google or yahoo, but will load bookmarked pages. It's also running a lot slower than usual, so for now I'm using safari. I'm pretty sure it's not an internet connection problem or fault of Mozilla (I'm using firefox 3), as it runs fine on my other computer. I've tried ad-aware and avg antivirus, but the problem persists. Right now I'm running Kaspersky scan and will post the log when it's done. I also ran hijackthis and the log is below. Any help would be greatly appreciated, thank you.



    Hijackthis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:49:27 PM, on 6/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Razer\razerhid.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Razer\razertra.exe
    C:\Program Files\Razer\razerofa.exe
    C:\Program Files\Safari\Safari.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
    O2 - BHO: (no name) - {AA1C0F09-ABAF-4D7D-A35B-8B235C644455} - C:\WINDOWS\system32\geBsSmLD.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
    O2 - BHO: (no name) - {F30B1B0B-C305-414E-A4FF-AC93A08DE0AC} - C:\WINDOWS\system32\urqOeFwW.dll (file missing)
    O2 - BHO: {02a56009-bd35-5e5a-36a4-fa82cc8ec15f} - {f51ce8cc-28af-4a63-a5e5-53db90065a20} - C:\WINDOWS\system32\mfquldsd.dll
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [BM2835007b] Rundll32.exe "C:\WINDOWS\system32\enxmrjqy.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
    O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: ???ˉ??à×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
    O9 - Extra 'Tools' menuitem: ???ˉ??à×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O15 - ESC Trusted Zone: http://*.update.microsoft.com
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156017601609
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161620261984
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
    O20 - AppInit_DLLs: wbsys.dll,C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
    O20 - Winlogon Notify: urqOeFwW - urqOeFwW.dll (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

    --
    End of file - 6497 bytes
     
  2. ebolamonk

    Here's the Kaspersky scan log.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Sunday, June 29, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Sunday, June 29, 2008 16:47:22
    Records in database: 897224
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan statistics:
    Files scanned: 177658
    Threat name: 7
    Infected objects: 20
    Suspicious objects: 0
    Duration of the scan: 05:26:03


    File name / Threat name / Threats count
    C:\WINDOWS\system32\enxmrjqy.dll/C:\WINDOWS\system32\enxmrjqy.dll Infected: Trojan.Win32.Monder.zf 10
    C:\WINDOWS\system32\mfquldsd.dll/C:\WINDOWS\system32\mfquldsd.dll Infected: Trojan.Win32.Monderc.gen 2
    C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-2a6e65ef Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-16824083 Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\HP_Administrator\My Documents\Bill's Documents\Stuff\Stuff\Applications\spysweeper507.exe Infected: Backdoor.Win32.Delf.jgi 1
    C:\WINDOWS\system32\enxmrjqy.dll Infected: Trojan.Win32.Monder.zf 1
    C:\WINDOWS\system32\hkrgwkuh.dll Infected: Trojan.Win32.Monder.zh 1
    C:\WINDOWS\system32\hsdnbodc.dll Infected: Trojan.Win32.Monder.zj 1
    C:\WINDOWS\system32\iffptlci.dll Infected: Trojan.Win32.Monder.zk 1
    C:\WINDOWS\system32\mfquldsd.dll Infected: Trojan.Win32.Monderc.gen 1

    The selected area was scanned.
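    The two logs above are usually read side by side: the HijackThis entries name what is loaded at startup, and the Kaspersky report names what is detected. As an added example (not code from the thread or from either tool), the Python script below does that cross-check over a few lines copied from the two logs: it parses HijackThis O2/O4/O20 lines, pulls the file path out of each, and flags an entry if the scanner detected that file, if HijackThis marked it "(file missing)" (an orphaned autostart entry), or if the file is an eight-random-letter DLL in system32. That last rule is a heuristic assumed here, not something either tool reports, and it is only meant to draw attention to entries worth checking, not to declare them malicious.

```python
import re

# Constructed sample: a handful of HijackThis lines copied from the first post.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AA1C0F09-ABAF-4D7D-A35B-8B235C644455} - C:\WINDOWS\system32\geBsSmLD.dll (file missing)
O2 - BHO: {02a56009-bd35-5e5a-36a4-fa82cc8ec15f} - {f51ce8cc-28af-4a63-a5e5-53db90065a20} - C:\WINDOWS\system32\mfquldsd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM2835007b] Rundll32.exe "C:\WINDOWS\system32\enxmrjqy.dll",s
O20 - Winlogon Notify: urqOeFwW - urqOeFwW.dll (file missing)
"""

# Constructed sample: three detection lines copied from the Kaspersky report.
KAV_SAMPLE = r"""
C:\WINDOWS\system32\enxmrjqy.dll Infected: Trojan.Win32.Monder.zf 1
C:\WINDOWS\system32\mfquldsd.dll Infected: Trojan.Win32.Monderc.gen 1
C:\WINDOWS\system32\hkrgwkuh.dll Infected: Trojan.Win32.Monder.zh 1
"""

# A full drive-letter path ending in .dll/.exe (stops before a trailing ",arg" or quote).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:dll|exe))', re.IGNORECASE)
# Fallback for entries that only carry a bare file name (O20 Winlogon Notify lines).
NAME_RE = re.compile(r'([\w.-]+\.(?:dll|exe))', re.IGNORECASE)
# Heuristic (assumed here): eight lowercase letters followed by .dll.
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}\.dll$')


def parse_hjt(text):
    """Return one dict per HijackThis 'Onn - ...' line that references a file."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'(O\d+) - (.*)', line)
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body) or NAME_RE.search(body)
        if not pm:
            continue
        path = pm.group(1)
        entries.append({
            "section": section,
            "path": path,
            "basename": path.rsplit("\\", 1)[-1].lower(),
            "file_missing": "(file missing)" in body,
        })
    return entries


def parse_kav(text):
    """Map lowercase file name -> threat name from Kaspersky 'Infected:' lines."""
    hits = {}
    for line in text.splitlines():
        m = re.match(r'(.+?) Infected: (\S+)', line.strip())
        if m:
            hits[m.group(1).rsplit("\\", 1)[-1].lower()] = m.group(2)
    return hits


def triage(hjt_text, kav_text):
    """Return (section, basename, reasons) for each autostart entry worth a look."""
    hits = parse_kav(kav_text)
    findings = []
    for e in parse_hjt(hjt_text):
        reasons = []
        if e["basename"] in hits:
            reasons.append("scanner: " + hits[e["basename"]])
        if e["file_missing"]:
            reasons.append("orphaned entry (file missing)")
        if "\\system32\\" in e["path"].lower() and RANDOM_NAME_RE.match(e["basename"]):
            reasons.append("random-looking 8-letter DLL name in system32 (heuristic)")
        if reasons:
            findings.append((e["section"], e["basename"], reasons))
    return findings


if __name__ == "__main__":
    for section, name, reasons in triage(HJT_SAMPLE, KAV_SAMPLE):
        print(f"{section:<4} {name:<16} {'; '.join(reasons)}")
```

    On the sample, the legitimate Java and NVIDIA entries pass clean, while the two DLLs Kaspersky named, the two orphaned "(file missing)" entries and the random-named system32 DLLs are listed with the reason each was flagged. Entries flagged only by the name heuristic still need confirming against a scanner result or a file hash lookup before anything is removed.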
     
  3. tucker001

    tucker001 Regular member

    Joined:
    Jun 6, 2006
    Messages:
    414
    Likes Received:
    0
    Trophy Points:
    26
    Don't rely on security software to protect you. The only way to protect yourself from viruses/spyware is to not do stupid stuff on the internet (i.e. porn, p2p, clicking links in email, etc.). It is a good idea to have an AV or antispyware program to scan your system to see if you have any infections, but in all honesty once this stuff is on your system it is next to impossible to remove. Some viruses and spyware have gotten so nasty lately that they attach themselves to system files, so when your AV or antispyware program tries to remove them you end up with an unbootable system. So my advice is:

    1. Don't do dumb stuff on the internet that can get you viruses and spyware
    2. Apply Windows updates as soon as they are released
    3. Have an antivirus, but stay away from Norton or McAfee; I like Nod32 and AVG's Free antivirus. Only use one, though
    4. Antispyware - Windows Defender, Spybot, Ad-Aware, and HJT
    5. Firewall - Turn on the Windows Firewall. If you don't already have one, get a router; this is the best form of firewall because it is hardware and cannot be turned off by viruses like software firewalls can
    6. Run as a limited user day to day
    7. Use IE7 or Firefox; don't use IE6 or lower

    If you follow these rules you won't ever get a virus or anything.

    I'm sorry to say this, but the only way to be sure your system isn't compromised anymore is to format your drive and reinstall Windows. Make sure to back up your data first.
     
  4. ebolamonk

    Tucker, thanks for the advice on how to protect my pc in the future. But since I've already done something stupid, is there a way to fix it without reformatting my hard drive? Thanks.
     
  5. tucker001

    It depends on how badly you're infected. Let me check your log.
     
  6. tucker001

    Your log doesn't look great. The reason your antispyware and antivirus software can't remove them is likely because they are dug deep in your system and attached to system files, and it can't remove them because it would cause your machine to not boot. You could stay on the forum, and there'll be some people on here who will try and help you remove this by hand, but honestly I can guarantee they won't get rid of all of it, and if they don't get rid of all of it, it is all just going to come back. So my advice would be to back up all your data to CDs/DVDs, an external HDD, etc. and reinstall Windows, then make sure to get all the security updates, SP3, and the rest of the stuff that I had posted for you. Also, one more thing: it only takes a few hours to reinstall everything; it can take days or weeks trying to disinfect a computer by hand.
     
  7. ozy

    ozy Regular member

    Joined:
    Apr 17, 2003
    Messages:
    614
    Likes Received:
    0
    Trophy Points:
    26
    Here are some steps to get you back on track. Try step 4 first.

    1. “Disable System Restore” on all drives. http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm

    2. Backup any sensitive data to an external drive, cd, dvd, separate partition or flash drive etc.

    3. Download CCleaner and save the file to your desktop. http://download.piriform.com/ccsetup209.exe
    a. Double click the install file
    b. Select the language and click OK
    c. Click next
    d. Click “I Agree”
    e. Click Next
    f. Untick the bottom checkbox and click install
    g. Click Finish
    h. You can delete the install file now or save it for future installations
    i. Open CCleaner from the desktop shortcut
    j. Click on the “Applications” tab and make sure all are ticked
    k. Click on “Analyze” at bottom
    l. Once finished scan click on run cleaner, bottom right
    m. Click on the “Registry” button on the left panel
    n. Select “Scan for Issues”
    o. Click “Fix selected Issues” When asked to make a backup click YES and save the file somewhere safe
    p. Click on “Fix All Selected Issues”
    q. Click OK, Click close
    r. Repeat steps from letter “K” to “Q”
    s. Close the program.

    4. Download all three files to a folder on your desktop. Extract both zip files to the same folder. Double click the sysclean file and follow the prompts. Click on the advanced button underneath for more options prior to scanning.

    SystemClean
    http://www.trendmicro.com/ftp/products/tsc/sysclean.com

    Virus Pattern File
    http://www.trendmicro.com/ftp/products/pattern/lpt383.zip

    Malware Pattern File
    http://www.trendmicro.com/ftp/products/pattern/spyware/ssapi/ssapiptn663.zip


    5. Download CWShredder and scan your system for “CoolWebSearch” malware.
    http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe

    While trying all these different programs make sure you limit Real-time Anti-Virus programs to one per system at any time. If you decide to try a different anti-virus make sure to uninstall the current one.
    Try and use the same rule for anti-spyware programs with real-time functionality as well. Otherwise you will compromise your system resources.

    After completing steps, restart your system and use CCleaner again once restarted. Then carry on to next task.

    6. Download Trial version of Nod32 Anti-Virus 3.0
    for Windows XP/2000/Vista (32-bit)
    http://download1.eset.com/eval/win/eav/eav_nt32_enu.msi

    for Windows XP/2000/Vista (64-bit ONLY)
    http://download1.eset.com/eval/win/eav/eav_nt64_enu.msi


    Installation mode: Typical
    Enable threatsense early warning system
    Enable Detection of potentially unwanted applications

    You have now finished the install. Restart the computer and then right click on the Nod32 bottom toolbar icon and select “update”.
    Now you can scan your pc so again right click on the toolbar icon and select “computer scan”. Select “My Computer” and then select “Scan” at the bottom right.
    Wait for scan to finish to review results making sure any Bad files are Quarantined.

    7. Download and install Counterspy v2 trial version for 15 day fully functional.
    http://go.sunbelt-software.com/?linkid=410
    a. Click Next
    b. Agree to the license agreement
    c. Click Next
    d. Click Next again
    e. Click Install
    f. Click Finish – The check box above should be ticked to open the program.
    g. Click next – Getting Started
    h. Click next if using demo version
    i. Click next to enable automatic updates
    j. Select “YES” and Select “CAUTIOUS” then Next
    k. Select “YES” then Finish
    l. Select “Enter Counterspy Now”

    To update the CounterSpy application and security risk definitions Click Updates on the toolbar or select File - Check for updates... from the menu bar. The Update Services window opens and downloads the available updates. After it is complete, click Close.

    m. Now you are ready for a full system scan
    n. Select “System Scan” from the left menu
    o. Select “Full System”
    p. Select “Low Risk Programs”
    q. Select “Cookies”
    r. Select “Save Options”
    s. Above Select “Scan Now”

    Please wait for scan to complete. To be on the safe side “Quarantine All Objects”.

    Now click on “System Tools” and click “My PC Checkup” and Click “Start”.
    Click Continue and “OK”.

    Now go back into “System Tools” and select “PC Explorer”. Here you can check startup programs, ActiveX controls, BHO files, and much more. If unsure how to use leave as is for now.

    8. Restart your PC.
    9. You can do a scan with CCleaner again.

    10. Next you can do a quick Spyware Audit, which won’t actually install any program but just checks the system for infection to see where we are in the fight against spyware/viruses.

    a. Go here and follow the prompts. If you have no internet, skip this step.
    http://www.webroot.com/services/entaudit/auditbegin.php
    b. Click on the link and save the file to your “Desktop”
    c. Run the file and wait for all 5 steps to finish
    d. View the displayed results. If your system only shows cookies then you’re OK. If your system has any other one of three groups then more work needs to be done.

    11. Now if you’re using Windows XP let’s make sure you have the latest Service Pack.
    a. Open CCleaner and in the top Heading is a System Spec List.
    b. Where it says “MS Windows XP SP 1, 2 or 3”.
    c. If you have anything below SP3 you should download the following file:
    http://download.windowsupdate.com/m..._c81472f7eeea2eca421e116cd4c03e2300ebfde4.exe
    d. Save the file to your desktop and then install by following the prompts.
    e. You will probably need to restart your system after the install.

    12. Now we want to check what internet explorer you currently use. The latest is “Internet Explorer 7”.
    a. Open internet explorer and click on “help” in the top toolbar.
    b. Click on “About Internet Explorer”. If you have version 6 or below you need to upgrade to version 7.
    c. Download it here:
    http://www.microsoft.com/downloads/...BE-3385-447C-8A30-081805B2F90B&displaylang=en
    d. Click the download button and save the file to your desktop.
    e. Open the file and follow the prompt.


    13. Now we are going to check your firewall security. If you currently run a software firewall other than the Windows system firewall, then I would suggest uninstalling it and replacing it with a network router which supports NAT (network address translation). If you cannot afford one straight away, then leave it installed for the time being. You may already have a router, or it may be built into your broadband modem. A router makes your PC merely invisible to the outside world by displaying dummy IP addresses.
    a. Go to this website
    https://www.grc.com/x/ne.dll?bh0bkyd2
    b. Please have a short read prior to taking first test.
    c. Click on “Proceed”
    d. Click on each test option in the table File Sharing, Common Ports, All Service Ports, Message Spam and Browser Headers.
    e. Read your results after each test. The tests in Red are the most important.
    If your results do not come back as stealth and you are using a software firewall then it’s not really working for you.
    If your results do not come back as stealth and you have a network router then it is not configured correctly or the firmware needs updating. (see your hardware manufacturers website for this)
    If you have a router and a software firewall other than windows firewall then I would uninstall it and run the tests again.
    Software firewalls can be a major drag to your system and are too much work to maintain let alone configure. If you are not sure about an application wanting permission to access the outside world then the wrong decision could easily be made causing a security issue or your operating system functioning incorrectly. Watch the attached video: http://youtube.com/watch?v=1rsUefv-nlk

    If your Windows firewall is disabled I would suggest turning it back on.

    14. Carry out a “disk cleanup” on your hard drives at least once per week.
    15. Make sure you use “Defragmenter” at least once a month to keep files at a faster access rate. The more you do this the less amount of time is taken.


    16. After all this and your system is still compromised/infected, Start your PC in "Safe Mode"
    http://www.computerhope.com/issues/chsafe.htm
    a. Do a full system scan with all mentioned software in this article.
    b. Please note that some programs don’t support safe mode and will not function.
     
  8. tucker001

    ozy you stole the video I posted in another thread lol
     
  9. ozy

    I knew I'd be explaining this one. I didn't mean to steal it, lol. It was just a good point which I've been trying to get across to people for ages, so I linked it to my post. I'm sorry if I offended you.

    Very good video. I must say.
     
  10. tucker001

    It's okay, we're all here to help other people. I was a caller on that show back in October; I might post my call on YouTube.
     
  11. ozy

    Cool, did they give you good advice?
     
  12. tucker001
