Please Help - Hijack This Log

Please Help - Hijack This Log

Post by katkittypro on 31st March 2010, 6:22 pm

So, my dad's computer has a virus or something called "User Protection" that looks like an anti-virus protection program, and now his computer is completely useless. Every time we try to open something, the "Open With" option box pops up, and even if you choose the correct program to open it with (i.e. double-clicking Internet Explorer, then clicking Internet Explorer from the Open With options), it will open something completely different (for Internet Explorer, it opened some file folder that didn't look like it had anything to do with Internet Explorer).

I've searched the forum for a solution to our problem. On my laptop, I downloaded and saved onto a flash drive Malwarebytes' Anti-Malware (mbam-setup.exe) and HijackThis. In safe mode on my dad's computer, I installed Malwarebytes' Anti-Malware, which seemed to go fine. When I tried to open or run it, I got a pop-up error message that the "mbam-setup.exe" file couldn't be found, and when I tried to search for it, I couldn't find it either. So, I then ran the HijackThis program and surprisingly I was able to run it and view and save the log. I am at the end of the road and don't know what else to do. The following is the HijackThis log, and hopefully someone can review it and help my dad and me get his computer back to working.
Thank You,
Tracy

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:47 AM, on 3/31/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe
G:\Spyware Removal Programs 03-31-10\Hijack This (From Geek Police).scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapp.tfo beforegreen
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 [You must be registered and logged in to see this link.]
O1 - Hosts: 74.125.45.100 [You must be registered and logged in to see this link.]
O1 - Hosts: 74.125.45.100 [You must be registered and logged in to see this link.]
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 [You must be registered and logged in to see this link.]
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.com
O1 - Hosts: 67.215.240.115 google.com.au
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.be
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.com.br
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.ca
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.ch
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.de
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.dk
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.fr
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.ie
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.it
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.co.jp
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.nl
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.no
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.co.nz
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.pl
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.se
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.co.uk
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.co.za
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 search.yahoo.com
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 uk.search.yahoo.com
O1 - Hosts: 67.215.240.115 ca.search.yahoo.com
O1 - Hosts: 67.215.240.115 de.search.yahoo.com
O1 - Hosts: 67.215.240.115 fr.search.yahoo.com
O1 - Hosts: 67.215.240.115 au.search.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\imoal9.dll - {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\imoal9.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [yafofohot] Rundll32.exe "c:\windows\system32\wuduluto.dll",a
O4 - HKLM\..\Run: [wiroyofeye] Rundll32.exe "rorivano.dll",s
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [wiroyofeye] Rundll32.exe "bekoduya.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [YVIBBBHA8C] C:\WINDOWS\TEMP\Zpr.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [YVIBBBHA8C] C:\WINDOWS\TEMP\Zpr.exe (User 'Default user')
O4 - S-1-5-18 Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'Default user')
O4 - Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
O4 - Global Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F144ED-7EDC-4E85-B741-B6CC26F3916F}: NameServer = 217.23.14.75,4.2.2.1,192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.145,93.188.161.128
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.145,93.188.161.128
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.145,93.188.161.128
O20 - AppInit_DLLs: c:\windows\system32\wuduluto.dll,gemewoda.dll
O20 - Winlogon Notify: cbXNFutq - cbXNFutq.dll (file missing)
O21 - SSODL: yuzegeruk - {8e3cf70a-b5db-48f3-93f9-15c3f869d9cd} - c:\windows\system32\wuduluto.dll
O22 - SharedTaskScheduler: jsg9dgjisdogje94guiofjgd - {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\imoal9.dll
O22 - SharedTaskScheduler: kupuhivus - {8e3cf70a-b5db-48f3-93f9-15c3f869d9cd} - c:\windows\system32\wuduluto.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8773 bytes


Re: Please Help - Hijack This Log

Post by Belahzur on 31st March 2010, 10:24 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapp.tfo beforegreen
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: C:\WINDOWS\system32\imoal9.dll - {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\imoal9.dll
    O4 - HKLM\..\Run: [yafofohot] Rundll32.exe "c:\windows\system32\wuduluto.dll",a
    O4 - HKLM\..\Run: [wiroyofeye] Rundll32.exe "rorivano.dll",s
    O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchost.exe
    O4 - HKUS\S-1-5-20\..\Run: [wiroyofeye] Rundll32.exe "bekoduya.dll",s (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [YVIBBBHA8C] C:\WINDOWS\TEMP\Zpr.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [YVIBBBHA8C] C:\WINDOWS\TEMP\Zpr.exe (User 'Default user')
    O4 - S-1-5-18 Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'Default user')
    O4 - Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
    O4 - Global Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F144ED-7EDC-4E85-B741-B6CC26F3916F}: NameServer = 217.23.14.75,4.2.2.1,192.168.1.254
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.145,93.188.161.128
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.145,93.188.161.128
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.145,93.188.161.128
    O20 - AppInit_DLLs: c:\windows\system32\wuduluto.dll,gemewoda.dll
    O20 - Winlogon Notify: cbXNFutq - cbXNFutq.dll (file missing)
    O21 - SSODL: yuzegeruk - {8e3cf70a-b5db-48f3-93f9-15c3f869d9cd} - c:\windows\system32\wuduluto.dll
    O22 - SharedTaskScheduler: jsg9dgjisdogje94guiofjgd - {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\imoal9.dll
    O22 - SharedTaskScheduler: kupuhivus - {8e3cf70a-b5db-48f3-93f9-15c3f869d9cd} - c:\windows\system32\wuduluto.dll
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)



  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


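The list of lines to check above is what a manual triage of the posted log produces. As an added example (not part of the thread, and not HijackThis code), the Python below automates that pass over the entry lines of a HijackThis v2 log and states a reason for each hit. The sample log is a constructed excerpt of the first log in the thread, and the rules are this example's assumptions for a home Windows XP machine rather than an official rule set: Shell= must be bare Explorer.exe, UserInit must contain only userinit.exe, no hosts entry may point anywhere but loopback, resolvers outside private address space are reported for confirmation, autoruns from a Temp directory or loaded through rundll32 are flagged, every O20/O21/O22 load point is flagged, and services with a missing binary or unknown owner are flagged.

```python
"""Triage of a Trend Micro HijackThis v2 log.

Added example; not part of the thread and not HijackThis code. The rules
below are the author's reading of the posted log and are assumptions for a
home XP machine, not an official rule set.
"""
import ipaddress
import re
from typing import Iterator, List, Tuple

# Constructed excerpt: entry lines copied from the first log in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapp.tfo beforegreen
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 67.215.240.115 google.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [yafofohot] Rundll32.exe "c:\windows\system32\wuduluto.dll",a
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [YVIBBBHA8C] C:\WINDOWS\TEMP\Zpr.exe (User 'SYSTEM')
O4 - Global Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F144ED-7EDC-4E85-B741-B6CC26F3916F}: NameServer = 217.23.14.75,4.2.2.1,192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.145,93.188.161.128
O20 - AppInit_DLLs: c:\windows\system32\wuduluto.dll,gemewoda.dll
O20 - Winlogon Notify: cbXNFutq - cbXNFutq.dll (file missing)
O21 - SSODL: yuzegeruk - {8e3cf70a-b5db-48f3-93f9-15c3f869d9cd} - c:\windows\system32\wuduluto.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
GOOD_USERINIT = r"c:\windows\system32\userinit.exe"   # the only value XP needs (assumption)


def parse(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for each entry line; headers and the process list are skipped."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def ip_kind(text: str) -> str:
    """Classify an address string as loopback, private, public or invalid."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "invalid"
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"


def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, body) for every entry that belongs in a 'Fix Checked' list."""
    hits = []
    for sec, body in parse(log):
        low = body.lower()
        reason = None
        if sec == "F2" and "shell=" in low:
            if low.split("shell=", 1)[1].strip() != "explorer.exe":
                reason = "Shell= carries an extra command after Explorer.exe"
        elif sec == "F2" and "userinit=" in low:
            entries = [e.strip() for e in low.split("userinit=", 1)[1].split(",") if e.strip()]
            if entries != [GOOD_USERINIT]:
                reason = "UserInit has appended executable(s): " + ", ".join(entries[1:])
        elif sec == "O1":
            parts = low.split("hosts:", 1)[1].split()
            if len(parts) >= 2 and ip_kind(parts[0]) != "loopback":
                reason = f"hosts file redirects {parts[1]} to {parts[0]}"
        elif sec == "O4":
            cmd = low.split("] ", 1)[-1]          # command after the [name] tag, if any
            if "\\temp\\" in cmd:
                reason = "autorun launches from a Temp directory"
            elif "rundll32" in cmd:
                reason = "autorun loads a DLL through rundll32"
            elif "svchost.exe" in cmd and "\\system32\\svchost.exe" not in cmd:
                reason = "svchost.exe outside system32"
        elif sec == "O7" and "disableregedit=1" in low:
            reason = "Registry Editor disabled by policy (source of the 'disabled by your administrator' prompts)"
        elif sec == "O17":
            servers = [s.strip() for s in low.split("nameserver =", 1)[1].split(",")]
            public = [s for s in servers if ip_kind(s) == "public"]
            if public:
                reason = "DNS resolver(s) outside private space, confirm with the ISP: " + ", ".join(public)
        elif sec == "O20":
            reason = "AppInit_DLLs / Winlogon Notify load point in use"
        elif sec in ("O21", "O22"):
            reason = "non-default shell load point (SSODL / SharedTaskScheduler)"
        elif sec == "O23" and ("(file missing)" in low or "unknown owner" in low):
            reason = "service with missing binary or unknown owner"
        if reason:
            hits.append((sec, reason, body))
    return hits


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec:<4} {reason}\n     {body}")
```

Run as a script it prints the 15 flagged entries and leaves IgfxTray and the Lavasoft service alone. The O17 rule reports 4.2.2.1 next to 217.23.14.75: 4.2.2.1 is a long-standing Level 3 public resolver that may have been set on purpose, which is why that rule reports resolvers for confirmation instead of condemning them. What the script cannot see matters too: "Fix Checked" edits registry values and the hosts file (and, for a BHO, tries to delete the DLL), but it does not stop running processes, and ave.exe is in the process list of both logs, so a live process can rewrite the keys as soon as they are cleared.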

Didn't Help

Post by katkittypro on 1st April 2010, 9:05 pm

First of all, thank you for your previous response and any possible future ones.
I followed your instructions but unfortunately I wasn't able to do anything with Malwarebytes' Anti-Malware.
The following are the steps I took and the results of them. I also ran HijackThis again and have included the log at the end of this post. Maybe there was a line that should be deleted but was missed, or I made a mistake somewhere. Can you please, please help me with this.

1. Checked the boxes in front of the lines I was told to in Response #1.

2. After clicking “Fix Checked”, I clicked “Yes” on a popup window that asked if I was sure I wanted to delete the 27 selected lines.

3. Then I got 4 popup windows (same text):
Registry Editor:
Registry editing has been disabled by your administrator.

4. Another popup:
HijackThis:
HijackThis is about to remove a BHO and the corresponding file from your system. Close all Internet Explorer windows AND all Windows Explorer windows before continuing for the best chance of success.

5. Last popup:
Said something about needing to restart the computer, so I clicked a button allowing restart. During restart, I continuously hit the F8 key to be able to boot in Safe Mode. My flash drive, with only the 2 programs and the HijackThis log file on it, was still plugged in. After about 30 seconds, the screen was all black with a short line of text at the top saying, “Missing Operating System.” I tried the restart again without the flash drive in and was able to boot in Safe Mode.

6. Without the Internet in Safe Mode, I installed the “mbam-setup” tool from my flash drive. In the last window of the installation, with the “Launch” box being checked, I clicked “Finish.”

7. Received popup:
Setup:
Unable to execute file:
C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe
CreateProcess failed; code 2.
The system cannot find the file specified.

8. Tried running it other ways, but none of them worked.

9. Ran HijackThis again. The Results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:48 PM, on 4/1/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe
G:\Spyware Removal Programs 03-31-10\Hijack This (From Geek Police).scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 [You must be registered and logged in to see this link.]
O1 - Hosts: 74.125.45.100 [You must be registered and logged in to see this link.]
O1 - Hosts: 74.125.45.100 [You must be registered and logged in to see this link.]
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 [You must be registered and logged in to see this link.]
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.com
O1 - Hosts: 67.215.240.115 google.com.au
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.be
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.com.br
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.ca
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.ch
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.de
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.dk
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.fr
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.ie
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.it
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.co.jp
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.nl
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.no
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.co.nz
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.pl
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.se
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.co.uk
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 google.co.za
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 search.yahoo.com
O1 - Hosts: 67.215.240.115 [You must be registered and logged in to see this link.]
O1 - Hosts: 67.215.240.115 uk.search.yahoo.com
O1 - Hosts: 67.215.240.115 ca.search.yahoo.com
O1 - Hosts: 67.215.240.115 de.search.yahoo.com
O1 - Hosts: 67.215.240.115 fr.search.yahoo.com
O1 - Hosts: 67.215.240.115 au.search.yahoo.com
O2 - BHO: C:\WINDOWS\system32\imoal9.dll - {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\imoal9.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [yafofohot] Rundll32.exe "c:\windows\system32\wuduluto.dll",a
O4 - HKLM\..\Run: [wiroyofeye] Rundll32.exe "rorivano.dll",s
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Security Guard] "C:\Documents and Settings\All Users\Application Data\41fae04\SG41fa.exe" /s /d (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ccagent.exe] C:\WINDOWS\system32\config\systemprofile\Application Data\Control Components\ccagent.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Security Guard] "C:\Documents and Settings\All Users\Application Data\41fae04\SG41fa.exe" /s /d (User 'Default user')
O4 - Global Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\narrator.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: c:\windows\system32\wuduluto.dll,gemewoda.dll
O21 - SSODL: yuzegeruk - {8e3cf70a-b5db-48f3-93f9-15c3f869d9cd} - c:\windows\system32\wuduluto.dll
O22 - SharedTaskScheduler: jsg9dgjisdogje94guiofjgd - {A9BA40A1-74F1-52BD-F434-00B15A2C8953} - C:\WINDOWS\system32\imoal9.dll
O22 - SharedTaskScheduler: kupuhivus - {8e3cf70a-b5db-48f3-93f9-15c3f869d9cd} - c:\windows\system32\wuduluto.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7592 bytes

Thank You,
Tracy

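The second log shows which of the 27 fixes held and which did not. As an added example (not part of the thread, and not HijackThis code), the Python below compares two logs as sets of normalised entry lines and sorts the checked entries into removed and persisted, plus whatever appeared only afterwards. BEFORE and AFTER are constructed excerpts of the two logs posted above, the case-folding and the stripping of the "(User '...')" suffix are this example's normalisation choices, and treating every BEFORE line as one of the checked entries is its simplification.

```python
"""Did 'Fix Checked' hold? Compare the HijackThis logs from before and after.

Added example; not part of the thread and not HijackThis code. BEFORE and
AFTER are constructed excerpts of the two logs posted in the thread.
"""
import re

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)$")

# Constructed excerpt of the first log (all of these were in the checked list).
BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapp.tfo beforegreen
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [yafofohot] Rundll32.exe "c:\windows\system32\wuduluto.dll",a
O4 - HKUS\S-1-5-18\..\Run: [YVIBBBHA8C] C:\WINDOWS\TEMP\Zpr.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.145,93.188.161.128
O20 - AppInit_DLLs: c:\windows\system32\wuduluto.dll,gemewoda.dll
"""

# Constructed excerpt of the second log, taken after 'Fix Checked' and a reboot.
AFTER = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [yafofohot] Rundll32.exe "c:\windows\system32\wuduluto.dll",a
O4 - HKUS\S-1-5-18\..\Run: [Security Guard] "C:\Documents and Settings\All Users\Application Data\41fae04\SG41fa.exe" /s /d (User 'SYSTEM')
O20 - AppInit_DLLs: c:\windows\system32\wuduluto.dll,gemewoda.dll
"""

REQUESTED = BEFORE   # simplification: every BEFORE line counts as a checked entry


def entries(log: str) -> set:
    """Normalised 'Sec - body' keys, so a case difference (SYSTEM32\\Userinit.exe vs
    system32\\userinit.exe) or the per-user suffix cannot hide an unchanged entry."""
    keys = set()
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            keys.add(m.group("sec") + " - " + USER_SUFFIX.sub("", m.group("body")).lower())
    return keys


def fix_outcome(requested: str, before: str, after: str) -> dict:
    """Sort the checked entries into removed / persisted and list what is new."""
    req, b, a = entries(requested), entries(before), entries(after)
    return {
        "removed": sorted(req & (b - a)),   # gone from the new log
        "persisted": sorted(req & b & a),   # checked, yet still present: something put it back
        "new": sorted(a - b),               # appeared only after the fix
    }


if __name__ == "__main__":
    for state, keys in fix_outcome(REQUESTED, BEFORE, AFTER).items():
        print(f"{state}:")
        for key in keys:
            print("   ", key)
```

On these excerpts the result is four removed (the Shell= addition, Zpr.exe, DisableRegedit and the O17 resolvers), three persisted (the sdra64.exe entry in UserInit, the yafofohot rundll32 autorun and AppInit_DLLs) and one new entry (Security Guard). An entry that persists across a registry-level fix and a reboot means something still running restored it, which is the point at which HijackThis on its own has reached its limit and a scanner that removes the files and stops the process is needed, as the next reply in the thread moves towards.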

Re: Please Help - Hijack This Log

Post by Belahzur on 1st April 2010, 11:25 pm

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't surprise me at all...
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: [You must be registered and logged in to see this link.]
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.
Then we'll start from there, because otherwise it really makes no sense to clean this up manually if there is no Antivirus present that should be able to deal with most of it and prevent further reinfection.



Re: Please Help - Hijack This Log

Post by katkittypro on 2nd April 2010, 9:15 pm

Dad’s Computer “User Protection” Virus
GeekPolice Forum
“Please Help – HijackThis Log” Post #3 (Response to Response #2)

No, my dad does have an Anti-Virus program installed that periodically scans his computer. Also, when he is working on his computer, it runs in the background making sure viruses or other threats don’t infect his computer, but somehow this one got through.

As far as installing the anti-virus program that you suggested, I wish I could. As stated earlier, I wasn’t able to install the Malwarebytes' Anti-Malware program that I downloaded from another thread in this forum (by using another computer and putting it on a flash drive). I can’t even get the anti-virus program on his computer to start up and scan his computer. That’s the problem: for the most part, I can’t get anything to run except opening “My Computer” and the flash drive. I was really surprised that I was able to run HijackThis, get the log and even save it.

So unfortunately I can’t do your suggestion about the anti-virus program. Are there any other suggestions on how I can go about fixing the computer? Please, Please.

Thank you,
Tracy


Re: Please Help - Hijack This Log

Post by Belahzur on 3rd April 2010, 12:27 am

Hello.
Sorry to say, but the machine DOESN'T have antivirus protection. Each AV has a service, and I'm not seeing any services related to AV software.



Re: Please Help - Hijack This Log

Post by katkittypro on 3rd April 2010, 2:20 am

I know he does have Ad-Aware and another one from Lavasoft. When I try to start/run them, with the virus on the computer, it acts like they don't exist. For example, say you deleted a program through "Add/Remove Programs" but after it has been deleted there is still the icon for it on the desktop, and when you try to open it, you get an error message. That is how it is for almost everything on his computer.
I really appreciate you taking the time to review my HijackThis log and your help with this. I talked to my dad about it, and I suggested that he ask my brother to look at his computer, since he knows a lot about computers but can be stubborn about helping others, or he could take it to Best Buy and have the Geek Squad look at it and try to fix it. I think that since there is a good chance that there are multiple areas of the computer that are damaged, it might be easier and quicker for someone to physically look at it instead of me (with only basic computer knowledge) trying to type a post explaining things, then waiting up to 24 hours (thank you for the quick responses), then trying to follow the suggestions, then typing another post and so forth. So, my dad is going to try and get my brother to look into it, and if my brother is being a jerk about it, my dad will take it to the Geek Squad.

Thank you for all your help, you have been great.
Take Care,
Tracy
