Old 12-08-2010, 04:35 PM   #11
dosraider
Dismembered.
Join Date: Aug 2007
Location: Dixmuide, Belgium
Posts: 2,767

Pretty hopeless, isn't it _r.u.s.s. ?

Sometimes I forget it's useless to try to help some peeps, and post even if I should know by now they are beyond any help you can offer them.

Ah well, sad but true.



....walks away .......
__________________

Not a member of The Victorious People's Shoutbox Liberation Army.
Not a member of the GAG Guerrilla. Don't get A Grip!
FOR RENT
*Advertising space*
Old 12-08-2010, 06:14 PM   #12
Kuisoon11
Newbie
Join Date: Jul 2010
Posts: 20

Trying this in parts.. won't let me post a whole thing :\

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:44:33 PM, on 8/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSour...ctid=CT2535290
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Softonic-Eng7 Toolbar - {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - C:\Program Files\Softonic-Eng7\tbSof1.dll
R3 - URLSearchHook: Messenger Plus Live CA-EN Toolbar - {437c4386-9237-441f-a940-009430030ee0} - C:\Program Files\Messenger_Plus_Live_CA-EN\tbMes1.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Softonic-Eng7 Toolbar - {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - C:\Program Files\Softonic-Eng7\tbSof1.dll
O2 - BHO: Messenger Plus Live CA-EN Toolbar - {437c4386-9237-441f-a940-009430030ee0} - C:\Program Files\Messenger_Plus_Live_CA-EN\tbMes1.dll
O2 - BHO: UrlHelper Class - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - C:\Program Files\iMesh Applications\MediaBar\DataMngr\IEBHO.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Bandoo IE Plugin - {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - C:\Program Files\Bandoo\Plugins\IE\ieplugin.dll
O3 - Toolbar: Softonic-Eng7 Toolbar - {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - C:\Program Files\Softonic-Eng7\tbSof1.dll
O3 - Toolbar: Messenger Plus Live CA-EN Toolbar - {437c4386-9237-441f-a940-009430030ee0} - C:\Program Files\Messenger_Plus_Live_CA-EN\tbMes1.dll
O4 - HKLM\..\Run: [wvwxyasys] rundll32.exe "jkhebx.dll",DllRegisterServer
O4 - HKLM\..\Run: [efdcdddrv] rundll32.exe "efddcb.dll",s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [tuvwusdrv] rundll32.exe "efddcb.dll",s
O4 - HKUS\S-1-5-18\..\Run: [opopnosys] rundll32.exe "jkhebx.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [wmsdk64_32.exe] C:\WINDOWS\TEMP\wmsdk64_32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ljkljkdrv] rundll32.exe "efddcb.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [opopnosys] rundll32.exe "jkhebx.dll",DllRegisterServer (User 'Default user')
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sarah\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5483.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
(why won't it let me post this T___T)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1169245842125
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphoto.com/download/HPSWUpdate.ocx
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll (file missing)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll (file missing)
O20 - AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 7552 bytes

There is one line that it just will not let me post :S hold on I'll figure something out

I can't seem to post the rest at the moment... it keeps saying the server gets restarted or something *sigh* stupid technology

I ran Autoruns and Process explorer but I have no clue what I'm looking for in those logs ...

I also tried to download Microsoft Security Essentials like you said, but when I try to download it I get a command prompt message saying "program is too big to fit in memory" :S

And if this is any help, one of the error reports is called "dr watson postmortem debugger error". Some people say it's nothing, some say it's a virus, but I don't know; it pops up numerous times while I'm on the computer, even the moment I start up before I do anything it pops up. Hope that helps some maybe :S

Oh and I ran my scan in safe mode but stuff's still going wrong. I notice it seems to keep finding the same viruses over and over even though it says it fixes them... I should have written them down for you; next scan I will!

Sorry for being so helpless guys

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)

(I had to delete the website listed to let me post this :\)

Last edited by The Fifth Horseman; 12-08-2010 at 06:34 PM. Reason: One Post is enough not 7!!!!! -.-
Old 12-08-2010, 06:48 PM   #13
The Fifth Horseman
FUTURE SCIENCE BASTARD
Join Date: Oct 2004
Location: Opole, Poland
Posts: 14,276

Quote:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
http://forums.malwarebytes.org/index...dpost&p=169492
Quote:
O4 - HKUS\S-1-5-18\..\Run: [wmsdk64_32.exe] C:\WINDOWS\TEMP\wmsdk64_32.exe
NO LEGIT SOFTWARE autoruns from the \TEMP directory. Remove entry. Boot into Safe Mode. Delete the file or rename it.
Quote:
O4 - HKLM\..\Run: [efdcdddrv] rundll32.exe "efddcb.dll",s
O4 - HKCU\..\Run: [tuvwusdrv] rundll32.exe "efddcb.dll",s
O4 - HKUS\S-1-5-18\..\Run: [ljkljkdrv] rundll32.exe "efddcb.dll",s (User 'SYSTEM')
Malware >> http://www.superantispyware.com/malw...JGGGF.DLL.html
Remove entry. Boot into Safe Mode. Delete or rename the file.
Quote:
O4 - HKLM\..\Run: [wvwxyasys] rundll32.exe "jkhebx.dll",DllRegisterServer
O4 - HKUS\S-1-5-18\..\Run: [opopnosys] rundll32.exe "jkhebx.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [opopnosys] rundll32.exe "jkhebx.dll",DllRegisterServer (User 'Default user')
Malware >> http://www.prevx.com/filenames/X3341...YWXYV.DLL.html http://www.prevx.com/filenames/40688...VWUVT.DLL.html
Remove entry. Boot into Safe Mode. Delete or rename the file.

Note: The removal should be done simultaneously. So should be deletion. Some of those assholes have a tendency to come back if even only one of their files was left on your system (been there when cleaning malware from a PC at work in 2008)
__________________

"God. Can't you people see I'm trying to commit a crime against science and nature here?"
-- Reed Richards
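The three red flags the reply above pulls out of the HijackThis log (an autorun launched from a \TEMP directory, rundll32 loading a DLL given only by bare name, and a ProxyServer value pointing the browser at 127.0.0.1) as a small triage script. This is an added example written for this thread, not code from the poster or from HijackThis; the sample lines are constructed from the entries quoted above and the regexes assume HijackThis's usual O4/R1 line layout.

```python
import re

# Constructed sample lines modelled on the entries quoted in the thread (not a real log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [wvwxyasys] rundll32.exe "jkhebx.dll",DllRegisterServer
O4 - HKUS\S-1-5-18\..\Run: [wmsdk64_32.exe] C:\WINDOWS\TEMP\wmsdk64_32.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 autorun entry: hive, entry name in brackets, then the command line.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$')
# rundll32.exe "name.dll",Export (quotes optional); captures the DLL argument.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)$")


def triage_line(line):
    """Return a reason if the line matches one of the thread's red flags, else None."""
    line = line.strip()
    if line.startswith(("R0 -", "R1 -")):
        _key, _, rest = line.partition(",")
        value, _, data = rest.partition(" = ")
        if value.strip() == "ProxyServer" and "127.0.0.1" in data:
            return "browser traffic proxied through localhost: " + data
        return None
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = USER_SUFFIX_RE.sub("", m.group("cmd"))  # drop the "(User 'SYSTEM')" annotation
    if "\\temp\\" in cmd.lower():
        return "autorun from a TEMP directory: " + cmd
    r = RUNDLL_RE.match(cmd)
    if r and "\\" not in r.group("dll"):
        return "rundll32 loading a DLL by bare name, no path: " + r.group("dll")
    return None


def triage_log(text):
    """Run triage_line over every line; return [(line, reason), ...] for the hits."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

A hit only means "look at this entry"; the thread's next step (checking the file name against a malware database and removing the entry and file together) is still manual.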
Old 12-08-2010, 11:31 PM   #14
Kuisoon11
Newbie
Join Date: Jul 2010
Posts: 20

Oh thank you! Thanks to everyone. It seems the situation has been cleared. All the random system errors have stopped and iexplore.exe has stopped running. I'm very glad thank you again
Old 13-08-2010, 08:24 AM   #15
The Fifth Horseman
FUTURE SCIENCE BASTARD
Join Date: Oct 2004
Location: Opole, Poland
Posts: 14,276

That doesn't mean your system is clean yet.
Make another scan with Spybot and HijackThis, possibly also with another anti-malware/anti-virus program. If nothing shows up, then the problem is most likely solved.

Also, use pastebin for the new log: http://pastebin.com/
Old 16-08-2010, 05:19 AM   #16
Kuisoon11
Newbie
Join Date: Jul 2010
Posts: 20

Forgive me guys, a new problem arose... please view my new thread for details since it is quite unrelated and different to my previous problem. I thought a new thread would help attract people who knew how to fix my new problem, otherwise I would have just posted it here. Sorry for all the trouble I'm causing
Old 23-09-2010, 05:04 PM   #17
KrazeeXXL
BORG
Join Date: Feb 2009
Location: Dog City, Cayman Islands
Posts: 107

Quote:
Originally Posted by Wicky
It's unavoidable that windows becomes slower after a long time. Sometimes you just have to reinstall it fresh.
In the case of a serious infection this statement is a pure mirage.
Just to be sure you should check your MBR.
If it is infected you're in deep trouble and even a complete reinstallation won't help.

Try Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

A nice and easy to use tool is System Explorer. My biggest requirement for an advanced task manager was that it forces itself to the foreground in no time no matter what. But I'm impressed by this piece of software. It's quite a bit better than Process Explorer imho.

If you got a process you don't know about you can simply send it to virustotal.com. It then checks the checksum and in most cases this file was scanned b4 and you also get comments from other users about this file, whether it is a threat or not. Can be helpful in lots of cases. Especially when you got 5 similar looking svchost.exe running

edit: check the incoming and outgoing traffic with your firewall or specialized programs. When there's an svchost.exe listed as outgoing you can be sure that you got malware on your PC

Last edited by KrazeeXXL; 29-09-2010 at 08:58 PM.