#1
10-19-2006
hickoryboyz
Bronze Member
Join Date: Oct 2006
Posts: 6

[Resolved] Log

unable to install any spyware removal tools - adaware, spybot, etc.

Logfile of HijackThis v1.99.0
Scan saved at 3:34:47 PM, on 10/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\services\wmplayer.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\xeyswj.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
E:\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\imapi.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Beth\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = PC Help Forum.com - Computer Tech Support
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Beth\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mfr.mlxchange.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {34B115B2-8250-DCA2-0EE7-F64A3DD7F391} - C:\WINDOWS\System32\ugowkugl.dll
F3 - REG:win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {17F9442D-C010-08BD-D354-625508A67F48} - C:\WINDOWS\System32\rgwaqk.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {34B115B2-8250-DCA2-0EE7-F64A3DD7F391} - C:\WINDOWS\System32\ugowkugl.dll
O2 - BHO: (no name) - {466B64B2-2512-4D1E-B6AA-C3741F4CB68B} - C:\WINDOWS\System32\eiid.dll (file missing)
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll
O2 - BHO: sr - {5742F79A-1D91-42c4-990C-B46CF55A6478} - C:\WINDOWS\setfgi.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Beth\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [LyFGaBw] C:\WINDOWS\xeyswj.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/2.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/20647/online.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {1EE6C4A6-798C-7AA6-445B-53772C154885} - http://82.179.166.72/1/gdnUS208.exe
O16 - DPF: {2FB3C3A5-3254-0D45-AF54-5DA00FC77EF2} - http://82.179.166.72/1/gdnUS208.exe
O16 - DPF: {642BA6B5-BAA6-6035-3442-13CE56164F59} - http://82.179.166.72/1/gdnUS208.exe
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {7295B2D3-56CD-7C5B-ADB9-184C3DBE87F5} - http://82.179.166.72/1/gdnUS208.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - converting top ten tank countertops at topconverting.com
O16 - DPF: {7EBA6D58-EB2D-46F4-A363-10C4DF50B907} (SCORMAPIDLL.API) - http://www.bertrodgers.com/alp_brs_v...CORMAPIDLL.CAB
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalphon.com/dialer/int...onale_ver4.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
O18 - Filter: text/plain - {D21A3C32-82CB-43D2-AA55-6DAB9B800567} - C:\WINDOWS\System32\eiid.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: HP Configuration Interface Service - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

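A quick way to read a log like the one above without knowing every entry type by heart, as an added example (it is not part of the original post and not HijackThis's own code): parse the R/F/O lines and flag the patterns that stand out in this particular log, namely components loaded from a user Temp folder, registered components whose file is missing, O16 ActiveX downloads from a bare IP address or a local file:// path, O4 Run entries that go through rundll32 or point at a file dropped straight into C:\WINDOWS, and any O18 MIME filter. The sample lines are a constructed subset copied from the log above; the heuristics, the function names and the SAMPLE_LOG name are this example's own assumptions.

```python
import re

# Constructed subset of the HijackThis log posted above (added example data,
# not the full log). Raw string so the Windows paths keep their backslashes.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Beth\LOCALS~1\Temp\se.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {17F9442D-C010-08BD-D354-625508A67F48} - C:\WINDOWS\System32\rgwaqk.dll (file missing)
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Beth\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [LyFGaBw] C:\WINDOWS\xeyswj.exe
O16 - DPF: {1EE6C4A6-798C-7AA6-445B-53772C154885} - http://82.179.166.72/1/gdnUS208.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
O23 - Service: HP Configuration Interface Service - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
"""

# HijackThis entry lines look like "O4 - <body>"; header and process lines do not.
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.+)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)               # ...\LOCALS~1\Temp\...
WINROOT_EXE_RE = re.compile(r"c:\\windows\\[^\\\s]+\.(exe|dll)\b", re.IGNORECASE)  # file directly in C:\WINDOWS
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
RUNDLL_RE = re.compile(r"rundll32(\.exe)?\s", re.IGNORECASE)


def parse_entries(log_text):
    """Return (type, body) tuples for every HijackThis entry line; header/process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def reasons_for(entry_type, body):
    """Heuristic red flags for one entry (these are this example's own rules); empty list means nothing stood out."""
    reasons = []
    if TEMP_RE.search(body):
        reasons.append("component loaded from a user Temp directory")
    if "(file missing)" in body:
        reasons.append("registered component whose file no longer exists")
    if entry_type == "O16":
        m = URL_HOST_RE.search(body)
        if m and IPV4_RE.match(m.group(1)):
            reasons.append("ActiveX download from a bare IP address")
        if "file://" in body.lower():
            reasons.append("ActiveX 'download' from a local file path")
    if entry_type == "O4":
        if RUNDLL_RE.search(body):
            reasons.append("Run entry uses rundll32 to load a DLL")
        if WINROOT_EXE_RE.search(body):
            reasons.append("Run entry points to a file placed directly in the Windows directory")
    if entry_type == "O18":
        reasons.append("MIME filter intercepts every page IE renders; verify the DLL")
    return reasons


def triage(log_text):
    """Return a list of {'type', 'body', 'reasons'} dicts for the entries worth a second look."""
    flagged = []
    for entry_type, body in parse_entries(log_text):
        reasons = reasons_for(entry_type, body)
        if reasons:
            flagged.append({"type": entry_type, "body": body, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['type']}: {hit['body']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

On the sample above this flags seven of the ten entries and leaves the Adobe BHO, the HP service and the drsnsrch.com search entry alone. Not being flagged is not a clean bill of health (that search URL is still a hijack); the point is only to separate the obvious junk from the entries that need looking up.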

#2
10-20-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044

Hi there Hickoryboyz, welcome to PCHF.


Your pc is very heavily infected, and it would probably be better and faster to format and reinstall Windows than to spend a lot of time cleaning it all up.

Is that an option for you, to reinstall windows? Or do you want to try and clean it anyway?


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#3
10-20-2006
hickoryboyz
Bronze Member
Join Date: Oct 2006
Posts: 6

Thanks

Thanks for the reply. I kinda figured that and I'm doing this for a friend, so yes, that is an option and definitely what I'm going to do. Thanks. I just didn't know anything about or how to read HijackThis logs. Good to have confirmation. I'm actually right now using a UBCD for Windows to clean some things; after these cleans I'm going to reboot to see what all is fixed. I'll give it another hour and then I'm reformatting if it isn't drastically better. Later.


#4
10-20-2006
hickoryboyz
Bronze Member
Join Date: Oct 2006
Posts: 6

HJT Log

Attached: hjtlog10_20.txt (4.5 KB)


#5
10-22-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044

It's looking a bit better, but it is still a big mess I'm afraid.

If you want to clean it up then let's start with these:


Step 1. Download AboutBuster 6.0 and unzip it to your desktop.
Step 2. Boot your machine into safe mode (Optional step), recommended.
Step 3. Run AboutBuster 6.0 and select "Begin Removal". Make sure you click "Yes" to every message box that appears.
Step 4. Restart your computer and run AboutBuster one final time.




Please download AVG Anti-Spyware 7.5 (30 day free trial)
  • Install AVG Anti-Spyware.
  • Double-click the icon on Desktop to launch AVG Anti-Spyware.
  • Then on the top of the Status screen click on Shield.
  • Click the word active to change it to inactive.
  • You will need to update AVG Anti-Spyware to the latest definition files.
  • On the top of the main screen click Update.
  • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
  • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Again right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Anti-Spyware:
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.


When you have finished updating, EXIT AVG Anti-Spyware.
Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.
  • In Safe Mode,run AVG Anti-Spyware.
  • Click Scanner.
  • Click on the Scan tab.
  • Click Complete System Scan to begin scanning.
  • When the scan is complete click on Custom (Next to "Set all elements to:") and change it to Quarantine.
  • Then click Apply all actions.
Once finished, click the Save report button, then click Save Report As. This will create a text file.
Make sure you save it where you know to find it again (like on the Desktop).

The default location for the "report log" is the C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports folder.
(assuming of course your OS is in C:\)


Restart back into Normal Mode.



If AVG Anti-Spyware crashes or hangs:

If during your scan AVG Anti-Spyware "crashes" or "hangs", please try scanning again. Before running the scan, click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'. Uncheck 'Scan in NTFS Alternate Data Streams' as this can cause problems in overly infected systems. And then run a new scan.



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously, the AVGas log, and a new HJT log in your next reply.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


All Graphics & Content Copyright © 2004-2008 - PC Help Forum.com