Hijackthis Log [Please Help]

Discussion in 'Computer Support' started by dbru, Nov 9, 2004.

  1. dbru

    dbru Guest

    Hello, my PC got hit hard with some virus crap. There are several files that
    copied themselves to my desktop and I can't delete them, because it says
    they're read/write only. The files are...

    ploint.exe
    m00.exe.1
    winln.exe
    sipot.exe
    madopew.dll
    vcsystem.exe
    fierm.exe

    I've run the current Ad-Aware, Spybot, About Buster and CWShredder, and some
    of those find tons of files, but none seem to take care of the problem. I've
    also run Hijackthis, but don't know which files to delete for sure; I took
    out the ones with the above file names, but some seem to reappear. Please
    help if you can... Here is my log file from Hijackthis... Thank you

    Logfile of HijackThis v1.98.0
    Scan saved at 5:29:56 PM, on 11/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\scagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
    C:\documents and settings\derek brubaker\desktop\vcsystem.exe
    C:\documents and settings\derek brubaker\desktop\winln.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\waqwqm.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
    C:\MyTemp\Misc\HijackThis.exe

    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [rmptrxs] C:\WINDOWS\System32\waqwqm.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
     
    dbru, Nov 9, 2004
    #1

  2. PhEaSaNt PLuCKeR

    copy all the shit to a temp dir

    then go into dos and delete em

    use safe mode if you have to.
     
    PhEaSaNt PLuCKeR, Nov 10, 2004
    #2

  3. mark mandel

    mark mandel Guest

    Copy this to a PERMANENT folder and then post it over at www.pcguide.com
    where one of the really informed geeks will give you a thorough checkup on
    it.
     
    mark mandel, Nov 10, 2004
    #3
  4. dbru

    dbru Guest

    Thanks for the suggestions. The only problem I worry about with deleting
    them is that I have a feeling there are other files in my Windows folders
    that need deleting also, but I'm unsure which ones. In the past I thought I
    took care of the problem, but it just kept coming back to haunt me, till I
    found the .exe file hidden deep in a folder and deleted it. Thanks for the
    help. I'm going to keep working...


     
    dbru, Nov 10, 2004
    #4
  5. dbru

    dbru Guest

    Ok, I think I fixed it... Had to boot in Safe Mode to delete the files, then
    run my virus programs to fix it. Seems ok now though. Thanks for the help...


     
    dbru, Nov 10, 2004
    #5
  6. Ralph Wade Phillips

    Howdy!

    Stop these two.

    Then delete the files.

    General rule: If it's in "Documents and Settings" ANYTHING whack it
    out.
    Uninstall EbatesMoeMoneyMaker from Add/Remove Programs, then run
    CWShredder in "Safe" mode, followed by Ad-Aware in "Safe" mode followed by
    Spybot in "Safe" mode, followed by HiJackThis and create a new log file, all
    in safe mode.

    Again, from Safe mode, kill these from within HiJackThis then delete
    the files themselves.

    The others? I'd google for - there's a metric buttload that I just
    don't recognize.

    RwP
     
    Ralph Wade Phillips, Nov 10, 2004
    #6
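A defensive triage pass over the HijackThis log format used in this thread, added here as an example that is neither from the thread nor from HijackThis itself: it parses the Running processes list and the O-entries from post #1's log layout, applies Ralph's "Documents and Settings" rule, and adds two checks of my own (orphaned "(no file)" entries and O18 text/html filter hooks). The function names, and the trimmed sample log, are my own constructions.

```python
# Constructed excerpt in the shape of the HijackThis v1.98 log posted above (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\documents and settings\derek brubaker\desktop\vcsystem.exe
C:\WINDOWS\System32\waqwqm.exe

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [rmptrxs] C:\WINDOWS\System32\waqwqm.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
"""
PROFILE_DIR = "\\documents and settings\\"  # Ralph's rule: launched from a profile = suspect

def parse_log(text):
    """Split a log into running-process paths and (section, body) O-entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif line[:1] == "O" and line.partition(" - ")[0][1:].isdigit():
            entries.append(line.partition(" - ")[::2])  # ('O4', 'HKLM\\..\\Run: ...')
        elif in_procs:
            processes.append(line)
    return processes, entries

def entry_target(section, body):
    """File an entry points at: O4 is '[name] path args', others end in 'GUID - path'."""
    if section == "O4" and "]" in body:
        rest = body.split("]", 1)[1].strip()
        if rest.startswith('"'):  # quoted path, arguments follow the closing quote
            return rest[1:].split('"', 1)[0]
        return rest.split(" -")[0].split(" /")[0]  # unquoted path, -x or /x arguments
    return body.rsplit(" - ", 1)[-1].strip()

def triage(text):
    """(reason, line) findings; the (no file) and O18 checks are my own assumptions."""
    processes, entries = parse_log(text)
    findings = [("process running from a user profile", p) for p in processes if PROFILE_DIR in p.lower()]
    for section, body in entries:
        target, line = entry_target(section, body), f"{section} - {body}"
        if PROFILE_DIR in target.lower():
            findings.append(("autostart or hook pointing into a user profile", line))
        elif target == "(no file)":
            findings.append(("orphaned entry, target missing", line))
        elif section == "O18":
            findings.append(("text/html filter hook, verify the DLL", line))
    return findings
```

Run `triage(SAMPLE_LOG)` to see the three hits; entries that look legitimate (the NeroCheck Run key, waqwqm.exe in System32) are left for manual lookup, as Ralph suggests.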
  7. Bill P

    Bill P Guest

    You could copy and paste the log here:-

    http://hijackthis.de/index.php?langselect=english

    and follow the instructions.
    Regards
    Bill

     
    Bill P, Nov 10, 2004
    #7
