Hjackthis exe

Author: d | 2025-04-25


HjackThis Log on Windows 98 - posted in Virus, Spyware Malware Removal: I run the HjackThis tool to discover the cause of a black screen with little red stripes that


Hjackthis VIRUS report - forums.commentcamarche.net

Hjackthis Log - posted in Virus, Trojan, Spyware, and Malware Removal Help: My computer has begun to have problems in the last 2 days or so. I have a series of .exe

Remover. Save it in the same folder you made earlier (c:\BFU).
Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, open Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

#9 jwoo0414 Posted 23 May 2006 - 03:38 PM

Ewido just found an infection called: Worm.Monikey.m it is located in C:\windows\TEMP the file is called pol3E40.tmp

#10 RiP Posted 23 May 2006 - 03:39 PM

Hello, jwoo0414. It looks like we posted at the same time, I just posted instructions for you

#11 jwoo0414 Posted 23 May 2006 - 04:27 PM

The scan is almost done! Sorry it's taking sooo long....for some reason Ewido takes like an hour to complete

#12 jwoo0414 Posted 23 May 2006 - 05:37 PM

Ok sorry.....went to go check on the scan and it somehow shut off the computer....not sure what is going on but I will try it again. Is there a way to speed up the scan? I'll post my HijackThis log asap. Sorry for holding you up....may need to take a break in between but I will post as soon as I can

#13 jwoo0414 Posted 23 May 2006 - 07:02 PM

I followed all the steps but am unable to run HijackThis now! It's disabled my antivirus stuff as well....however I was able to run XOFTspy and it said it quarantined a number of problems that I knew were there and hopefully it has removed them....I'm trying to restart and run HijackThis.....here is my ewido log ....a side note I renamed one of the fixed files.

Comments

User6965

And I don't want to risk further infection. I have unplugged the internet cable. Thank you for your help!

#2 RiP Posted 23 May 2006 - 02:59 PM

Hello, jwoo0414.

I need you to do the following for me:

Since you don't have internet access on the infected computer, you're going to need to transfer the files via usb, cd, floppy, etc...

Please download WinsockFix here and do the following:
Click the "ReG-Backup" button and follow the prompts.
Click the "Fix" button and restart your computer.

Click the START button > Select Run > type in "msconfig" (without the quotes) and press OK > Select Normal Startup - load all device drivers and services > Then click Apply and then OK. It will give you two options: Restart and Exit Without Restart, select Restart.

Then please post back with a new HijackThis log.

#3 jwoo0414 Posted 23 May 2006 - 03:02 PM

Do I do all of this in safe mode or regular?

#4 jwoo0414 Posted 23 May 2006 - 03:03 PM

Do I do all of this in safe mode or regular?

#5 jwoo0414 Posted 23 May 2006 - 03:23 PM

Here's my latest HijackThis log file. Looks like the sucker is still there errrrr

2025-04-15
User1668

Wintrust.dll
regsvr32.exe /s initpki.dll
regsvr32.exe /s dssenh.dll
regsvr32.exe /s rsaenh.dll
regsvr32.exe /s gpkcsp.dll
regsvr32.exe /s sccbase.dll
regsvr32.exe /s slbcsp.dll
regsvr32.exe /s cryptdlg.dll
regsvr32.exe /s Urlmon.dll
regsvr32.exe /s Oleaut32.dll
regsvr32.exe /s msxml2.dll
regsvr32.exe /s Browseui.dll
regsvr32.exe /s shell32.dll
regsvr32.exe /s Mssip32.dll
regsvr32.exe /s atl.dll
regsvr32.exe /s jscript.dll
regsvr32.exe /s msxml3.dll
regsvr32.exe /s softpub.dll
regsvr32.exe /s wuapi.dll
regsvr32.exe /s wuaueng.dll
regsvr32.exe /s wuaueng1.dll
regsvr32.exe /s wucltui.dll
regsvr32.exe /s wups.dll
regsvr32.exe /s wups2.dll
regsvr32.exe /s wuweb.dll
regsvr32.exe /s scrrun.dll
regsvr32.exe /s msxml6.dll
regsvr32.exe /s ole32.dll
regsvr32.exe /s qmgr.dll
regsvr32.exe /s qmgrprxy.dll
regsvr32.exe /s wucltux.dll
regsvr32.exe /s muweb.dll
regsvr32.exe /s wuwebv.dll
REM reset winsock
netsh winsock reset
REM reset proxy
netsh winhttp reset proxy
REM restart services
sc.exe config wuauserv start= auto
sc.exe config bits start= delayed-auto
sc.exe config cryptsvc start= auto
sc.exe config TrustedInstaller start= demand
sc.exe config DcomLaunch start= auto
net start bits
net start wuauserv
net start appidsvc
net start cryptsvc
REM Install the latest Windows Update Agent.
REM start

2025-04-15
