Alright, well, I will walk you through the log as I see it. Then Osiris can tell me if I am right or not.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe<-- AOL
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe<--AVG
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe<--McAfee
c:\program files\mcafee.com\agent\mcdetect.exe<--Mcafee
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS<--PrismXL Update software
C:\WINDOWS\Explorer.EXE<--Windows Explorer
C:\WINDOWS\system32\igfxtray.exe<--IGFXtray Intel GFX Tray Icon
C:\WINDOWS\system32\hkcmd.exe<--Intel Multimedia Device
C:\WINDOWS\zHotkey.exe<--Chicony Keyboard Utility
C:\Program Files\Digital Media Reader\shwiconem.exe<--Card reader
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe<--More McAfee
C:\WINDOWS\SOUNDMAN.EXE<--RealTek SoundMAX Driver
C:\WINDOWS\ALCWZRD.EXE<--More RealTek Driver Components
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe<--Java
C:\Program Files\MSN Messenger\msnmsgr.exe<--Msn Messenger
C:\Program Files\AT&T\WnClient\Programs\WNConnect.exe<--AT&T Connect
C:\PROGRA~1\AT&T\WnClient\Programs\WNCSMS~1.EXE<--More AT&T stuff
C:\Program Files\Starcraft\StarCraft.exe<--Starcraft Game
C:\WINDOWS\system32\svchost.exe<--Windows process
C:\Program Files\Mozilla Firefox\firefox.exe<--Firefox
C:\Program Files\MSN Messenger\usnsvc.exe<--MSN Messenger Utility
C:\Documents and Settings\Owner\My Documents\Masterfolder\Great folder\HijackThis.exe<-- HijackThis
So far nothing out of the ordinary. That all looks good. Except for the McAfee and AVG being both installed.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AT&T<--AT&T
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer<--IE
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL<--Ask Toolbar
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll<-- AOL Toolbar
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll<--Google Toolbar
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL<--Ask Toolbar again
O4 - HKLM\..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe<--SoftThinks CD Creator
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE<--HP Recovery Partition protector
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe<--Universal Audio Architecture
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"<--AOL Spyware
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe<-- Nero
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"<--PowerDVD
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe<--Intel GFX Chip
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe<--Intel Multimedia Stuff
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe<--Chicony keyboard software
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe<--Chicony keyboard software
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe<--Card Reader
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe<--McAfee Agent
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe<--McAfee update agent
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe<--McAfee
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE<--Sound Utility
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE<--RealTek Audio
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE<--RealTek Event Monitor
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"<--Java again
O4 - HKLM\..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S<--Java Updater
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min<--FlashGet
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized<--AVG
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background<--MSN
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe<--Longhorn Clock
O4 - HKCU\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe<--Vista Sidebar
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe<--Vista Start Menu
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe<--Vista Orb
O4 - HKCU\..\Run: [TrueTransparency] "C:\Program Files\TrueTransparency\TrueTransparency.exe"<--Transparency
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe<--This is the problem!!
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe<--Adobe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe<--Update application
So I found the rogue entry. I missed it the first time. My bad. Restart into Safe Mode and remove that entry.
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm<--FlashGet
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm<--FlashGet
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll<--AOL Toolbar
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll<--AOL Toolbar
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll<--Real Player
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe<--FlashGet
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe<--FlashGet
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe<--MSN
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe<--MSN
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll<--Bonjour (Used with Safari Web Browser or Apple products such as iTunes)
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE4AF2E3-CC69-4F3F-B3A5-3B8052C1A991}: NameServer = 12.102.240.2 204.127.160.4<--This could be an issue as well. Unless you know of the Tcpip service setup.
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL<--MSN Livecall
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL<--MSN IM
O20 - AppInit_DLLs: cru629.dat<--Other piece of rogue malware
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe<--Adobe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)<--Application Layer Gateway
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe<--AOL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe<--AVG
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe<--Bonjour
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe<--Macrovision
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe<--Google Updater
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe<--McAfee Antispyware
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe<--McAfee
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)<--McAfee
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe<--McAfee
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS<--Prism
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)<--nothing here. This can be removed.
So I found the 2 entries I previously missed. I am sorry. You were right. I did miss them.
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O20 - AppInit_DLLs: cru629.dat
Those need to be removed. Try to do it from Safe Mode. Also run ComboFix.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
That might remove them. Osiris will be able to tell you how to get rid of them for sure. But I found them at least. Without him having to tell me I was wrong.
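
An added example, not part of the post above: a small triage pass over HijackThis entry lines that surfaces the kinds of entries the walkthrough singles out (a per-user Run value starting a file in system32, a non-empty AppInit_DLLs, a registry-set NameServer, a service with a missing file). The rules are illustrative assumptions modelled on those entries, not HijackThis's own logic or the poster's method; the sample is a subset of the log lines quoted in the post, with the `<--` annotations stripped.

```python
import re

# Sample input: entry lines copied from the log in the post, annotations removed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE4AF2E3-CC69-4F3F-B3A5-3B8052C1A991}: NameServer = 12.102.240.2 204.127.160.4
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
"""

# "<section code> - <body>", e.g. "O4 - HKCU\..\Run: [name] command"
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def review_points(code, body):
    """Return the reasons (possibly none) to look at this entry by hand."""
    reasons = []
    run = RUN.match(body) if code == "O4" else None
    # Assumed rule: drivers and OS components normally autostart from HKLM,
    # so a per-user Run value pointing into system32 deserves a second look.
    if run and run["hive"] == "HKCU" and "\\system32\\" in run["cmd"].lower():
        reasons.append("per-user Run value starts a file in system32")
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        if body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is not empty")
    if code == "O17" and "NameServer" in body:
        reasons.append("NameServer set in registry; confirm it is expected")
    if code == "O23" and body.endswith("(file missing)"):
        reasons.append("service points at a missing file")
    return reasons

def triage(log_text):
    """Parse entry lines and return [(code, body, reasons)] for flagged ones."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # running-process list, blank lines, commentary
        reasons = review_points(m["code"], m["body"])
        if reasons:
            flagged.append((m["code"], m["body"], reasons))
    return flagged

if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {body}\n    -> " + "; ".join(reasons))
```

A flag here only means "review by hand"; it says nothing about whether the file is malicious.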