Major problems, please Help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by the_BALD_guy, Nov 22, 2004.

  1. the_BALD_guy

    the_BALD_guy Private E-2

    I am running windows xp pro with sp1, AntiVir 6, and Spywareblaster. I run Spybot S&D, and AdawareSE on a daily basis. I have tried everything on the READ ME FIRST BEFORE ASKING FOR SUPPORT tutorial but I am still having problems. I am stumped. Does anyone have any suggestions?
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Bald Guy,

    It looks like you've pretty much exhausted the Tutorial's options.

    Please go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Send us a log and we'll go from there ;) I'll try to check back when I get a chance. Note that I have a lot of threads ahead of yours and very little free time these days. Please be patient :) Our resident expert Chaslang will be back in a day or so and we'll be able to get caught up!

    Best,
    PP
     
  3. the_BALD_guy

    the_BALD_guy Private E-2

    Hey PhilliePhan, I appreciate your support. I've been struggling with this for three days and my brain is fried. The HijackThis log is attached if somebody can take a look at it. Once again thanks for the help......bald
     


  4. Kodo

    Kodo SNATCHSQUATCH

    Did you try the alternate scans listed at the bottom of our tutorial?
     
  5. the_BALD_guy

    the_BALD_guy Private E-2

    Yes, I tried Bitdefender and RavAntivirus, but I couldn't get the Trojanscan page to load.
    I can only get online in safe mode, and even then I can only stay on for 5 min. or so before Internet Explorer stops responding. Arghhhhhhhhh!
     
  6. Kodo

    Kodo SNATCHSQUATCH

  7. the_BALD_guy

    the_BALD_guy Private E-2

    Yes, I am using a-squared as well... however, when I try to run it today, the main screen comes up and when I click on the "scan my computer" icon, the program freezes.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a lot of problems indicated in your log, including an HSA hijacker and a load of trojans. When we finish fixing these problems you must go to Windows Update and get your OS updated. You are seriously out of date. I'm working your log now. It will take some time to go through. There are many problems.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After following my previous messages, do the below.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    systemwin32s.exe
    klsuicbn.exe
    SAI.exe
    mscl32.exe
    windowsXT.exe
    msrpc32.exe
    logfiles.exe
    wvsvc.exe
    sres32.exe
    iexplore.exe
    sysloger.exe
    WinTaskAd.exe
    acpiupd.exe
    WinSched.exe
    dasc.exe
    w?nlogon.exe
    msrpc32.exe
    windup.exe
    msnmsg.exe
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pcqxt.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pcqxt.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pcqxt.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
    O2 - BHO: BHO Class - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\ELITES~1\ELITES~1.DLL
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
    O4 - HKLM\..\Run: [Win32 USB2 Driver] winsnd32.exe
    O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] snbkqowua.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\lsltoxo.exe
    O4 - HKLM\..\Run: [Windows service] SAI.exe
    O4 - HKLM\..\Run: [WinAC v4] klsuicbn.exe
    O4 - HKLM\..\Run: [Microsoft WinJPG] msjp32.exe
    O4 - HKLM\..\Run: [MSWindows SysCl] mscl32.exe
    O4 - HKLM\..\Run: [x80] test.exe
    O4 - HKLM\..\Run: [blah service] windowsXT.exe
    O4 - HKLM\..\Run: [DarKNesS LsasS] LsasS2.exe
    O4 - HKLM\..\Run: [*windows update] wuacrlt.exe
    O4 - HKLM\..\Run: [Wlan Driver] avscan.exe
    O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
    O4 - HKLM\..\Run: [Microsoft MSGPLUS32 Protocol] msgplus32.exe
    O4 - HKLM\..\Run: [nternet Explorer] iexplore.exe
    O4 - HKLM\..\Run: [MS Remote Procedure Call] msrpc32.exe
    O4 - HKLM\..\Run: [winlogin.exe] C:\WINDOWS\logfiles.exe
    O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe
    O4 - HKLM\..\Run: [Starting up] wvsvc.exe
    O4 - HKLM\..\Run: [OEM32 Tools] sres32.exe
    O4 - HKLM\..\Run: [WindowsRegKey update] windup.exe
    O4 - HKLM\..\Run: [Internet Explorer] iexplore.exe
    O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kehjprcf.exe
    O4 - HKLM\..\Run: [Windows SYSLOG Manager] sysloger.exe
    O4 - HKLM\..\Run: [msn] msnmsg.exe
    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winmah32.exe
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [Microsoft ACPI Update] acpiupd.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] winsnd32.exe
    O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] snbkqowua.exe
    O4 - HKLM\..\RunServices: [Windows service] SAI.exe
    O4 - HKLM\..\RunServices: [WinAC v4] klsuicbn.exe
    O4 - HKLM\..\RunServices: [Microsoft WinJPG] msjp32.exe
    O4 - HKLM\..\RunServices: [MSWindows SysCl] mscl32.exe
    O4 - HKLM\..\RunServices: [x80] test.exe
    O4 - HKLM\..\RunServices: [blah service] windowsXT.exe
    O4 - HKLM\..\RunServices: [DarKNesS LsasS] LsasS2.exe
    O4 - HKLM\..\RunServices: [*windows update] wuacrlt.exe
    O4 - HKLM\..\RunServices: [Wlan Driver] avscan.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
    O4 - HKLM\..\RunServices: [Microsoft MSGPLUS32 Protocol] msgplus32.exe
    O4 - HKLM\..\RunServices: [nternet Explorer] iexplore.exe
    O4 - HKLM\..\RunServices: [MS Remote Procedure Call] msrpc32.exe
    O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe
    O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
    O4 - HKLM\..\RunServices: [OEM32 Tools] sres32.exe
    O4 - HKLM\..\RunServices: [WindowsRegKey update] windup.exe
    O4 - HKLM\..\RunServices: [Internet Explorer] iexplore.exe
    O4 - HKLM\..\RunServices: [Windows SYSLOG Manager] sysloger.exe
    O4 - HKLM\..\RunServices: [msn] msnmsg.exe
    O4 - HKLM\..\RunServices: [Microsoft ACPI Update] acpiupd.exe
    O4 - HKLM\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
    O4 - HKLM\..\RunOnce: [WinAC v4] klsuicbn.exe
    O4 - HKCU\..\Run: [Win32 USB2 Driver] winsnd32.exe
    O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] snbkqowua.exe
    O4 - HKCU\..\Run: [Aear] C:\Documents and Settings\-psycho-\Application Data\dasc.exe
    O4 - HKCU\..\Run: [Adj] C:\WINDOWS\System32\w?nlogon.exe
    O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
    O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
    O4 - HKCU\..\Run: [WinAC v4] klsuicbn.exe
    O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe
    O4 - HKCU\..\Run: [winsocksss] awm.exe
    O4 - HKCU\..\Run: [x80] test.exe
    O4 - HKCU\..\Run: [nternet Explorer] iexplore.exe
    O4 - HKCU\..\Run: [Microsoft MSGPLUS32 Protocol] msgplus32.exe
    O4 - HKCU\..\Run: [MS Remote Procedure Call] msrpc32.exe
    O4 - HKCU\..\Run: [Internet Explorer] iexplore.exe
    O4 - HKCU\..\Run: [Starting up] wvsvc.exe
    O4 - HKCU\..\Run: [OEM32 Tools] sres32.exe
    O4 - HKCU\..\Run: [WindowsRegKey update] windup.exe
    O4 - HKCU\..\Run: [msn] msnmsg.exe
    O4 - HKCU\..\Run: [Microsoft ACPI Update] acpiupd.exe
    O4 - HKCU\..\RunServices: [msn] msnmsg.exe
    O4 - HKCU\..\RunOnce: [WinAC v4] klsuicbn.exe
    O4 - HKCU\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchmiracle.com
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02f17d307e8cf5413820/netzip/RdxIE601.cab
    O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Emfnlg32.dll (file missing)


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\pcqxt.dll
    C:\WINDOWS\System32\systemwin32s.exe
    C:\WINDOWS\System32\klsuicbn.exe
    C:\WINDOWS\System32\SAI.exe
    C:\WINDOWS\System32\mscl32.exe
    C:\WINDOWS\System32\windowsXT.exe
    C:\WINDOWS\System32\msrpc32.exe
    C:\WINDOWS\logfiles.exe
    C:\WINDOWS\System32\wvsvc.exe
    C:\WINDOWS\System32\sres32.exe
    C:\WINDOWS\System32\iexplore.exe
    C:\WINDOWS\System32\sysloger.exe
    C:\Program Files\Windows TaskAd <--- delete the whole directory
    C:\WINDOWS\System32\acpiupd.exe
    C:\Documents and Settings\-psycho-\Application Data\dasc.exe
    C:\WINDOWS\System32\w?nlogon.exe
    C:\WINDOWS\System32\msrpc32.exe
    C:\WINDOWS\System32\windup.exe
    C:\WINDOWS\System32\msnmsg.exe
    C:\WINDOWS\System32\winsnd32.exe
    C:\WINDOWS\System32\snbkqowua.exe
    C:\WINDOWS\System32\lsltoxo.exe
    C:\WINDOWS\System32\msjp32.exe
    C:\WINDOWS\System32\test.exe
    C:\WINDOWS\System32\LsasS2.exe
    C:\WINDOWS\System32\wuacrlt.exe
    C:\WINDOWS\System32\avscan.exe
    C:\WINDOWS\System32\vpc32.exe
    C:\WINDOWS\System32\msgplus32.exe
    C:\WINDOWS\System32\
    C:\WINDOWS\logfiles.exe
    C:\WINDOWS\System32\kehjprcf.exe
    C:\windows\system32\winmah32.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
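The pattern chaslang's fix list relies on is visible in the O4, R1 and O15 entries above: autostart values that are bare filenames with no path (so Windows finds them by PATH search), the same binary registered under Run, RunServices and RunOnce at once, a `res://` search-page hijack, and sites added to the Trusted Zone. The following is an added example, not code from the thread or from HijackThis, that parses lines in the HJT 1.98 format and reports those four signs; the sample log is constructed from a handful of the entries quoted above, and the "executable ends at the first .exe" rule is an assumption of this script.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis 1.98 format, modelled on entries quoted
# in the thread above (only a handful of lines, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pcqxt.dll/sp.html#28129
O4 - HKLM\..\Run: [Windows service] SAI.exe
O4 - HKLM\..\RunServices: [Windows service] SAI.exe
O4 - HKLM\..\Run: [Internet Explorer] iexplore.exe
O4 - HKCU\..\Run: [Internet Explorer] iexplore.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O15 - Trusted Zone: *.searchmiracle.com
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[013] - .*= (?P<target>res://.+)$")   # res:// search/start page
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>.+)$")

def executable(cmd):
    """Assumption: the program part of an O4 value ends at the first '.exe'."""
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def analyze(text):
    """Return the four signs the thread's fix list is built on."""
    findings = {"bare": [], "multi": {}, "hijack": [], "trusted": []}
    locations = defaultdict(set)          # basename -> autostart keys it sits in
    for line in text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable(m["cmd"])
            base = exe.rsplit("\\", 1)[-1].lower()
            locations[base].add(f"{m['hive']}\\{m['key']}")
            if "\\" not in exe:           # no directory: resolved via PATH search
                findings["bare"].append((m["name"], exe))
            continue
        m = R_RE.match(line)
        if m:
            findings["hijack"].append(m["target"])
            continue
        m = O15_RE.match(line)
        if m:
            findings["trusted"].append(m["domain"])
    # Same binary under two or more of Run / RunServices / RunOnce (any hive)
    findings["multi"] = {b: sorted(k) for b, k in locations.items() if len(k) > 1}
    return findings

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind, items)
```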
     
