Can I post HJT file?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sodflyer, Sep 20, 2005.

  1. Sodflyer

    Sodflyer Private E-2

    Ran all of the scans except for Norton, as it would stall, and am now ready to post a HJT file if y'all let me. Thanks! Jeff.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have completed all of the steps in the READ ME, go ahead and post your HJT log as an attachment to your post.

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Sodflyer

    Sodflyer Private E-2

    Here it is.
     

  4. Sodflyer

    Sodflyer Private E-2

    Here it is with the new HJT program.
     

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, REBOOT INTO SAFE MODE!

    Once in Safe Mode double click the file sysclean.com. When the system cleaner loads, click SCAN to start the scanner. After you complete the scan, reboot back into normal mode and proceed with the below steps!


    Now, please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post all three logs as attachments.
     
  6. Sodflyer

    Sodflyer Private E-2

    Ran the first scan but I can not run one in normal mode... Firefox lost its way on my disk and IE is crashing at startup... thought I saw a "best offers" on one of the pop ups... I will try the other scans in safe mode.....
     
  7. Sodflyer

    Sodflyer Private E-2

    OK, I could complete only 3 of the scans b/c the online scan hangs up about 1/2 way into it. Doubt this will help as I could not do anything in normal mode, but here are the .txt files. I don't know, but it's looking like a complete reinstall of XP to me this time....
     

  8. Sodflyer

    Sodflyer Private E-2

    Online scan is working now...... doin it.
     
  9. Sodflyer

    Sodflyer Private E-2

    Here are the files after it worked in normal XP.....
     

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)


    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    C:\WINDOWS\io2uns.exe
    C:\WINDOWS\whCC-GIANT.exe

    C:\WINDOWS\System32\GSFDSDD.dll
    C:\WINDOWS\System32\LWQKW.dll
    C:\WINDOWS\System32\OOXNOKK.dll
    C:\WINDOWS\system32\thin-138-1-x-x.exe
    C:\WINDOWS\system32\mspxs32.dll
    C:\WINDOWS\system32\downloadcomreporter.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tiuc.exe


    After you have entered the LAST file allow Killbox to reboot your system. Afterwards attach a fresh HJT log from normal mode.
     
  11. Sodflyer

    Sodflyer Private E-2

    Ok, that's done... and I am surprised it made it this far in normal mode... here is the file. But I still have a crap load of popups and it takes forever to reboot... Thanks for your help!!
     

  12. Sodflyer

    Sodflyer Private E-2

    Am I screwed, and should I just start all over with a reformat and reinstall?
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Viewpoint

    winCMAPP

    CMSystem


    Please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.

    Now please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O2 - BHO: (no name) - {17A54BFC-8214-4F5C-B1A7-A161BFA5FDCC} - C:\PROGRA~1\XSOFTW~1\Working\IEMon.dll (file missing)
    O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\System32\bho.dll
    O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshlyxu.dll (file missing)
    O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\System32\italoccu.dll
    O2 - BHO: (no name) - {72FC93F8-6DEC-350D-AEE2-A2C4F19E5E9C} - C:\WINDOWS\Lmkpjzha.dll
    O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
    O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsi189.dll (file missing)
    O2 - BHO: (no name) - {C9314CCB-9488-178A-E60E-C0BF33DCD158} - C:\WINDOWS\System32\tmkplnvf\ulcjrecf.dll

    O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -C:\WINDOWS\System32\WinNB57.dll
    O3 - Toolbar: Search - {C1936A1E-96E3-4158-2C36-15AF8C61C7BB} - C:\WINDOWS\Lmkpjzha.dll

    O4 - HKLM\..\Run: [Seti] E:\Program Files\Norton AntiVirus\1544\1544.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\System32\testit.exe
    O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
    O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
    O4 - HKLM\..\Run: [ijvutvmt] C:\WINDOWS\System32\lcxrlksk\ijvutvmt.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\System32\mmxp2passion.exe
    O4 - HKLM\..\Run: [elos] C:\WINDOWS\exe82.exe
    O4 - HKLM\..\Run: [mffg] C:\WINDOWS\System32\tuqcquj\mffg.exe
    O4 - HKLM\..\Run: [seli] C:\WINDOWS\exe82.exe
    O4 - HKLM\..\Run: [dynuu] C:\WINDOWS\System32\rnkndmg\dynuu.exe
    O4 - HKLM\..\Run: [jmtnvq] C:\WINDOWS\System32\uawqgjpf\jmtnvq.exe
    O4 - HKLM\..\Run: [lbcmwxag] C:\WINDOWS\System32\xaijqh\lbcmwxag.exe
    O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\JEFFRE~1\LOCALS~1\Temp\InSearch.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\xpmvp.exe
    O4 - HKLM\..\Run: [vttco] C:\WINDOWS\System32\jbgaj\vttco.exe
    O4 - HKLM\..\Run: [dcptia] C:\WINDOWS\System32\hrhvd\dcptia.exe
    O4 - HKLM\..\Run: [pqxkfj] C:\WINDOWS\System32\bgfqxyi\pqxkfj.exe
    O4 - HKLM\..\Run: [ksvkhurr] C:\WINDOWS\System32\yhto\ksvkhurr.exe
    O4 - HKLM\..\Run: [jmtm] C:\WINDOWS\System32\glhejob\jmtm.exe
    O4 - HKLM\..\Run: [vizrerc] C:\WINDOWS\vizrerc.exe
    O4 - HKLM\..\Run: [ibipvdnc] C:\WINDOWS\System32\ibipvdnc.exe
    O4 - HKLM\..\Run: [odjxbuie] C:\WINDOWS\System32\qbicot\odjxbuie.exe
    O4 - HKLM\..\Run: [OSS] C:\windows\rlvknlg.exe -boot
    O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
    O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
    O4 - HKCU\..\Run: [CustomHK] C:\WINDOWS\System32\sgenie.exe
    O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)

    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.db105.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)

    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://server02.rudisbakery.com/Remote/msrdp.cab
    O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0002.exe
    O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://www.andersonfloors.com:8000/ibdc/databases/actimage40930.cab

    O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVmZnJleSAgV2hpdGUA\command.exe
    O23 - Service: dynuurnkndmg - Unknown owner - C:\WINDOWS\System32\rnkndmg\dynuu.exe
    O23 - Service: ijvutvmtlcxrlksk - Unknown owner - C:\WINDOWS\System32\lcxrlksk\ijvutvmt.exe
    O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: mffgtuqcquj - Unknown owner - C:\WINDOWS\System32\tuqcquj\mffg.exe
    O23 - Service: odjxbuieqbicot - Unknown owner - C:\WINDOWS\System32\qbicot\odjxbuie.exe
    O23 - Service: vttcojbgaj - Unknown owner - C:\WINDOWS\System32\jbgaj\vttco.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\sffllqj.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Command Service (cmdService) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate dynuurnkndmg and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate ijvutvmtlcxrlksk and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate mffgtuqcquj and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate odjxbuieqbicot and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate vttcojbgaj and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate Windows Overlay Components and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NOW:
    Navigate to and DELETE the following if they still remain:

    C:\Program Files\Viewpoint ←–– Delete this whole folder if it exists!

    C:\Program Files\CMSystem ←–– Delete this whole folder if it exists!

    C:\Program Files\winCMAPP ←–– Delete this whole folder if it exists!

    E:\Program Files\Norton AntiVirus\1544 ←–– Delete this whole folder if it exists!

    C:\WINDOWS\SmVmZnJleSAgV2hpdGUA ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\jbgaj ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\yhto ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\glhejob ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\tmkplnvf ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\lcxrlksk ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\tuqcquj ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\rnkndmg ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\uawqgjpf ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\xaijqh ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\hrhvd ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\bgfqxyi ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\qbicot ←–– Delete this whole folder if it exists!

    C:\WINDOWS\sffllqj.exe
    C:\WINDOWS\vizrerc.exe
    C:\WINDOWS\Lmkpjzha.dll
    C:\WINDOWS\exe82.exe
    C:\WINDOWS\rlvknlg.exe


    C:\WINDOWS\System32\xpmvp.exe
    C:\WINDOWS\System32\mmxp2passion.exe
    C:\WINDOWS\System32\testit.exe
    C:\WINDOWS\System32\sgenie.exe
    C:\WINDOWS\System32\ibipvdnc.exe
    C:\WINDOWS\System32\medgs1.exe
    C:\WINDOWS\System32\bho.dll
    C:\WINDOWS\System32\italoccu.dll
    C:\WINDOWS\System32\WinNB57.dll
    C:\WINDOWS\System32\opr.exe
    C:\WINDOWS\system32\pshwr.exe

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck! :)
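As an added example, not part of the thread and not code from HijackThis: a small Python triage script that parses lines in the HJT 1.99 log format quoted above and flags the patterns the expert's fix list leans on (orphaned entries, unnamed BHOs, Trusted Zone additions, a text/html filter, services with an unknown owner, and executables sitting in the Windows root or in a subfolder of System32). The sample log and the heuristics are constructed for this example; the sample lines are copied from the log entries in the post above.

```python
import re

# Constructed sample in HijackThis 1.99 log format; each entry is copied from
# the log lines quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {72FC93F8-6DEC-350D-AEE2-A2C4F19E5E9C} - C:\WINDOWS\Lmkpjzha.dll
O4 - HKLM\..\Run: [dynuu] C:\WINDOWS\System32\rnkndmg\dynuu.exe
O4 - HKLM\..\Run: [OSS] C:\windows\rlvknlg.exe -boot
O15 - Trusted Zone: *.windupdates.com (HKLM)
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll
O23 - Service: dynuurnkndmg - Unknown owner - C:\WINDOWS\System32\rnkndmg\dynuu.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")          # "O23 - <detail>"
PATH = re.compile(r"(?:[A-Za-z]:|%\w+%)\\.*?\.(?:exe|dll|com|bat)\b", re.I)
# Executable directly in the Windows root or in a subfolder of System32:
# the layout every randomly named dropper in this thread used.
ODD_LOCATION = re.compile(r"\\windows\\(?:system32\\[^\\]+\\)?[^\\]+\.(?:exe|dll)$", re.I)


def parse_line(line):
    # Returns (section, detail, path-or-None), or None for non-entry lines
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, detail = m.groups()
    p = PATH.search(detail)
    return section, detail, (p.group(0) if p else None)


def reasons(section, detail, path):
    # Heuristics drawn from what the expert chose to fix in this thread
    found = []
    if "(file missing)" in detail:
        found.append("orphaned entry, target file missing")
    if section == "O2" and "(no name)" in detail:
        found.append("unnamed BHO")
    if section == "O15":
        found.append("site added to Trusted Zone")
    if section == "O18" and "text/html" in detail:
        found.append("HTML content filter hijack")
    if section == "O23" and "Unknown owner" in detail:
        found.append("service with unknown owner")
    if section in ("O2", "O3", "O4", "O23") and path and ODD_LOCATION.search(path):
        found.append("executable in Windows root or System32 subfolder")
    return found


def scan(log_text):
    # (section, path, reasons) for every line at least one heuristic flags
    parsed = [p for p in map(parse_line, log_text.splitlines()) if p]
    return [(s, path, why) for s, d, path in parsed if (why := reasons(s, d, path))]
```

Run `scan(SAMPLE_LOG)` to get the flagged entries; a clean machine's O4/O23 entries under Program Files produce no reasons and are left out.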
     
