| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 112417 | 2010-09-05 07:32:00 | Windows Explorer constant crashing, HJT log inside | Big Blue (15973) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 1134914 | 2010-09-05 07:32:00 | No idea how I got it, but I have a trojan(I think) that completely nuked my computer, I can't keep Windows Explorer open for more than a second because as soon as I restart the process it crashes again. Also, right when I start up my computer I get around 10 pop-ups asking which application to use to open a program called "Big". I'm in safe mode right now, ran scans on AdAware, Spybot, and Nod32 before deciding to HJT the problem. I'm running Windows 7 64 bit, here's my log. Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 12:35:11 AM, on 9/5/2010 Platform: Windows 7 (WinNT 6.00.3504) MSIE: Internet Explorer v8.00 (8.00.7600.16385) Boot mode: Normal Running processes: C:\Windows\vVX3000.exe C:\Program Files (x86)\Proxy Switcher Standard\ProxySwitcher.exe C:\Program Files (x86)\Steam\Steam.exe C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\PowerISO\PWRISOVM.EXE C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files (x86)\Java\jre6\bin\jusched.exe C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe C:\Program Files (x86)\iTunes\iTunesHelper.exe C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe C:\Users\Big Blue\AppData\Local\Google\Chrome\Application\chrom e.exe C:\Users\Big Blue\AppData\Local\Google\Chrome\Application\chrom e.exe C:\Users\Big Blue\AppData\Local\Google\Chrome\Application\chrom e.exe C:\Users\Big Blue\AppData\Local\Google\Chrome\Application\chrom e.exe C:\Program Files (x86)\Java\jre6\bin\jucheck.exe C:\Users\Big Blue\AppData\Local\Google\Chrome\Application\chrom e.exe C:\Users\Big Blue\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\ Yahoo! \Companion\Installs\cpn1\yt.dll F2 - REG:system.ini: UserInit=userinit.exe O1 - Hosts: ::1 localhost O2 - BHO: & Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\ Yahoo! \Companion\Installs\cpn1\yt.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: C:\Windows\SysWow64\kadia.dll - {B1BA40A2-75F2-51BD-F413-04B13A2C8953} - (no file) O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\ Yahoo! \Companion\Installs\cpn1\yt.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files (x86)\PowerISO\PWRISOVM.EXE" O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VER SIO~2.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [firefox] C:\Windows\system32\winlogin.exe O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [LvbQciejlpe] C:\Users\Big Blue\AppData\Local\Temp\csrss.exe O4 - HKLM\..\Run: [Mqqyc] C:\Windows\csrss.exe O4 - HKLM\..\Run: [Mquuf] C:\Windows\spoolsv.exe O4 - HKLM\..\Run: [MqsZ] C:\Windows\mdm.exe O4 - HKLM\..\Run: [LvbQciejlne] C:\Users\Big Blue\AppData\Local\Temp\lsass.exe O4 - HKLM\..\Run: [Mqqoc] C:\Windows\debug.exe O4 - HKLM\..\Run: [LvLYPiejlotc] C:\Users\BIGBLU~1\AppData\Local\Temp\hexdump.exe O4 - HKLM\..\Run: [LvLYPiejlqvc] C:\Users\BIGBLU~1\AppData\Local\Temp\svchost.exe O4 - HKLM\..\Run: [LvLYPiejlkc] C:\Users\BIGBLU~1\AppData\Local\Temp\cmd.exe O4 - HKLM\..\Run: [Mqurb] C:\Windows\taskmgr.exe O4 - HKLM\..\Run: [LvLYPiejlqf] C:\Users\BIGBLU~1\AppData\Local\Temp\user.exe O4 - HKLM\..\Run: [LvLYPiejlqW] C:\Users\BIGBLU~1\AppData\Local\Temp\drweb.exe O4 - HKLM\..\Run: [Etedacaxo] rundll32.exe "C:\Users\Big Blue\AppData\Local\enibisovuniwula.dll",Startup O4 - HKCU\..\Run: [PSwitch] C:\Program Files (x86)\Proxy Switcher Standard\ProxySwitcher.exe O4 - HKCU\..\Run: [RGSC] C:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent O4 - HKCU\..\Run: [Steam] "c:\program files (x86)\steam\steam.exe" -silent O4 - HKCU\..\Run: [Google Update] "C:\Users\Big Blue\AppData\Local\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [msnmsg] C:\Windows\system32\winlogin.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [ZScreen] C:\Program Files\ZScreen\ZScreen.exe O4 - HKCU\..\Run: [Mqqoc] C:\Windows\debug.exe O4 - HKCU\..\Run: [MqsZ] C:\Windows\mdm.exe O4 - HKCU\..\Run: [Mqva] C:\Windows\win.exe O4 - HKCU\..\Run: [Mqqyc] C:\Windows\csrss.exe O4 - HKCU\..\Run: [sjotrfxs] C:\Users\Big Blue\AppData\Local\esgdtjtdu\ipibuelshdw.exe O4 - HKCU\..\Run: [Mquuf] C:\Windows\spoolsv.exe O4 - HKCU\..\Run: [Mqutandows\services.exe] C:\Windows\services.exe O4 - HKCU\..\Run: [LvLYPiejlqfGBLU~1\AppData\Local\Temp\user.exe] C:\Users\BIGBLU~1\AppData\Local\Temp\user.exe O4 - HKCU\..\Run: [Ihelewa] rundll32.exe "C:\Users\Big Blue\AppData\Local\mAEniz.dll",Startup O4 - HKCU\..\Run: [LvLYPiejlotc] C:\Users\BIGBLU~1\AppData\Local\Temp\hexdump.exe O4 - HKCU\..\Run: [LvLYPiejlqvc] C:\Users\BIGBLU~1\AppData\Local\Temp\svchost.exe O4 - HKCU\..\Run: [LvLYPiejlqf] C:\Users\BIGBLU~1\AppData\Local\Temp\user.exe O4 - HKCU\..\Run: [LvLYPiejlqW] C:\Users\BIGBLU~1\AppData\Local\Temp\drweb.exe O4 - HKCU\..\Run: [LvbQciejlqf] C:\Users\Big Blue\AppData\Local\Temp\user.exe O4 - HKCU\..\Run: [LvbQciejlqvc] C:\Users\Big Blue\AppData\Local\Temp\svchost.exe O4 - HKCU\..\Run: [LvbQciejlqW] C:\Users\Big Blue\AppData\Local\Temp\drweb.exe O4 - HKCU\..\Run: [LvbQciejlkc] C:\Users\Big Blue\AppData\Local\Temp\cmd.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE') O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - srtest-cdn.systemrequirementslab.com.s3.amazonaws.com O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - upload.facebook.com O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - platformdl.adobe.com O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing) O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing) O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing) O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing) O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing) O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing) O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing) O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing) O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing) O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing) O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing) O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing) O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing) O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing) O23 - Service: wDokanMounter - Unknown owner - C:\Program Files (x86)\Wuala Dokan\mounter.exe O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing) O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing) O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\ Yahoo! \SoftwareUpdate\YahooAUService.exe -- End of file - 15283 bytes Please help, safe mode is hard on the eyes. |
Big Blue (15973) | ||
| 1134915 | 2010-09-05 07:45:00 | Yup looks like you've got nasties. Disable system restore first Tick these then tick fix checked Close browsers O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: C:\Windows\SysWow64\kadia.dll - {B1BA40A2-75F2-51BD-F413-04B13A2C8953} - (no file) O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [firefox] C:\Windows\system32\winlogin.exe O4 - HKLM\..\Run: [LvbQciejlpe] C:\Users\Big Blue\AppData\Local\Temp\csrss.exe O4 - HKLM\..\Run: [Mqqyc] C:\Windows\csrss.exe O4 - HKLM\..\Run: [Mquuf] C:\Windows\spoolsv.exe O4 - HKLM\..\Run: [MqsZ] C:\Windows\mdm.exe O4 - HKLM\..\Run: [LvbQciejlne] C:\Users\Big Blue\AppData\Local\Temp\lsass.exe O4 - HKLM\..\Run: [Mqqoc] C:\Windows\debug.exe O4 - HKLM\..\Run: [LvLYPiejlotc] C:\Users\BIGBLU~1\AppData\Local\Temp\hexdump.exe O4 - HKLM\..\Run: [LvLYPiejlqvc] C:\Users\BIGBLU~1\AppData\Local\Temp\svchost.exe O4 - HKLM\..\Run: [LvLYPiejlkc] C:\Users\BIGBLU~1\AppData\Local\Temp\cmd.exe O4 - HKLM\..\Run: [Mqurb] C:\Windows\taskmgr.exe O4 - HKLM\..\Run: [LvLYPiejlqf] C:\Users\BIGBLU~1\AppData\Local\Temp\user.exe O4 - HKLM\..\Run: [LvLYPiejlqW] C:\Users\BIGBLU~1\AppData\Local\Temp\drweb.exe O4 - HKLM\..\Run: [Etedacaxo] rundll32.exe "C:\Users\Big Blue\AppData\Local\enibisovuniwula.dll",Startup O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [Mqqoc] C:\Windows\debug.exe O4 - HKCU\..\Run: [MqsZ] C:\Windows\mdm.exe O4 - HKCU\..\Run: [Mqva] C:\Windows\win.exe O4 - HKCU\..\Run: [Mqqyc] C:\Windows\csrss.exe O4 - HKCU\..\Run: [sjotrfxs] C:\Users\Big Blue\AppData\Local\esgdtjtdu\ipibuelshdw.exe O4 - HKCU\..\Run: [Mquuf] C:\Windows\spoolsv.exe O4 - HKCU\..\Run: [Mqutandows\services.exe] C:\Windows\services.exe O4 - HKCU\..\Run: [LvLYPiejlqfGBLU~1\AppData\Local\Temp\user.exe] C:\Users\BIGBLU~1\AppData\Local\Temp\user.exe O4 - HKCU\..\Run: [Ihelewa] rundll32.exe "C:\Users\Big Blue\AppData\Local\mAEniz.dll",Startup O4 - HKCU\..\Run: [LvLYPiejlotc] C:\Users\BIGBLU~1\AppData\Local\Temp\hexdump.exe O4 - HKCU\..\Run: [LvLYPiejlqvc] C:\Users\BIGBLU~1\AppData\Local\Temp\svchost.exe O4 - HKCU\..\Run: [LvLYPiejlqf] C:\Users\BIGBLU~1\AppData\Local\Temp\user.exe O4 - HKCU\..\Run: [LvLYPiejlqW] C:\Users\BIGBLU~1\AppData\Local\Temp\drweb.exe O4 - HKCU\..\Run: [LvbQciejlqf] C:\Users\Big Blue\AppData\Local\Temp\user.exe O4 - HKCU\..\Run: [LvbQciejlqvc] C:\Users\Big Blue\AppData\Local\Temp\svchost.exe O4 - HKCU\..\Run: [LvbQciejlqW] C:\Users\Big Blue\AppData\Local\Temp\drweb.exe O4 - HKCU\..\Run: [LvbQciejlkc] C:\Users\Big Blue\AppData\Local\Temp\cmd.exe Reboot Get ccleaner (http://www.ccleaner.com) install it. Untick the yahoo toolbar. Click on run cleaner. Close browsers Get Malwarebytes (http://www.malwarebytes.org) update it then do a full scan. Remove whatever it finds. Then reboot Then post an updated log |
Speedy Gonzales (78) | ||
| 1134916 | 2010-09-05 08:39:00 | Thanks for the fast answer, I wasn't expecting such a thorough response so soon. The problem is completely fixed, I ran sfc /scannow in a command window and that cleared up the Explorer crashing problem, seems I deleted an important file in my haste to get rid of the trojans. I fixed the files you noted and ran the other programs, and now I'm not getting any messages from SpyBot or AdAware about trojans, so I'm assuming it worked. Thanks a ton, I'm definitely remembering these forums next time I have a virus problem. Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 2:32:24 AM, on 9/5/2010 Platform: Windows 7 (WinNT 6.00.3504) MSIE: Internet Explorer v8.00 (8.00.7600.16385) Boot mode: Normal Running processes: C:\Windows\vVX3000.exe C:\Program Files (x86)\Proxy Switcher Standard\ProxySwitcher.exe C:\Program Files (x86)\Steam\Steam.exe C:\Program Files (x86)\PowerISO\PWRISOVM.EXE C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe C:\Program Files (x86)\iTunes\iTunesHelper.exe C:\Users\Big Blue\AppData\Local\Google\Chrome\Application\chrom e.exe C:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe C:\Users\Big Blue\AppData\Local\Google\Chrome\Application\chrom e.exe C:\Users\Big Blue\AppData\Local\Google\Chrome\Application\chrom e.exe C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe C:\Users\Big Blue\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\ Yahoo! \Companion\Installs\cpn1\yt.dll O1 - Hosts: ::1 localhost O2 - BHO: & Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\ Yahoo! \Companion\Installs\cpn1\yt.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\ Yahoo! \Companion\Installs\cpn1\yt.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files (x86)\PowerISO\PWRISOVM.EXE" O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VER SIO~2.EXE O4 - HKLM\..\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [PSwitch] C:\Program Files (x86)\Proxy Switcher Standard\ProxySwitcher.exe O4 - HKCU\..\Run: [RGSC] C:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent O4 - HKCU\..\Run: [Steam] "c:\program files (x86)\steam\steam.exe" -silent O4 - HKCU\..\Run: [Google Update] "C:\Users\Big Blue\AppData\Local\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [msnmsg] C:\Windows\system32\winlogin.exe O4 - HKCU\..\Run: [ZScreen] C:\Program Files\ZScreen\ZScreen.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE') O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - srtest-cdn.systemrequirementslab.com.s3.amazonaws.com O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - upload.facebook.com O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - platformdl.adobe.com O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing) O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing) O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing) O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing) O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing) O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing) O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing) O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing) O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing) O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing) O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing) O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing) O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing) O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing) O23 - Service: wDokanMounter - Unknown owner - C:\Program Files (x86)\Wuala Dokan\mounter.exe O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing) O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing) O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\ Yahoo! \SoftwareUpdate\YahooAUService.exe -- End of file - 12037 bytes |
Big Blue (15973) | ||
| 1134917 | 2010-09-05 08:42:00 | Missed one. Tick this entry then tick fix checked O4 - HKCU\..\Run: [msnmsg] C:\Windows\system32\winlogin.exe. Or run ccleaner go to tools / startup. Delete its entry then reboot |
Speedy Gonzales (78) | ||
| 1134918 | 2010-09-05 08:47:00 | Got it. Thanks. | Big Blue (15973) | ||
| 1 | |||||