
borked

  • 28-11-2006 6:52pm
    #1
    Registered Users, Registered Users 2 Posts: 26,061 ✭✭✭✭


    is a word i would use to describe my cousin's pc.
    Logfile of HijackThis v1.99.1
    Scan saved at 18:49:43, on 28/11/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\USB Storage RW\shwicon.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iol.ie
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\System32\tmp157.tmp.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {c1a25881-5251-42b4-9989-e94dc347fc69} - C:\WINDOWS\system32\kbd212.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Program Files\WinMediaCodec\iesplugin.dll (file missing)
    O3 - Toolbar: Protection Bar - {44d22a64-2399-4edf-8b32-f2c729c1e8a7} - C:\Program Files\X Password Generator\iesplugin.dll (file missing)
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKLM\..\Run: [697B210F] C:\WINDOWS\System32\jllotqk.exe
    O4 - HKLM\..\Run: [jY0Ô;Áß]§ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jbyiplhd.exe
    O4 - HKLM\..\Run: [¢‰¸K0¨4W
    }ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jbyiplhd.exe
    O4 - HKLM\..\Run: [¢‰¸K0¨4W
    }ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jbyiplhd.exe
    O4 - HKLM\..\Run: [¢‰¸K0Ô;Áß]§ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jbyiplhd.exe
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [¢‰¸K0Ô;Áß]§ú"ü‰¸K0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jbyiplhd.exe
    O4 - HKLM\..\Run: [¢‰¸K0ÔÁß]§ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jbyiplhd.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [4763iu1l] C:\WINDOWS\System32\4763iu1l.exe
    O4 - HKLM\..\Run: [¢‰¸K0+¿pÇL]ùÿàaîžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jbyiplhd.exe
    O4 - HKLM\..\Run: [¢‹¹ÏóËÃ4}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jbyiplhd.exe
    O4 - HKLM\..\Run: [¢‹¹ÏóËÃ4}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jbyiplhd.exe
    O4 - HKLM\..\Run: [jY0+¿pÇL]ùÿàaîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jbyiplhd.exe
    O4 - HKLM\..\Run: [uwa6pcw] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\uwa6pcw.exe" -c
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MainDownloads] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:MainDownloads:t
    O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O9 - Extra button: MainDownloads - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\MainDownloads (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {01C17CA5-D863-42ED-B8DD-C3E325A22E4E} (EGDownload Class) - http://www.vizit.us/private/downloadcenter/downloader/EGDownloaderXP.cab
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
    O16 - DPF: {1230CB21-C88D-11CF-0000-000000000000} - http://www.browserupdate.co.uk/cabs/ukiq0037/ukiq0037.cab
    O16 - DPF: {6AA93DF6-6757-4338-9087-F7601DE18402} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1040_XP.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162837301468
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B914A3C5-80F5-43C1-A4A3-C4211921DC7B} - http://akamai.downloadv3.com/binaries/IA/netdtc32_EN_XP.cab
    O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/dialer/internazionale_ver15.CAB
    O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt03.com/dialer/internazionale_ver11.CAB
    O16 - DPF: {E3943A24-2F83-4505-9AE5-F705E81B50CB} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1055_XP.cab
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/sp3.02r/spyspottercabinstall.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: docent2 - docent2.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: kbd212 - C:\WINDOWS\SYSTEM32\kbd212.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    all help appreciated. s


Comments

  • Registered Users, Registered Users 2 Posts: 26,061 ✭✭✭✭Terry


    also, running Ad-Aware shuts the pc down almost immediately.
    it shows that 1 module has been found and then the pc restarts.


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    It is absolutely riddled with viruses. First one I spotted was the one from the line below. Also there is an awful lot of highly suspicious entries in the Run section. Can you get into Safe Mode? If so then run an anti-virus scan from there. Open msconfig.exe from the Run box and untick everything in there to start with.
    When it shuts down, you are getting that box that counts down? I personally would just format and start again. :)
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    MS Blaster removal instructions.
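
A triage pass over the `O4` Run-key lines of a HijackThis log, along the lines of the reply above. This is an added example, not part of the original post. The three heuristics and the names `triage`, `SYSTEM_DIRS` and `NAMED_IN_THREAD` are assumptions made for illustration, and a flag is a prompt to look closer, not a verdict.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# Lines copied from the HijackThis log in the first post; the last one is a
# shortened stand-in for the garbled-name entries (constructed for this example).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [697B210F] C:\WINDOWS\System32\jllotqk.exe
O4 - HKLM\..\Run: [4763iu1l] C:\WINDOWS\System32\4763iu1l.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [jY0Ô;Áß] C:\WINDOWS\jbyiplhd.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command>"; the name match is greedy
# because the garbled value names in the log contain "]" themselves.
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*)\] (.+)$")

SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}  # assumption: XP default paths
NAMED_IN_THREAD = {"msblast.exe"}                      # the entry the reply singles out

def triage(log):
    """Return (executable, reasons) for each O4 entry worth a closer look."""
    findings = []
    for line in log.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        _hive, _key, name, cmd = m.groups()
        # Executable path: optional opening quote, then up to the first ".exe".
        exe = re.match(r'"?(.+?\.exe)', cmd, re.I)
        path = exe.group(1) if exe else cmd
        reasons = []
        if basename(path).lower() in NAMED_IN_THREAD:
            reasons.append("file name called out in the thread")
        if dirname(path).lower() in SYSTEM_DIRS:
            reasons.append("autostart by full path into the Windows directory")
        if not name.isascii() or not name.isprintable():
            reasons.append("non-ASCII or unprintable value name")
        if reasons:
            findings.append((basename(path), reasons))
    return findings

if __name__ == "__main__":
    for exe_name, reasons in triage(SAMPLE_LOG):
        print(f"{exe_name}: {'; '.join(reasons)}")
```
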


  • Closed Accounts Posts: 7,144 ✭✭✭DonkeyStyle \o/


    I downloaded some of the linked files there... Norton detected adware and dialers in the ones I randomly selected.
    My policy is to reformat and reinstall the OS once it's been compromised by any malicious/dodgy software... once you've had nasty software running on your PC, even after you remove it - you still don't know what other kinds of crap it's downloaded or modified on the system.
    I wouldn't bother trying to clean this PC, just backup the essentials and do a reformat.


  • Registered Users, Registered Users 2 Posts: 26,061 ✭✭✭✭Terry


    Ruu wrote:
    Can you get into Safe Mode?
    yes
    If so then run an anti-virus scan from there.
    before or after i do this?
    Open msconfig.exe from the Run box and untick everything in there to start with.
    When it shuts down, you are getting that box that counts down? I personally would just format and start again. :)

    not getting the countdown. it just shuts down instantly.
    i would format and start again, but i don't have an install disc. asking my cousin where it is would be pointless. i doubt he even got one with it.


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    In Safe mode, untick all of the entries in the Startup tab under msconfig.exe first and then run your anti virus scan. See if you get anywhere after that.


  • Registered Users, Registered Users 2 Posts: 26,061 ✭✭✭✭Terry


    what's an anti-virus programme?

    i ****ing told him to buy one a few weeks ago and he didn't. the norton one no longer works, so i'm downloading a trial version of the new McAfee thingy to see if it helps.

    thanks anyway folks.
    i'm off to see if he has an install disc for this.


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    Download this one, AVG is free and works better than most. G'luck.


  • Registered Users, Registered Users 2 Posts: 32,136 ✭✭✭✭is_that_so


    You should also get hold of XP service pack 2. Smit-Rem may help you. Run it in safe mode as well and finally get Search And Destroy

    Edit: Don't forget to uninstall Norton.


  • Closed Accounts Posts: 6,113 ✭✭✭subway


    get windows live one care and defender on to it instead of norton or mcafee.
    type shutdown -a into the run box to stop it restarting.
    get the machine updated and patched while onecare and defender are doing their thing

    after that uninstall everything and delete everything that isn't needed
    run an app called cleanup! that you can find on google
    run another virus scan and you should be nearly there

    post back your HijackThis log after all the above


  • Registered Users, Registered Users 2 Posts: 1,723 ✭✭✭kmb


    run mcafee stinger...

    http://www.scanwith.com/download/McAfee_AVERT_Stinger.htm

    regards

    kieran

