Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

win32.trojan.rx (hijackthis log as well)

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

win32.trojan.rx (hijackthis log as well)

Unread postby remo_tan » May 24th, 2007, 5:15 pm

ok so my background is red, i get a bunch of popups and my pc is slower than a snail.



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:15:17 PM, on 5/24/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\msrr.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\remo\My Documents\killemall.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\SERVICES.EXE
O2 - BHO: (no name) - {1581909B-1C30-496A-B4A9-BA792FB51B8A} - C:\WINDOWS\System32\gebcb.dll
O2 - BHO: C:\WINDOWS\System32\gsjeie83df.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\System32\gsjeie83df.dll (file missing)
O2 - BHO: (no name) - {970D022E-A884-4D2A-BB4A-EBC22D2FEBD2} - C:\WINDOWS\system32\hgggedb.dll
O2 - BHO: Hook Class - {DBA0F35F-BCD6-4602-863A-96893E4DE018} - C:\WINDOWS\System32\repl.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\System32\ehmdjvsf.dll",realset
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\WINDOWS\System32\KB_963493.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msrr.exe" /background
O4 - HKCU\..\Run: [Pxwgt] "C:\Program Files\Common Files\?dobe\?ttrib.exe"
O4 - HKCU\..\Run: [A00F5427A5D.exe] C:\DOCUME~1\remo\LOCALS~1\Temp\_A00F5427A5D.exe
O4 - HKCU\..\Run: [A00F5427B18.exe] C:\DOCUME~1\remo\LOCALS~1\Temp\_A00F5427B18.exe
O4 - HKCU\..\Run: [A00F5429C2D.exe] C:\DOCUME~1\remo\LOCALS~1\Temp\_A00F5429C2D.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Policies\Explorer\Run: [{D4B38262-0961-1033-0223-040303230001}] "C:\Program Files\Common Files\{D4B38262-0961-1033-0223-040303230001}\Update.exe" mc-110-12-0000627
O4 - HKCU\..\Policies\Explorer\Run: [{D4B38262-0960-1033-0223-040303230001}] "C:\Program Files\Common Files\{D4B38262-0960-1033-0223-040303230001}\Update.exe" mc-110-12-0000627
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{D4B38262-0960-1033-0223-040303230001}] "C:\Program Files\Common Files\{D4B38262-0960-1033-0223-040303230001}\Update.exe" mc-110-12-0000627 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{D4B38262-0961-1033-0223-040303230001}] "C:\Program Files\Common Files\{D4B38262-0961-1033-0223-040303230001}\Update.exe" mc-110-12-0000627 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{D4B38262-0960-1033-0223-040303230001}] "C:\Program Files\Common Files\{D4B38262-0960-1033-0223-040303230001}\Update.exe" mc-110-12-0000627 (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: gebcb - C:\WINDOWS\System32\gebcb.dll
O20 - Winlogon Notify: hgggedb - C:\WINDOWS\SYSTEM32\hgggedb.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\System32\ssqrq.dll (file missing)
O20 - Winlogon Notify: __c0011A64 - C:\WINDOWS\System32\__c0011A64.dat
O20 - Winlogon Notify: __c005E521 - C:\WINDOWS\System32\__c005E521.dat
O20 - Winlogon Notify: __c00C9F90 - C:\WINDOWS\System32\__c00C9F90.dat
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\zvqhx.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Fdjskie8 jf8e - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\System32\gsjeie83df.dll (file missing)
O22 - SharedTaskScheduler: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\zvqhx.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6367 bytes
------


please help, someone?
remo_tan
Active Member
 
Posts: 2
Joined: May 24th, 2007, 5:09 pm
Advertisement
Register to Remove

Unread postby remo_tan » May 24th, 2007, 5:18 pm

p.s. killemall is hijackthis renamed
remo_tan
Active Member
 
Posts: 2
Joined: May 24th, 2007, 5:09 pm

Unread postby amateur » May 24th, 2007, 6:30 pm

Hello and welcome to MR :)

I am sorry to inform you that this is a very badly infected system and I am not surprised because you are running an unpatched Windows XP. I cannot see the version of the Internet Explorer either. Any attempts to clean this up will be futile as you'll get reinfected within minutes you are on the internet again.

Validate your copy of Windows XP here : http://www.microsoft.com/resources/howt ... fault.mspx
Click on "Run the Windows Validation Assistant". Let me know the results.

Then, get SP1a here : http://www.microsoft.com/windowsxp/down ... fault.mspx

You should also get SP2, but NOT NOW, rather only after your machine is clean.

After you've done that, please uninstall HijackThis V2.00 using Add/Remove Programs in Control Panel. What you have now is a Beta version.

You can get a complete installer that installs HijackThis to C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut from http://downloads.malwareremoval.com/HJTsetup.exe.

Click on the link and select Save, save it to your desktop and double click HJTsetup.exe.

Open HijackThis and select: Do a system scan and save a log file.

When the scan is finished, Click Edit> Select All> Edit> Copy> and paste its contents here.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby NonSuch » June 5th, 2007, 4:54 am

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27228
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 15 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware