[HijackThis Log.txt] someone help me please

TedBundy

Veteran X
never had to use this before. but my taskmanager (ctrl+alt+del) window closes as soon as i open it and my RUN>MSCONFIG doesn't work. here's my log. what is bad here:

Logfile of HijackThis v1.97.7
Scan saved at 10:05:49 PM, on 12/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\documents and settings\brendanmcdevitt\local settings\temp\vnCgNrpji.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\system32\kpwohlrjqnmu.exe
C:\WINDOWS\system32\rjuiivcx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\BrendanMcDevitt\Application Data\otdh.exe
C:\WINDOWS\system32\r?ndll32.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
D:\Downloads\HijackThis.exe

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {BAB48D07-409E-3F1A-EC5C-4876656F5797} - C:\WINDOWS\system32\fcaz.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vnCgNrpji.exe] C:\documents and settings\brendanmcdevitt\local settings\temp\vnCgNrpji.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Winsock driver] kpwohlrjqnmu.exe
O4 - HKLM\..\Run: [2S6DwCRC.exe] C:\documents and settings\brendanmcdevitt\local settings\temp\2S6DwCRC.exe
O4 - HKLM\..\Run: [aupiar] C:\WINDOWS\system32\rjuiivcx.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Cccr] C:\Documents and Settings\BrendanMcDevitt\Application Data\otdh.exe
O4 - HKCU\..\Run: [Tqq] C:\WINDOWS\system32\r?ndll32.exe
O4 - HKCU\..\RunOnce: [Winsock driver] kpwohlrjqnmu.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm00686US
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101757205561
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Welp - My bud was jocked w/ junkware and I said "Don't say YES to those things on porn sites" and he said,
"yeah - I always say yes"

Just say NO
 
TedBundy said:
never had to use this before. but my taskmanager (ctrl+alt+del) window closes as soon as i open it and my RUN>MSCONFIG doesn't work. here's my log. what is bad here:

Logfile of HijackThis v1.97.7
Scan saved at 10:05:49 PM, on 12/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\documents and settings\brendanmcdevitt\local settings\temp\vnCgNrpji.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\system32\kpwohlrjqnmu.exe
C:\WINDOWS\system32\rjuiivcx.exe
C:\Documents and Settings\BrendanMcDevitt\Application Data\otdh.exe
C:\WINDOWS\system32\r?ndll32.exe
C:\Program Files\Web_Rebates\WebRebates1.exe


R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {BAB48D07-409E-3F1A-EC5C-4876656F5797} - C:\WINDOWS\system32\fcaz.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime no need to load
O4 - HKLM\..\Run: [vnCgNrpji.exe] C:\documents and settings\brendanmcdevitt\local settings\temp\vnCgNrpji.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Winsock driver] kpwohlrjqnmu.exe
O4 - HKLM\..\Run: [2S6DwCRC.exe] C:\documents and settings\brendanmcdevitt\local settings\temp\2S6DwCRC.exe
O4 - HKLM\..\Run: [aupiar] C:\WINDOWS\system32\rjuiivcx.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe


O4 - HKCU\..\Run: [Cccr] C:\Documents and Settings\BrendanMcDevitt\Application Data\otdh.exe
O4 - HKCU\..\Run: [Tqq] C:\WINDOWS\system32\r?ndll32.exe
O4 - HKCU\..\RunOnce: [Winsock driver] kpwohlrjqnmu.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm00686US

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

Thats there is a good start......get rid of the files on disk, look for system type files that are weird named from the same date/time...delete those......

50 bucks please.....
 
Dude, you have quite a few programs running from your user temp directory....not good. Secondly, you have a lot of shit in that log file.

Spybot is your friend. It will at least identify the culprits and allow you to track them down.
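
A way to triage the O4 autorun lines of a HijackThis log like the one posted above, as an added example that is not part of the original thread: it flags entries that start from a temp directory, sit directly in Application Data, or carry a `?` in the file name (shown by the log where it could not print the real character). The three checks are this example's own review heuristics, and the sample lines are copied from the posted log.

```python
import re
from pathlib import PureWindowsPath

# Sample input: O4 lines copied from the log posted in this thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [vnCgNrpji.exe] C:\documents and settings\brendanmcdevitt\local settings\temp\vnCgNrpji.exe
O4 - HKLM\..\Run: [Winsock driver] kpwohlrjqnmu.exe
O4 - HKCU\..\Run: [Cccr] C:\Documents and Settings\BrendanMcDevitt\Application Data\otdh.exe
O4 - HKCU\..\Run: [Tqq] C:\WINDOWS\system32\r?ndll32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
ENTRY = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$')
# Executable is either the quoted part or everything up to the first ".exe".
EXE = re.compile(r'"([^"]+)"|(.+?\.exe)', re.I)

def parse_o4(line):
    """Return hive, key, value name and executable path, or None if not a registry O4 line."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    exe = EXE.match(command)
    path = (exe.group(1) or exe.group(2)) if exe else command
    return {"hive": hive, "key": key, "name": name, "path": path}

def reasons(path):
    """Heuristic review flags for one autorun path (assumptions of this example)."""
    p = PureWindowsPath(path.lower())
    found = []
    if "temp" in p.parts[:-1]:
        found.append("runs from a temp directory")
    if p.parent.name == "application data":
        found.append("executable directly in Application Data")
    if "?" in p.name:
        found.append("'?' in file name (character the log could not print)")
    return found

def triage(log_text):
    """List (value name, reasons) for every O4 entry that trips a heuristic."""
    entries = filter(None, map(parse_o4, log_text.splitlines()))
    return [(e["name"], reasons(e["path"])) for e in entries if reasons(e["path"])]

if __name__ == "__main__":
    for name, why in triage(SAMPLE):
        print(f"{name}: {'; '.join(why)}")
```

An entry given without a directory, such as `kpwohlrjqnmu.exe`, passes these checks untouched, so the output is a shortlist for manual review rather than a verdict on the whole log.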
 
TedBundy said:
never had to use this before. but my taskmanager (ctrl+alt+del) window closes as soon as i open it and my RUN>MSCONFIG doesn't work. here's my log. what is bad here:

Logfile of HijackThis v1.97.7
Scan saved at 10:05:49 PM, on 12/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\documents and settings\brendanmcdevitt\local settings\temp\vnCgNrpji.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\system32\kpwohlrjqnmu.exe
C:\WINDOWS\system32\rjuiivcx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\BrendanMcDevitt\Application Data\otdh.exe
C:\WINDOWS\system32\r?ndll32.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
D:\Downloads\HijackThis.exe

[STRIKE]R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)[/STRIKE]
[STRIKE]R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll[/STRIKE]
[STRIKE]O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll[/STRIKE]
[STRIKE]O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll[/STRIKE]
[STRIKE]O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll[/STRIKE]
[STRIKE]O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll[/STRIKE]
[STRIKE]O2 - BHO: (no name) - {BAB48D07-409E-3F1A-EC5C-4876656F5797} - C:\WINDOWS\system32\fcaz.dll[/STRIKE]
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
[STRIKE]O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe[/STRIKE]
[STRIKE]O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs[/STRIKE]
[STRIKE]O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime[/STRIKE]
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
[STRIKE]O4 - HKLM\..\Run: [vnCgNrpji.exe] C:\documents and settings\brendanmcdevitt\local settings\temp\vnCgNrpji.exe[/STRIKE]
[STRIKE]O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe[/STRIKE]
[STRIKE]O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"[/STRIKE]
[STRIKE]O4 - HKLM\..\Run: [Winsock driver] kpwohlrjqnmu.exe[/STRIKE]
[STRIKE]O4 - HKLM\..\Run: [2S6DwCRC.exe] C:\documents and settings\brendanmcdevitt\local settings\temp\2S6DwCRC.exe[/STRIKE]
[STRIKE]O4 - HKLM\..\Run: [aupiar] C:\WINDOWS\system32\rjuiivcx.exe[/STRIKE]
[STRIKE]O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe[/STRIKE]
[STRIKE]O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe[/STRIKE]
[STRIKE]O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe[/STRIKE]
[STRIKE]O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe[/STRIKE]
[STRIKE]O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background[/STRIKE]
[STRIKE]O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl[/STRIKE]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
[STRIKE]O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe[/STRIKE]
[STRIKE]O4 - HKCU\..\Run: [Cccr] C:\Documents and Settings\BrendanMcDevitt\Application Data\otdh.exe[/STRIKE]
[STRIKE]O4 - HKCU\..\Run: [Tqq] C:\WINDOWS\system32\r?ndll32.exe[/STRIKE]
[STRIKE]O4 - HKCU\..\RunOnce: [Winsock driver] kpwohlrjqnmu.exe[/STRIKE]
[STRIKE]O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe[/STRIKE]
[STRIKE]O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE[/STRIKE]
[STRIKE]O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm00686US[/STRIKE]
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
[STRIKE]O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm[/STRIKE]
[STRIKE]O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)[/STRIKE]
[STRIKE]O9 - Extra button: AIM (HKLM)[/STRIKE]
[STRIKE]O9 - Extra button: Messenger (HKLM)[/STRIKE]
[STRIKE]O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)[/STRIKE]
[STRIKE]O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab[/STRIKE]
[STRIKE]O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101757205561[/STRIKE]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Kill those in safe mode. Run AdAware in safe mode too. Also in safe mode run msconfig, find all the weird named ones with files in c:\ or c:\windows and delete those files. Most will be .exe files.
 
GeneralHell said:
Kill those in safe mode. Run AdAware in safe mode too. Also in safe mode run msconfig, find all the weird named ones with files in c:\ or c:\windows and delete those files. Most will be .exe files.

That'll do it. You don't only have to use AdAware, try Spybot S&D, I like that one too
 
D-Sect said:
Welp - My bud was jocked w/ junkware and I said "Don't say YES to those things on porn sites" and he said,
"yeah - I always say yes"

Just say NO

Well, the tricky bastards still have their way of slamming you - it's best to stay away from porn sites, good luck with that one though lol.
 