doorway Posted October 26, 2008 Report Share Posted October 26, 2008 hey -I came across this site after desperately looking to fix these issues. I hope you guys can help me rid of these awful malwares. MSServer, cmds, 980b7ac and link adds.I've used hijackthis and msconfig to disable them but they would not go away. i'm using vista ultimate - ran it as administrator, still would not go away. please help.here's the log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 2:36:43 PM, on 10/26/2008Platform: Windows Vista SP1 (WinNT 6.00.1905)MSIE: Internet Explorer v7.00 (7.00.6001.18000)Boot mode: NormalRunning processes:C:\Windows\system32\Dwm.exeC:\Windows\system32\taskeng.exeC:\Windows\Explorer.EXEC:\Program Files\AVG\AVG8\avgtray.exeC:\Program Files\magicBlock\magicBlock.exeC:\Users\Shlomy\AppData\Roaming\mjusbsp\magicJack.exeC:\Windows\system32\wuauclt.exeC:\Windows\system32\rundll32.exeC:\Windows\Explorer.exeC:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\IEUser.exeC:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhostO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dllO3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\Windows\ImageShackToolbar\ImageShackToolbar.dllO4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKCU\..\Run: [cdloader] "C:\Users\Shlomy\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACKO4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Shlomy\AppData\Local\Temp\khFyxwxU.dll,cO4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Shlomy\AppData\Local\Temp\byXOfcBu.dll,#1O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')O4 - Startup: magicBlock.lnk = C:\Program Files\magicBlock\magicBlock.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O8 - Extra context menu item: Post Image to Blog - res://C:\Windows\ImageShackToolbar\ImageShackToolbar.dll/5003O8 - Extra context menu item: Tag This Image - res://C:\Windows\ImageShackToolbar\ImageShackToolbar.dll/5002O8 - Extra context menu item: Transload Image to ImageShack - res://C:\Windows\ImageShackToolbar\ImageShackToolbar.dll/5004O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\Windows\ImageShackToolbar\ImageShackToolbar.dll/5000O8 - Extra context menu item: Upload Image to ImageShack - res://C:\Windows\ImageShackToolbar\ImageShackToolbar.dll/5001O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dllO9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exeO15 - Trusted Zone: http://toolbar.imageshack.usO15 - Trusted Zone: my.magicjack.comO16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsol...scueControl.cabO16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dllO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - AppInit_DLLs: avgrsstx.dllO23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exeO23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exeO23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exeO23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe--End of file - 6147 bytes Link to post Share on other sites
Rorschach112 Posted October 27, 2008 Report Share Posted October 27, 2008 HelloDisable resident protections (Antivirus...); you'll re-enable them after the scanDownload Lop S&D < hereDouble-click Lop S&D.exeChoose the language, then choose Option 1 (Search)Wait till the end of the scanPost the log which is created: (%SystemDrive%\lopR.txt) Link to post Share on other sites
Recommended Posts