meganu
1 Nickel

Hijack this log - getting fatal system errors please help

I've been getting fatal system errors, sometimes it happens right after startup, sometimes it's a minute or two after starting internet explorer. It's a blue screen with the message --
STOP: c0000021a {Fatal System Error} The Windows Logon Process System process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000). The system has been shut down.
 
I also had a lot of popups and other spyware symptoms. So here's what I did yesterday:
- Ran Spybot and rebooted
- Ran Ad-Aware and rebooted
- Ran Symantec Virus Scan...nothing found
- Disk Cleanup
- Cleared startup group -- only item in folder was loader[1]  -- rebooted
- Ran housecall virus scan -- found 61 infected files with TROJ REGGER.F, TROJ WEBSEARCH.A, TROJ STARTPAG.AL, TROJ PURITYSCN.O -- deleted infected files
- Ran symantec security scan -- status At Risk for Virus Protection
- Ran symantec virus scan -- safe, no viruses detected
- Installed AVG anti virus -- ran update and scanned -- 129 viruses found -- Trojan Horse Downloader.VB.S (Bio9f.exe), Trojan horse Downloader.small.13.BJ, Downloader.Istbar.5.A1, Downloader.small.15.AB, Downloader.agent.4.AM, Downloader.VB.4.AG, Downloader.dyfica.2.BA, Regger.A  
- Ran CWShredder -- Found CWS.Bootconf and CWS.Svchost32
- Installed pop-up stopper
 
I was hoping that would've fixed the problem, but today I got the FSE again and am still getting popups.
Here is my hijackthis log:
 
Logfile of HijackThis v1.99.0
Scan saved at 11:57:50 AM, on 12/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\documents and settings\us\local settings\temp\L3CyjtTH.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Us\Application Data\eetu.exe
C:\WINDOWS\System32\?hkdsk.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Us\Local Settings\Temp\PQ2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Adorons Easy Security - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - C:\Program Files\Enigma Software Group\Adorons Easy Security\ETB.dll (file missing)
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Basic\popuppro.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: c:\documents and settings\us\local settings\temp\N.exe
O4 - HKLM\..\Run: [qvTe] c:\documents and settings\us\local settings\temp\qvTe.exe
O4 - HKLM\..\Run: [L3CyjtTH] C:\documents and settings\us\local settings\temp\L3CyjtTH.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Us\Application Data\eetu.exe
O4 - HKCU\..\Run: [Fekn] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - (no file)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.com/save/makeover.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
 
zbestwun2001
6 Gallium

Re: Hijack this log - getting fatal system errors please help

You have a plethora of nasty things going on in there.
Between your O15 and O1 entries, and probably more, you do have problems for sure.
Hang tight and one of the HJT pros will be with you.

No wonder your system is acting up.

Hang loose
Steve

Message Edited by zbestwun2001 on 12-19-2004 09:38 AM

 

Dell Forum Member Since 2004 but not an employee of Dell

Midnight Star
5 Rhenium

Re: Hijack this log - getting fatal system errors please help

meganu, 

Let's see if we can try and fix this; it might get a little complicated, so, if you have questions at any time, just post back.

First, let's start off by looking where no-hijack has looked before:

1.  Download Dllcompare, and Killbox to your desktop.

2.  click "Run locate.com".

     When the scan is complete, you will see: Completed the scan, Click Compare to Continue

3. click "Compare".

    In a few minutes it will be completed.


4. click "Make a Log of what was Found".

5. Post that back as a reply to this post.


Mike.

 

meganu
1 Nickel

Re: Hijack this log - getting fatal system errors please help

Thanks for your help Mike! Here's the log:

 

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\en82l1~1.dll   Mon Dec 13 2004   4:43:36p  ..S.R        224,027   218.77 K
C:\WINDOWS\SYSTEM32\enj8l1~1.dll   Mon Dec 20 2004   9:13:58p  ..S.R        223,051   217.82 K
C:\WINDOWS\SYSTEM32\fp6s03~1.dll   Sat Dec 18 2004   6:57:28p  ..S.R        225,665   220.38 K
C:\WINDOWS\SYSTEM32\i6nmlg~1.dll   Sun Dec 19 2004  10:18:00a  ..S.R        226,058   220.76 K
C:\WINDOWS\SYSTEM32\irnml5~1.dll   Tue Dec 21 2004  11:27:48p  ..S.R        224,902   219.63 K
C:\WINDOWS\SYSTEM32\ixmon.dll      Sat Dec 11 2004  10:49:32a  ..S.R        224,027   218.77 K
C:\WINDOWS\SYSTEM32\jhpl400.dll    Wed Dec 15 2004   4:53:58p  ..S.R        223,888   218.64 K
C:\WINDOWS\SYSTEM32\l8p2li~1.dll   Sat Dec 18 2004   7:08:04p  ..S.R        226,180   220.88 K
C:\WINDOWS\SYSTEM32\modmo.dll      Sat Dec 18 2004   6:34:02p  ..S.R        224,902   219.63 K
C:\WINDOWS\SYSTEM32\o0rola~1.dll   Sun Dec 19 2004  12:00:16a  ..S.R        225,025   219.75 K
C:\WINDOWS\SYSTEM32\rkpcfgex.dll   Wed Dec 22 2004   5:15:24p  ..S.R        223,051   217.82 K
C:\WINDOWS\SYSTEM32\u8ru0i~1.dll   Wed Dec 15 2004   6:49:58p  ..S.R        223,888   218.64 K
________________________________________________

1,262 items found:  1,262 files (12 H/S), 0 directories.
Total of file sizes:  247,223,286 bytes    235.77 M

Administrator Account =  True

--------------------End log---------------------

 

Midnight Star
5 Rhenium

Re: Hijack this log - getting fatal system errors please help

meganu,

Now, let's download KillBox, unzip it to your desktop, then:

-----

1.  check(tick) "Replace on reboot"

2.  enter C:\WINDOWS\SYSTEM32\en82l1~1.dll, in "Full Path of File to Delete".

3.  check(tick) "Use Dummy".

4.  click the red-x, just right of where you entered the file to delete.

5.  Confirm that you want to replace the 'bad' file with the 'dummy'.

6.  When prompted to "Reboot Now", select "No".

7. Now repeat steps #1 - #6 for the following files:

C:\WINDOWS\SYSTEM32\enj8l1~1.dll
C:\WINDOWS\SYSTEM32\fp6s03~1.dll
C:\WINDOWS\SYSTEM32\i6nmlg~1.dll
C:\WINDOWS\SYSTEM32\irnml5~1.dll
C:\WINDOWS\SYSTEM32\ixmon.dll
C:\WINDOWS\SYSTEM32\jhpl400.dll
C:\WINDOWS\SYSTEM32\l8p2li~1.dll
C:\WINDOWS\SYSTEM32\modmo.dll
C:\WINDOWS\SYSTEM32\o0rola~1.dll
C:\WINDOWS\SYSTEM32\rkpcfgex.dll
C:\WINDOWS\SYSTEM32\u8ru0i~1.dll

C:\Windows\System32\Guard.tmp

After entering the last file, when prompted to "Reboot Now", select "Yes".

-----

You can copy/paste these file name(s) to save on typing.


Now, let's go back and run DLLCompare again, just like we did in the previous post, and post back the results.

Be sure not to reboot your computer while we're working on this, otherwise we'll have a whole new set of program(s) to check for - this thing has a habit of changing the above names on reboot ... Smiley Sad

Mike.

 

meganu
1 Nickel

Re: Hijack this log - getting fatal system errors please help

Ok, here's the new log:

 

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\en24l1~1.dll   Wed Dec 22 2004  11:17:26p  ..S.R        223,051   217.82 K
C:\WINDOWS\SYSTEM32\i4jqle~1.dll   Thu Dec 23 2004   8:02:48p  ..S.R        224,902   219.63 K
________________________________________________
1,263 items found:  1,263 files (3 H/S), 0 directories.
Total of file sizes:  245,200,186 bytes    233.84 M
Administrator Account =  True
--------------------End log---------------------
 
 
Much shorter this time...that's good, right? Although, when I rebooted the computer, I got two errors:
 
One said, An exception occurred while trying to run ""C:\WINDOWS\System32\SZSSetup.dll",UMonitor"
 
The other one said, An application has generated an exception that could not be handled. Process id=0x7bc(1980), Thread id=0x274(628). Click OK to terminate application. Click cancel to debug the application.
 
I clicked cancel....but what do these errors mean?
 
Thanks!!
Megan
Midnight Star
5 Rhenium

Re: Hijack this log - getting fatal system errors please help

Megan,
 
Yes it does! You're doing great!

We've only gotten to part of the problem, there's still some things running that we need to fix as well, and those can be generating that error. Once they're removed, those error messages should go away. This is one of the toughest problems to fix!

Let's take the next pass...


Now, let's run KillBox again, then:

-----

1.  check(tick) "Replace on reboot"

2.  enter C:\WINDOWS\SYSTEM32\en24l1~1.dll , in "Full Path of File to Delete".

3.  check(tick) "Use Dummy".

4.  click the red-x, just right of where you entered the file to delete.

5.  Confirm that you want to replace the 'bad' file with the 'dummy'.

6.  When prompted to "Reboot Now", select "No".

7. Now repeat steps #1 - #6 for the following files:

C:\WINDOWS\SYSTEM32\i4jqle~1.dll

C:\Windows\System32\Guard.tmp

After entering the last file, when prompted to "Reboot Now", select "Yes".

-----

You can copy/paste these file name(s) to save on typing.


I'll see if we can get some of the log entry(s) cleaned up next, then we'll try running this program again to see if we've gotten everything.

Remember, don't reboot your computer until we're done.

Hang in there ... Smiley Happy

Mike.

Midnight Star
5 Rhenium

Re: Hijack this log - getting fatal system errors please help

Megan,
 
Ok, let's see what we can do now...
 
 
Reboot your computer into "Safe Mode".
 


Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
 
regsvr32  /u  PQ2.dll
 
It's ok, if these aren't found.
 


Now, let's run HiJackThis, then:
 
1.  click "Config..."
2.  click "Misc Tools"
3.  click "Delete a file on reboot"
4.  browse to, then double-click on each of the file(s) below, one at a time:
 
    C:\Documents and Settings\Us\Application Data\eetu.exe
   
5.  when prompted to "Reboot Now", after selecting each file, select "No".
 


Run HiJackThis and click "Scan", then check(tick) the following, if present:
 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
 
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
 
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
(If HiJackThis 'crashes' when trying to fix these entry(s), then omit them and try again.)
 
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Us\Local Settings\Temp\PQ2.dll
 
O3 - Toolbar: Adorons Easy Security - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - C:\Program Files\Enigma Software Group\Adorons Easy Security\ETB.dll (file missing)
 
O4 - HKLM\..\Run: c:\documents and settings\us\local settings\temp\N.exe
O4 - HKLM\..\Run: [qvTe] c:\documents and settings\us\local settings\temp\qvTe.exe
O4 - HKLM\..\Run: [L3CyjtTH] C:\documents and settings\us\local settings\temp\L3CyjtTH.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Us\Application Data\eetu.exe
O4 - HKCU\..\Run: [Fekn] C:\WINDOWS\System32\?hkdsk.exe
 
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)
 
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
 

Now, with all windows closed except HiJackThis, click "Fix checked".
 

Run "Disk Cleanup" and allow it to remove everything it finds; especially temporary folders.

Reboot your computer normally.


Run DLLCompare again, and post back the results along with a new log.

Mike.
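
A small triage pass over HijackThis lines of the kind reviewed in the post above, as an added example that is not part of the original thread and not HijackThis's own logic. The rules are assumptions of this example and only mark entries for review (autoruns or BHOs loading from Temp or directly from Application Data, hosts redirects of search names, Trusted-zone additions); the sample lines are copied from the log posted in this thread.

```python
import re

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Us\Local Settings\Temp\PQ2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [qvTe] c:\documents and settings\us\local settings\temp\qvTe.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Us\Application Data\eetu.exe
O4 - HKCU\..\Run: [Fekn] C:\WINDOWS\System32\?hkdsk.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path"
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")

# Heuristic review rules (assumptions of this example): (sections, pattern, reason).
RULES = [
    ({"O2", "O4"}, re.compile(r"\\local settings\\temp\\", re.I),
     "loads from a Temp folder"),
    ({"O2", "O4"}, re.compile(r"\\application data\\[^\\]+\.(exe|dll)\b", re.I),
     "binary sits directly in Application Data"),
    ({"O4"}, re.compile(r"\\\?[^\\]*\.exe", re.I),
     "file name contains a character the log could not print"),
    ({"R3"}, re.compile(r"\(no file\)"),
     "search hook with no file behind it"),
    ({"O1"}, re.compile(r"^Hosts: (?!127\.0\.0\.1\b)\S+ \S*search", re.I),
     "hosts file points a search name at a non-loopback address"),
    ({"O15"}, re.compile(r"^Trusted (Zone|IP range):"),
     "site or address added to the Trusted zone"),
    ({"O16"}, re.compile(r"file://", re.I),
     "ActiveX control installed from a local file"),
]


def triage(log_text):
    """Return (section, body, reasons) for every entry that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.groups()
        reasons = [why for sections, rx, why in RULES
                   if section in sections and rx.search(body)]
        if reasons:
            findings.append((section, body, reasons))
    return findings


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"[review] {section}: {body}")
        for why in reasons:
            print(f"         - {why}")
```

A flagged line is a prompt to look at the file or registry value, not a verdict; entries such as the O3 toolbar and the AVG service above pass through unflagged because no rule covers them.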

 

 

meganu
1 Nickel

Re: Hijack this log - getting fatal system errors please help

Mike,
Good news!!! Here's the DLLCompare Log:
 
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found Smiley Happy"
________________________________________________
1,261 items found:  1,261 files, 0 directories.
Total of file sizes:  244,529,238 bytes    233.20 M
Administrator Account =  True
--------------------End log---------------------
 
But I still got one of the errors on startup, the one asking me to click ok to continue and cancel to debug.
 
Does this mean everything is all clear?? If so, how do I keep this from happening again? I have mcafee online virus scan (came with the computer) and spybot, ad-aware, AVG virus scan, and I can go to those websites (housecall and symantec) to run the scans they have. I'm also going to download firefox browser, which I've heard is a lot more secure than IE. Should I buy more virus protection, or spyware protection? Or will all this be enough? Don't want to go through this again!
 
Thanks!!
Megan
Midnight Star
5 Rhenium

Re: Hijack this log - getting fatal system errors please help

Megan,

Exceptional work! That definitely is great news!

Ok, let's see what we've got left, then we'll move on to that problem. Also on your other questions, let's take those one step at a time; don't buy anything yet. I'll keep this thread open as long as you need, so don't hesitate to ask every question you can possibly think of - trust me.

There's a lot of things we can do, but let's start out by posting back a new hijackthis log and let me see what we have left to fix.

Mike.

 
