Help Preventing

 
 
i0u
 
Reply Mon 13 Sep, 2004 09:03 am
OK, I keep deleting coolwwwsearch plus many other of the same spyware programs about 2 or 3 times in one day. How can I get them off and keep them away? I know downloading the SP1a update pack is what needs to be done, but whenever I try to download it the program tells me my Windows product key is not valid!!???!!

 
MurrayS
 
Reply Mon 13 Sep, 2004 03:44 pm
Howdy:

Where did you get your XP CD from??

Murray
 
Don77
 
Reply Mon 13 Sep, 2004 05:47 pm
Could you post an HJT log, please?

Please go Here and unzip the newest version of HJT into a new dedicated folder.
Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it hjt.
Unzip HijackThis into this folder. Launch HijackThis, then press Scan, and press Save Log.

This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.
Most things are harmless and needed, so don't make any changes.
Post a log here, please.
 
i0u
 
Reply Tue 14 Sep, 2004 10:10 pm
Here is my log file, can you help me??

Logfile of HijackThis v1.97.7
Scan saved at 11:09:53 PM, on 9/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inetg\services.exe
C:\Documents and Settings\Stephen Boulden\Application Data\y?ti?u.exe
C:\WINDOWS\System32\l?gonui.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\SpyWare Soft\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/greencore/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.v73.us/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.v73.us
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
F1 - win.ini: run=C:\WINDOWS\inetg\services.exe
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: (no name) - {4EFF172C-9C1E-21C7-8757-61557CD87146} - C:\WINDOWS\System32\xpun.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetg\1.01.05.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: (no name) - {815A82AE-CDEF-11D8-BA48-A6D245798277} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetg\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetg\services.exe
O4 - HKCU\..\Run: [Ocae] C:\Documents and Settings\Stephen Boulden\Application Data\y?ti?u.exe
O4 - HKCU\..\Run: [Swgenwqj] C:\WINDOWS\System32\l?gonui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=411adf3e50df8bf8b07233aba5349f27677625397d12bb63eef4aed08df57c977d16a13d87aa175cc0a3d2c6b62de914f8e9844dd4b7639727:02a2cd5f5ef86a6a9c5501e7089a2147
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095023505117
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Don77
 
Reply Wed 15 Sep, 2004 04:56 am
Hi i0u,
Let's see what we can do here.
Looks like you have a lot of programs disabled from your start-ups. Please enable them; want to make sure nothing is hiding on us.

Next
Delete the entire contents of the below Temp folders, but not the TEMP folder itself.

Remove all the files and sub-folders from the below TEMP Folders:

C:\Documents and Settings\ \Local Settings\Temp
C:\temp
C:\windows\temp

The TIF (Temporary Internet Files) can also be emptied via:
Internet Explorer--Tools--Internet Options--General tab--"Delete Files".
Also tick the "delete all offline content" box.

Do this for each user on the machine.


Next
Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/greencore/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.v73.us/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.v73.us
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
F1 - win.ini: run=C:\WINDOWS\inetg\services.exe
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {4EFF172C-9C1E-21C7-8757-61557CD87146} - C:\WINDOWS\System32\xpun.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetg\1.01.05.dll
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: (no name) - {815A82AE-CDEF-11D8-BA48-A6D245798277} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetg\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetg\services.exe
O4 - HKCU\..\Run: [Ocae] C:\Documents and Settings\Stephen Boulden\Application Data\y?ti?u.exe
O4 - HKCU\..\Run: [Swgenwqj] C:\WINDOWS\System32\l?gonui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=411adf3e50df8bf8b07233aba5349f27677625397d12bb63eef4aed08df57c977d16a13d87aa175cc0a3d2c6b62de914f8e9844dd4b7639727:02a2cd5f5ef86a6a9c5501e7089a2147

Next, reboot to safe mode (by tapping the F8 key on start-up). Make sure you can view all hidden files/folders, then search for and delete the following in BOLD:

C:\WINDOWS\inetg <<<Delete the folder
C:\Documents and Settings\Stephen Boulden\Application Data\y?ti?u.exe
C:\WINDOWS\System32\l?gonui.exe

Next
While still in safe mode, double-check all temp files and make sure they are clean.

Next
Restart your computer.
Please disable System Restore,
How to turn off or turn on Windows XP System Restore


Next:
Go Here: BitDefender Scan Online.
Run a scan with BitDefender as well. Be sure to check Auto Clean.

Next:
Go here: Trend Micro - Free online virus scan.
Be sure to check Auto Clean before you do the scan. If it finds anything that it cannot clean, have it delete it, or make a note of the file location so you can delete it yourself.

Next
Download the newer version of HJT; the link is in the above reply (remove the older version, please).
Restart HJT and post back a fresh log, please.
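The entries Don77 singles out above follow a few recognizable patterns: components registered with "(no file)", a start/search page pointing at an unknown host, a win.ini run= hook, Run entries whose filename imitates a Windows system process (services.exe outside System32) or contains the "?" that HijackThis prints for non-ASCII lookalike characters, and an O6 IE restriction policy. The following Python triage script is an added example, not code from this thread or from HijackThis; it applies those patterns to a few lines copied from the log above, and the trusted-host allowlist and the set of system process names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchportal.info/greencore/
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
F1 - win.ini: run=C:\WINDOWS\inetg\services.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetg\services.exe
O4 - HKCU\..\Run: [Ocae] C:\Documents and Settings\Stephen Boulden\Application Data\y?ti?u.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095023505117
"""

# Assumed allowlist: R0/R1 pages on any other host are treated as hijacked.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")
# Assumed core Windows process names; a Run entry launching one of these from
# outside System32 is a masquerade, like C:\WINDOWS\inetg\services.exe above.
SYSTEM_NAMES = {"services.exe", "svchost.exe", "winlogon.exe", "lsass.exe", "logonui.exe"}

def _host_trusted(url):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)

def triage_line(line):
    """Return a reason string if this HJT entry needs attention, else None."""
    sec = line.split(" - ", 1)[0]
    if line.endswith("(no file)"):
        return "orphaned entry: the registered component file is missing"
    if sec in ("R0", "R1"):
        url = line.partition("=")[2].strip()
        if url and not _host_trusted(url):
            return "browser start/search page points at an untrusted host"
    if sec == "F1":
        return "win.ini run= autostart in use (legacy hook, rarely legitimate on XP)"
    if sec == "O4":
        path = line.partition("] ")[2].strip()
        name = path.rsplit("\\", 1)[-1].lower()
        if "?" in name:  # HJT prints '?' for non-ASCII lookalike characters
            return "autostart filename contains non-ASCII lookalike characters"
        if name in SYSTEM_NAMES and "\\system32\\" not in path.lower():
            return "autostart masquerades as a Windows system process outside System32"
    if sec == "O6":
        return "IE restriction policy present (keeps the user from changing settings)"
    return None

def triage(log_text):
    """Return (section, reason, line) for every flagged entry in a HijackThis log."""
    pairs = ((l.strip(), triage_line(l.strip())) for l in log_text.splitlines())
    return [(l.split(" - ", 1)[0], r, l) for l, r in pairs if r]
```

Running `triage(SAMPLE_LOG)` flags the R0, R3, F1, both O4 and the O6 lines and leaves the Adobe BHO and the Windows Update control alone, matching the split Don77 made by hand.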
 
i0u
 
Reply Wed 15 Sep, 2004 03:41 pm
OK, thank you for all your help so far. Here is the report from BitDefender. I deleted all the files it said it could not fix.


------------------------------------------------------------------------------
C:\WINDOWS\system32\secupdcl.exe infected: Trojan.Downloader.Esepor.H
C:\WINDOWS\system32\secupdcl.exe unable to disinfect
C:\WINDOWS\system32\secupd0312.exe infected: Trojan.Downloader.Esepor.I
C:\WINDOWS\system32\secupd0312.exe unable to disinfect
C:\WINDOWS\system32\secupd050104.exe=>(Upx) infected: Trojan.Downloader.Esepor.M
C:\WINDOWS\system32\secupd050104.exe=>(Upx) unable to disinfect
C:\WINDOWS\smfin32.exe infected: Trojan.Downloader.Small.NE
C:\WINDOWS\smfin32.exe unable to disinfect
C:\Documents and Settings\Stephen Boulden\Desktop\bbhh\UNTIOPsecupd0312.exe infected: Trojan.Downloader.Esepor.I
C:\Documents and Settings\Stephen Boulden\Desktop\bbhh\UNTIOPsecupd0312.exe unable to disinfect
C:\Documents and Settings\Stephen Boulden\Desktop\bbhh\UNTIOPsecupdcl.exe infected: Trojan.Downloader.Esepor.H
C:\Documents and Settings\Stephen Boulden\Desktop\bbhh\UNTIOPsecupdcl.exe unable to disinfect
C:\Documents and Settings\Stephen Boulden\Desktop\bbhh\UNTIOPsecupd050104.exe=>(Upx) infected: Trojan.Downloader.Esepor.M
C:\Documents and Settings\Stephen Boulden\Desktop\bbhh\UNTIOPsecupd050104.exe unable to disinfect
C:\Program Files\Internet Explorer\setup.exe infected: Trojan.Downloader.Small.GV
C:\Program Files\Internet Explorer\setup.exe unable to disinfect
C:\SpyWare Soft\backup-20040915-153032-309.dll=>(Upx) infected: Trojan.Downloader.Winupdt.A
C:\SpyWare Soft\backup-20040915-153032-309.dll=>(Upx) unable to disinfect
C:\FOUND.031\FILE0170.CHK infected: Trojan.Downloader.Dyfuca.J
C:\FOUND.031\FILE0170.CHK unable to disinfect
C:\FOUND.031\FILE0191.CHK infected: Backdoor.Ruledor.B
C:\FOUND.031\FILE0191.CHK unable to disinfect
--------------------------------------------------------------------------

Ok I did everything and here is the new HJT log.

Logfile of HijackThis v1.98.2
Scan saved at 4:40:53 PM, on 9/15/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Stephen Boulden\Local Settings\Temp\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095023505117
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
 
i0u
 
Reply Wed 15 Sep, 2004 08:43 pm
After following all your instructions, that you wrote in your first message, I have been having a lot better luck. It seems like I have finally cured the problem. Thank you very much, whoever you are. I appreciate all your help!

- i0u (A.K.A Steve)
 
Don77
 
Reply Thu 16 Sep, 2004 04:28 am
Hi Steven,
A couple of minor fixes.
Have HJT fix these the same way as above:

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Can you give us some info on the following? If you don't know what it is, you should fix it with HJT:
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe

Go to Windows Update and check for the latest critical and security updates.

Post back a fresh log, please, after you have done the above.