HijackThis Log

Discussion in 'Windows Desktop Systems' started by Jewelzz, Mar 8, 2006.

  1. Jewelzz

    New PC, haven't done anything to it yet, AV and firewall have been active since I got the damn thing ... Porn has taken over :mad: , I'm using FF and a new tab keeps opening with a porn site. Can you all tell me what I need to get rid of? AV runs clean, finds no virus, SpyBot runs clean also. HELP ME PLEASE!!
     

  2. madmatt

    YazzleActiveX Control - Uninstall the ActiveX control through Internet Options

    This also stands out... C:\PROGRAM FILES\OEIL\NCMA.EXE

    Is "mHotkey.exe" one of your PC applications for your keyboard?
     
  3. Jewelzz

    You're talking to an idiot, please explain :s

    [edit] As for mHotkey.exe, dunno. I have a MS keyboard *shrug* [/edit]
     
    Last edited: Mar 8, 2006
  4. kcnychief

    If you check the box next to the entry within Hijackthis and then select remove, it will remove the item as well.

    Matt's suggestion may be more efficient, but that is easier :p
     
  5. falconguard

    mhotkey is a device driver for a keyboard.

    Have HJT fix this
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control)
     
  7. Hipster Doofus

    Please remember in your suggestions.....................Jewelzz is an IDIOT! :p
     
  8. Jewelzz

    :cry:
     
  9. Grandmaster

    *slaps Hipster Doofus*
     
  10. mlakrid


    Don't cry Jewelzz, just look at the name of the person calling you an idiot

    Makes me think of a kettle calling the pot black...:laugh:
     
  11. kcnychief

    Not cool, and not even close to being relevant.

    Why post that at all?
     
  12. Grandmaster

    It's Hipster...he's allowed.
     
  13. j79zlr

    Ok Jewelzz, do the following:

    Have HJT fix:

    R3 - Default URLSearchHook is missing
    O4 - HKCU\..\Run: [Ealb] "C:\Program Files\oeil\ncma.exe" -vt yax
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O20 - Winlogon Notify: winueb32 - C:\WINDOWS\SYSTEM32\winueb32.dll

    Reboot into safemode and delete the following:

    1) Entire contents of C:\Windows\Temp
    2) Entire contents of C:\Docs and Settings\<username>\Local Settings\Temp
    3) The folder C:\Program Files\oeil\

    Reboot into normal mode again, download and install ewido security suite and follow the directions:

    1. Download Ewido security suite from http://download.ewido.net/ewido-setup.exe
    2. After the download is complete, double click on the file to launch the install process.
    3. During installation under the Additional Options menu, you will be asked if you want to "Install background guard (required for automatic updates)" and "Install scan via context menu". Please UNCHECK both of these options.
    4. Once installation is complete, launch Ewido by double-clicking the big "E" icon on your desktop. The program will prompt you to update -- click the 'OK' button.
    5. The program will now go to the main screen. On the left hand side of the main screen, click on Update and then click 'Start Update'. The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see 'Update Successful' in the lower left corner.
    6. Click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'
    7. Please make sure 'Scan Every File' is selected. Finally, please click 'OK'
    8. On the main screen, please select 'Complete System Scan' and the scan should begin.
    9. While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose clean, then put a check next to 'Perform action on all infections' in the box. Doing this enables the scan to proceed automatically until its completion. Click OK
    10. When the scan is complete, click "Save Report". Your scan results will be saved in a textfile. Please submit that with your next post.

    Please also post a new HJT log along with the ewido report.
     
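The four lines j79zlr lists come from four different HijackThis sections, and each one points at a different persistence location (a Run value, a downloaded ActiveX control, a Winlogon Notify DLL, and the IE URLSearchHook). The script below is an added example, not part of this thread and not HijackThis code: it parses those log lines, flags the ones a helper would ask to have fixed, and maps each to the registry location that "Fix checked" removes plus the file the post has you delete from safe mode. The benign mHotkey.exe line and its path, the TRUSTED_DIRS allowlist, and the registry paths are assumptions made here from general knowledge of HijackThis, not statements from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four lines j79zlr told Jewelzz to fix, copied from
# the post, plus one benign O4 line. The mHotkey.exe line and its path are an
# assumption added here so the triage has something to leave alone.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [mHotkey] C:\WINDOWS\system32\mHotkey.exe
O4 - HKCU\..\Run: [Ealb] "C:\Program Files\oeil\ncma.exe" -vt yax
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: winueb32 - C:\WINDOWS\SYSTEM32\winueb32.dll
"""


@dataclass
class Entry:
    kind: str        # HijackThis section: R3, O4, O16 or O20
    raw: str
    name: str = ""   # Run value name, DPF control name, Notify subkey, or R3 text
    path: str = ""   # executable or DLL on disk (O4, O20)
    hive: str = ""   # O4: HKLM or HKCU
    key: str = ""    # O4: Run or RunOnce
    clsid: str = ""  # O16
    url: str = ""    # O16: where the CAB was fetched from


O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \(([^)]*)\)(?: - (\S+))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
R3_RE = re.compile(r"^R3 - (.+)$")


def exe_from_command(cmd):
    """First token of a Run command line, honouring a quoted path.
    Unquoted paths containing spaces are ambiguous and get cut at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_hjt(text):
    """Turn HijackThis log lines into Entry objects; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            hive, key, name, cmd = m.groups()
            entries.append(Entry("O4", line, name, exe_from_command(cmd), hive, key))
        elif (m := O16_RE.match(line)):
            clsid, name, url = m.groups()
            entries.append(Entry("O16", line, name, clsid=clsid, url=url or ""))
        elif (m := O20_RE.match(line)):
            name, path = m.groups()
            entries.append(Entry("O20", line, name, path))
        elif (m := R3_RE.match(line)):
            entries.append(Entry("R3", line, m.group(1)))
    return entries


# Assumption made here: autoruns launched from these folders are accepted
# without a second look; anything else gets reviewed, which is how the thread
# singled out C:\Program Files\oeil\ncma.exe.
TRUSTED_DIRS = {r"c:\windows\system32"}


def needs_review(e):
    """Entries a helper would ask to have fixed or at least explained."""
    if e.kind in ("O16", "O20", "R3"):
        # Downloaded ActiveX controls, Winlogon Notify DLLs and a missing or odd
        # URLSearchHook are rare enough on a clean box that every one gets a look.
        return True
    if e.kind == "O4":
        folder = e.path.lower().rsplit("\\", 1)[0]
        return folder not in TRUSTED_DIRS
    return False


# Registry locations behind each section (general HijackThis knowledge, not
# something the post states): 'Fix checked' deletes these; the files are what
# j79zlr has Jewelzz delete by hand from safe mode.
RUN_BASE = r"Software\Microsoft\Windows\CurrentVersion"
DPF_BASE = r"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units"
NOTIFY_BASE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
HOOK_KEY = r"HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks"


def cleanup_plan(e):
    """(what, where) pairs to remove for one entry."""
    if e.kind == "O4":
        return [("reg", "\\".join([e.hive, RUN_BASE, e.key]) + " :: " + e.name),
                ("file", e.path)]
    if e.kind == "O16":
        return [("reg", DPF_BASE + "\\" + e.clsid),
                ("dir", r"C:\WINDOWS\Downloaded Program Files")]  # the CAB's contents land here
    if e.kind == "O20":
        return [("reg", NOTIFY_BASE + "\\" + e.name), ("file", e.path)]
    if e.kind == "R3":
        return [("reg", HOOK_KEY + " (HijackThis restores the default hook)")]
    return []


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        if needs_review(e):
            print(e.raw)
            for what, where in cleanup_plan(e):
                print("   ", what, where)
```

Run it as-is and it prints the four entries from the post with their registry and file locations, and leaves the mHotkey line alone. The allowlist is deliberately tiny; on a real box you would extend it rather than trust everything under Program Files, which is exactly where ncma.exe was hiding.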
  14. Jewelzz

    Thanks for the help guys! j79zlr, I'll get to your stuff later, have a few things to get done today.
     
  15. Jewelzz

    OK, here's the other log j79zlr asked for.
     

  16. kcnychief

    Looks like there was a bunch of stuff it cleaned during that last scan:

    Code:
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CVQWOOA8\srvlbin5[2].exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NJBDKCX7\rdgUS2404[1].exe -> Downloader.Small.ayl : Cleaned with backup
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NJBDKCX7\rdgUS2405[1].exe -> Downloader.Small.ayl : Cleaned with backup
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NJBDKCX7\srvlbin5[1].exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NJBDKCX7\srvlbin5[2].exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NJBDKCX7\srvlbin5[3].exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QLI3KRPU\mvlsbin2[1].exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UNLFSJAN\srvlbin4[1].exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Program Files\oeil\ncma.exe -> Downloader.PurityScan.bu : Cleaned with backup
    C:\WINDOWS\system32\oins.exe -> Dropper.PurityScan.ad : Cleaned with backup
    C:\WINDOWS\Temp\win22.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win3B3.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win3B9.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win3BE.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win3C2.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win3D0.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win47.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win67B.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win6A.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win7BB.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win7C0.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win7C4.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\YAXUninst.exe -> Adware.MediaTickets : Cleaned with backup
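Most of that report is the same dialer landing over and over in the IE cache and in C:\WINDOWS\Temp; only three files live anywhere else, and one of them (ncma.exe) is the Run entry HijackThis had already pointed at. The script below is an added example, not part of the thread and not ewido output handling: it parses an excerpt of the report lines quoted above, strips the variant suffix to group hits by family, and separates browser-cache and temp copies from files installed elsewhere, which are the ones that actually need a persistence mechanism behind them. The three location categories and the excerpt selection are choices made here.

```python
import re
from collections import Counter

# Excerpt of the ewido report quoted above (lines copied from the post; the
# full report has more cache and Temp hits of the same two families).
REPORT = r"""
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CVQWOOA8\srvlbin5[2].exe -> Trojan.Dialer.oy : Cleaned with backup
 C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NJBDKCX7\rdgUS2404[1].exe -> Downloader.Small.ayl : Cleaned with backup
 C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QLI3KRPU\mvlsbin2[1].exe -> Trojan.Dialer.oy : Cleaned with backup
 C:\Program Files\oeil\ncma.exe -> Downloader.PurityScan.bu : Cleaned with backup
 C:\WINDOWS\system32\oins.exe -> Dropper.PurityScan.ad : Cleaned with backup
 C:\WINDOWS\Temp\win22.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
 C:\WINDOWS\Temp\win3B3.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
 C:\WINDOWS\YAXUninst.exe -> Adware.MediaTickets : Cleaned with backup
"""

# "<path> -> <detection> : <action>", as ewido wrote it; the path is matched
# lazily so a " -> " inside a file name would not confuse the split.
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")


def parse_report(text):
    """One dict per report line; blank or unrecognised lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def family(detection):
    """Drop the lowercase variant suffix: Trojan.Dialer.oy -> Trojan.Dialer."""
    return re.sub(r"\.[a-z]+$", "", detection)


def classify(path):
    """Where the file sat (categories are an assumption made here)."""
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "browser-cache"   # fetched by the browser; not a persistence point by itself
    if "\\temp\\" in p:
        return "temp-drop"       # copies written at run time by whatever was already running
    return "installed"           # outside cache/Temp: needs an autorun or similar to survive


def summarize(hits):
    """Counts by family and by location, plus the installed files to chase in HijackThis."""
    by_family = Counter(family(h["detection"]) for h in hits)
    by_class = Counter(classify(h["path"]) for h in hits)
    installed = sorted(h["path"] for h in hits if classify(h["path"]) == "installed")
    return by_family, by_class, installed


if __name__ == "__main__":
    by_family, by_class, installed = summarize(parse_report(REPORT))
    print("by family:  ", dict(by_family))
    print("by location:", dict(by_class))
    print("installed files to match against the HJT log:")
    for p in installed:
        print("   ", p)
```

The installed list is the one to compare with the HijackThis entries: ncma.exe matches the O4 line j79zlr had fixed, while oins.exe and YAXUninst.exe show up only in the scanner report, which is why the thread asks for a fresh HJT log after the clean rather than assuming the first log told the whole story.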
    
     
  17. Grandmaster

    That is really crappy though. Free trojan with a computer.

    Actually it reminds me of when we got a laptop 3-4 years ago from IBM. Came loaded with a boot sector virus.

    If you haven't done anything with it yet, why not just take it back to them and get another one?
     
  18. j79zlr

    That looks like it should have cleaned everything, please post a new HijackThis log as well.

    Case in point as to why not to use Internet Explorer.
     
  19. kcnychief

    Not guaranteed that she used IE. Might have been planted by the people who built the computer, depending on where it came from.

    Glad to hear it's looking better Jewelzz. I agree with Omar, you should contact the bums who sold you that computer and tear them a new one.
     
  20. Jewelzz

    New HijackThis log ...

    I'll definitely be contacting the place where I purchased it and bitch them out. Thanks for all the help guys :)
     
