
Something bad here?



#1 donnar


Posted 25 March 2005 - 05:25 PM

Have cleaned my friend's computer to the best of my knowledge, but the Hijack log still has some questionable items. Appreciate any input.


Logfile of HijackThis v1.99.1
Scan saved at 9:44:20 AM, on 3/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)



Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ebvimlix6.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Sharp\Qtopia Desktop\qtopiatray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sharp\Qtopia Desktop\dcopserver.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Catherine Belding\My Documents\Hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {D99FE7AA-8D99-F5D0-D9E4-312DDDBB63BA} - (no file)
O2 - BHO: (no name) - {ED2AD7A3-82A3-3839-4D0E-5324EAD9C029} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Global Startup: qtopiatray.lnk = C:\Program Files\Sharp\Qtopia Desktop\qtopiatray.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O23 - Service: iwntbjvgpmvi (opknucql6) - Unknown owner - C:\WINDOWS\System32\ebvimlix6.exe


Thanks,


 


#2 Grinler

Grinler

    Lawrence Abrams



Posted 25 March 2005 - 11:29 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click scan, and put a checkmark next to each of these. Then click the Fix button:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {D99FE7AA-8D99-F5D0-D9E4-312DDDBB63BA} - (no file)
O2 - BHO: (no name) - {ED2AD7A3-82A3-3839-4D0E-5324EAD9C029} - (no file)
O23 - Service: iwntbjvgpmvi (opknucql6) - Unknown owner - C:\WINDOWS\System32\ebvimlix6.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\System32\ebvimlix6.exe

Reboot your computer to go back to normal mode and post a new log.

#3 donnar


Posted 26 March 2005 - 12:57 PM

Followed your instructions. Below is the second Hijack Log. Strangely, I also found the following file:

C:\WINDOWS\System32\ebvimlix5.exe

Suspect it will need to be deleted as well, especially since the two BHO files are once again in the Log. Awaiting your instructions on that, though.


Logfile of HijackThis v1.99.1

Scan saved at 12:48:49 PM, on 3/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Sharp\Qtopia Desktop\qtopiatray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Catherine Belding\My Documents\Hijack\HijackThis.exe
C:\Program Files\Sharp\Qtopia Desktop\dcopserver.exe

O2 - BHO: (no name) - {D99FE7AA-8D99-F5D0-D9E4-312DDDBB63BA} - (no file)
O2 - BHO: (no name) - {ED2AD7A3-82A3-3839-4D0E-5324EAD9C029} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Global Startup: qtopiatray.lnk = C:\Program Files\Sharp\Qtopia Desktop\qtopiatray.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll

#4 Grinler


Posted 26 March 2005 - 01:23 PM

You can delete this:

C:\WINDOWS\System32\ebvimlix5.exe

And fix these two entries in safe mode:

O2 - BHO: (no name) - {D99FE7AA-8D99-F5D0-D9E4-312DDDBB63BA} - (no file)
O2 - BHO: (no name) - {ED2AD7A3-82A3-3839-4D0E-5324EAD9C029} - (no file)

Reboot and post a last log.

#5 donnar


Posted 26 March 2005 - 02:22 PM

Those BHO's will not go away. I did as you instructed. Below is the Hijack Log which I ran in Safe Mode after I clicked to fix the two files:

Logfile of HijackThis v1.99.1
Scan saved at 2:08:33 PM, on 3/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Catherine Belding\My Documents\Hijack\HijackThis.exe

O2 - BHO: (no name) - {D99FE7AA-8D99-F5D0-D9E4-312DDDBB63BA} - (no file)
O2 - BHO: (no name) - {ED2AD7A3-82A3-3839-4D0E-5324EAD9C029} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Global Startup: qtopiatray.lnk = C:\Program Files\Sharp\Qtopia Desktop\qtopiatray.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll

I also have a log I made after a normal restart:

Logfile of HijackThis v1.99.1
Scan saved at 2:14:21 PM, on 3/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Sharp\Qtopia Desktop\qtopiatray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sharp\Qtopia Desktop\dcopserver.exe
C:\Documents and Settings\Catherine Belding\My Documents\Hijack\HijackThis.exe

O2 - BHO: (no name) - {D99FE7AA-8D99-F5D0-D9E4-312DDDBB63BA} - (no file)
O2 - BHO: (no name) - {ED2AD7A3-82A3-3839-4D0E-5324EAD9C029} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Global Startup: qtopiatray.lnk = C:\Program Files\Sharp\Qtopia Desktop\qtopiatray.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/platypus/miniclipGameLoader.dll

#6 Grinler


Posted 26 March 2005 - 11:19 PM

Hi. Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section.

Then right click on the following keys and delete them :

{D99FE7AA-8D99-F5D0-D9E4-312DDDBB63BA}
{ED2AD7A3-82A3-3839-4D0E-5324EAD9C029}

Then reboot and post a new log
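
Added example, not part of the original posts: a small Python sketch that compares two HijackThis scans to show which ticked entries were actually removed, which persisted, and which are new, using entry lines copied from the first two logs in this thread. The function names and the choice of which lines to embed are assumptions of this example.

```python
import re

# A HijackThis entry line: section code, " - ", then free text.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Entry lines copied from the first two logs in this thread.
SCAN_1 = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {D99FE7AA-8D99-F5D0-D9E4-312DDDBB63BA} - (no file)
O2 - BHO: (no name) - {ED2AD7A3-82A3-3839-4D0E-5324EAD9C029} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O23 - Service: iwntbjvgpmvi (opknucql6) - Unknown owner - C:\WINDOWS\System32\ebvimlix6.exe
"""
SCAN_2 = r"""
O2 - BHO: (no name) - {D99FE7AA-8D99-F5D0-D9E4-312DDDBB63BA} - (no file)
O2 - BHO: (no name) - {ED2AD7A3-82A3-3839-4D0E-5324EAD9C029} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
"""

def parse_entries(log_text):
    """Return the entry lines of a log in order, skipping headers and process paths."""
    lines = (raw.strip() for raw in log_text.splitlines())
    return [line for line in lines if ENTRY_RE.match(line)]

def compare_scans(before, after, fixed):
    """Sort the entries that were ticked for fixing by what the next scan shows."""
    old, new = parse_entries(before), parse_entries(after)
    return {
        "removed": [e for e in fixed if e in old and e not in new],
        "persisted": [e for e in fixed if e in new],
        "new": [e for e in new if e not in old],
    }

def orphaned_bho_clsids(entries):
    """CLSIDs of O2 entries reported as '(no file)': a registry key with no DLL."""
    return [CLSID_RE.search(e).group(0) for e in entries
            if e.startswith("O2 - ") and e.endswith("(no file)") and CLSID_RE.search(e)]

if __name__ == "__main__":
    # The four entries ticked in the first round of fixes (everything but O4).
    fixed = [e for e in parse_entries(SCAN_1) if not e.startswith("O4 - ")]
    report = compare_scans(SCAN_1, SCAN_2, fixed)
    for status, items in report.items():
        for item in items:
            print(f"{status:9} {item}")
    print("orphaned BHO keys:", orphaned_bho_clsids(report["persisted"]))
```

The persisted list is the set of entries that need the manual registry cleanup described in the post above; the new list surfaces anything that appeared between scans, here the WinPatrol startup entry.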

#7 donnar


Posted 27 March 2005 - 12:01 AM

Great! That worked. Here's the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 11:56:49 PM, on 3/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Program Files\Sharp\Qtopia Desktop\qtopiatray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Catherine Belding\My Documents\Hijack\HijackThis.exe
C:\Program Files\Sharp\Qtopia Desktop\dcopserver.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Global Startup: qtopiatray.lnk = C:\Program Files\Sharp\Qtopia Desktop\qtopiatray.exe

#8 Grinler


Posted 27 March 2005 - 02:50 PM

Log looks clean...great job!

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Re-enable system restore with instructions from the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help.



