HJT Log - Undertaker


12 replies to this topic

#1 Undertaker


Posted 31 August 2004 - 06:31 PM

Computer is nearly dead. Cannot update AdAware or Spybot. Any and all help will be greatly appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 7:13:30 PM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\SYSTEM\winlogon.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\svohost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
C:\WINNT\System32\scrgrd.exe
C:\WINNT\svchost.exe
C:\WINNT\System32\Internet.exe
C:\WINNT\System32\enbiei.exe
C:\WINNT\System32\regscan.exe
C:\Program Files\SupraConnect\SupraConnect\fts.exe
C:\Program Files\SupraConnect\SupraConnect\FWPortal.exe
C:\WINNT\System32\syscfg32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\hukvdlzauili.exe
C:\HJT\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.supratelecom.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\System32\svohost.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [System Update] C:\WINNT\System32\xdqcdh.exe
O4 - HKLM\..\Run: [Configuration Loader] syscfg32.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [Windows Media Player] hukvdlzauili.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [load32] C:\WINNT\System32\swchost.exe
O4 - HKLM\..\Run: [NvClipRsv] C:\WINNT\svchost.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINNT\System32\znbwuv.exe
O4 - HKLM\..\Run: [Internet Services] Internet.exe
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [Windows Registry Scan] regscan.exe
O4 - HKLM\..\Run: [%FP%SupraConnect fts.exe] "C:\Program Files\SupraConnect\SupraConnect\fts.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Windows Media Player] hukvdlzauili.exe
O4 - HKLM\..\RunServices: [Internet Services] Internet.exe
O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot S&D\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Windows Media Player] hukvdlzauili.exe
O4 - HKCU\..\Run: [Internet Services] Internet.exe
O4 - HKCU\..\Run: [%FP%SupraConnect FWPortal.exe] "C:\Program Files\SupraConnect\SupraConnect\FWPortal.exe" -no_dialog
O4 - HKCU\..\RunServices: [Windows Media Player] hukvdlzauili.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - Startup: svchost.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19c8337b779e30...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{987C0A8D-CF16-4D8F-AC20-4410010AA045}: NameServer = 66.19.192.200 216.126.128.40


#2 Grinler

Lawrence Abrams

Posted 31 August 2004 - 10:28 PM

Oh boy, you're a mess :thumbsup:


I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Reboot your computer into Safe Mode

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button.

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\System32\svohost.exe
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - (no file)
O4 - HKLM\..\Run: [System Update] C:\WINNT\System32\xdqcdh.exe
O4 - HKLM\..\Run: [Configuration Loader] syscfg32.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [Windows Media Player] hukvdlzauili.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [load32] C:\WINNT\System32\swchost.exe
O4 - HKLM\..\Run: [NvClipRsv] C:\WINNT\svchost.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINNT\System32\znbwuv.exe
O4 - HKLM\..\Run: [Internet Services] Internet.exe
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [Windows Registry Scan] regscan.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Windows Media Player] hukvdlzauili.exe
O4 - HKLM\..\RunServices: [Internet Services] Internet.exe
O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Windows Media Player] hukvdlzauili.exe
O4 - HKCU\..\Run: [Internet Services] Internet.exe
O4 - HKCU\..\RunServices: [Windows Media Player] hukvdlzauili.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - Startup: svchost.exe
O4 - Global Startup: winlogin.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19c8337b779e30...ip/RdxIE601.cab



Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINNT\System32\svohost.exe

O4 - HKLM\..\Run: [System Update] C:\WINNT\System32\xdqcdh.exe
smsc.exe <--- Search for and delete this file
wuamgrd.exe <--- Search for and delete this file
C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
C:\WINNT\System32\swchost.exe
C:\WINNT\svchost.exe
C:\WINNT\System32\znbwuv.exe
C:\WINNT\System32\Internet.exe
C:\WINNT\System32\enbiei.exe
C:\WINNT\svchost.exe
C:\WINNT\System32\regscan.exe
C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
C:\WINNT\System32\svohost.exe
C:\WINNT\System32\scrgrd.exe
C:\WINNT\System32\syscfg32.exe
C:\WINNT\System32\hukvdlzauili.exe

Reboot your computer to go back to normal mode and post a new log.

#3 Undertaker


Posted 02 September 2004 - 09:58 AM

Well, already performance is GREATLY improved! :thumbsup:
Some problems I had:

When I tried to delete C:\WINNT\System32\svohost.exe -- I was told access denied (I was in safe mode)

While fixing "O4 - Global Startup: winlogin.exe" -- HijackThis said that the application was running and that I should use Task Manager to close it, then run HJT again to fix. When I opened Task Manager, winlogin was not there. (I was in safe mode doing this also.)

Now that performance is better, should I now try to get the latest updates for AdAware and SpyBot?

Here is the new HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 10:56:13 AM, on 9/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\scvhost.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\SYSTEM\winlogon.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
C:\Program Files\SupraConnect\SupraConnect\fts.exe
C:\WINNT\svchost.exe
C:\Program Files\SupraConnect\SupraConnect\FWPortal.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.supratelecom.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [%FP%SupraConnect fts.exe] "C:\Program Files\SupraConnect\SupraConnect\fts.exe"
O4 - HKLM\..\Run: [avserve2.exe] C:\WINNT\avserve2.exe
O4 - HKLM\..\Run: [NvClipRsv] C:\WINNT\svchost.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot S&D\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [%FP%SupraConnect FWPortal.exe] "C:\Program Files\SupraConnect\SupraConnect\FWPortal.exe" -no_dialog
O4 - Global Startup: winlogin.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{987C0A8D-CF16-4D8F-AC20-4410010AA045}: NameServer = 66.19.192.200 216.126.128.40



Thanks Grinler

#4 Grinler

Lawrence Abrams

Posted 02 September 2004 - 10:09 AM

You are using an outdated version of HijackThis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Press control-alt-delete to get into task manager and end the following tasks if they are running:

7.tmp.exe
svchost.exe
avserve2.exe

Then delete the following files:

C:\DOCUMENTS AND SETTINGS\Matthew\LOCAL SETTINGS\Temp\7.tmp.exe
C:\WINNT\avserve2.exe
C:\WINNT\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

Then run HijackThis and fix the following:

O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINNT\avserve2.exe
O4 - HKLM\..\Run: [NvClipRsv] C:\WINNT\svchost.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - Global Startup: winlogin.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

Reboot and post a new log

#5 Undertaker


Posted 02 September 2004 - 11:32 AM

Everything went well except...

In TaskManager, there were two svchost processes running (I was in safe mode). When I tried to end the first one, it immediately came back. When I tried to end the other one, an error message appeared and the computer started a 60 second shutdown.

Here is the new HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 12:30:07 PM, on 9/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\scvhost.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\SYSTEM\winlogon.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SupraConnect\SupraConnect\fts.exe
C:\WINNT\System32\winu32.exe
C:\Program Files\Spybot S&D\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SupraConnect\SupraConnect\FWPortal.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.supratelecom.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [%FP%SupraConnect fts.exe] "C:\Program Files\SupraConnect\SupraConnect\fts.exe"
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINNT\System32\psgur.exe
O4 - HKLM\..\Run: [update service] winu32.exe
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [update service] winu32.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot S&D\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [%FP%SupraConnect FWPortal.exe] "C:\Program Files\SupraConnect\SupraConnect\FWPortal.exe" -no_dialog
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{987C0A8D-CF16-4D8F-AC20-4410010AA045}: NameServer = 66.19.192.200 216.126.128.40

#6 Grinler

Lawrence Abrams

Posted 02 September 2004 - 11:45 AM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Reboot your computer into Safe Mode


Press control-alt-delete to get into task manager and end these tasks if they are running:
7.tmp.exe
psgur.exe
scvhost.exe (Mind this spelling as there are files that are legitimate and have the same spelling)
winu32.exe

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button.

O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINNT\System32\psgur.exe
O4 - HKLM\..\Run: [update service] winu32.exe
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [update service] winu32.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe


Then delete these files or directories (Do not be concerned if they do not exist)
C:\WINNT\System32\winu32.exe
scvhost.exe <- Search for and delete this file.
C:\WINNT\System32\psgur.exe
C:\DOCUMENTS AND SETTINGS\Matthew\LOCAL SETTINGS\Temp\7.tmp.exe

Reboot your computer to go back to normal mode and post a new log.
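The entries the helper singles out in posts #2, #4 and #6 share a few tells: a binary one letter away from a core Windows name (svohost, swchost, scvhost, winlogin, smsc), a genuine name sitting in the wrong directory (C:\WINNT\svchost.exe, C:\WINNT\SYSTEM\winlogon.exe), a program launched from a Temp folder, or a bare filename with no path at all. The script below is an added example, not part of the thread and not HijackThis code: it parses O4 lines and running-process lines from a log and scores each program against those tells. It assumes %SystemRoot% is C:\WINNT (as in the poster's logs) and a hand-picked list of core binaries; the sample log is excerpted from the first log posted in the thread.

```python
r"""Heuristic triage of HijackThis O4 entries and running-process lines.

Added example, not HijackThis code and not from the thread. Assumes %SystemRoot%
is C:\WINNT (as in the poster's logs) and a hand-picked list of core binaries.
"""
import re

# Where Windows installs the core binaries malware likes to impersonate (assumption: C:\WINNT).
EXPECTED_DIR = {
    "svchost.exe": r"c:\winnt\system32", "winlogon.exe": r"c:\winnt\system32",
    "services.exe": r"c:\winnt\system32", "lsass.exe": r"c:\winnt\system32",
    "smss.exe": r"c:\winnt\system32", "spoolsv.exe": r"c:\winnt\system32",
    "explorer.exe": r"c:\winnt",
}
O4_REGISTRY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[(.*)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - (Global )?Startup: (.*)$")
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\.+\.(?:exe|sys|dll)$", re.IGNORECASE)


def osa_distance(a, b):
    """Levenshtein distance that counts an adjacent swap (scvhost vs svchost) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def first_token(cmd):
    """Program part of a Run-key command: the quoted path, or the first bare token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess(path):
    """Reasons a program path looks suspicious; an empty list means nothing was found."""
    low = path.lower().replace("/", "\\")
    directory, _, name = low.rpartition("\\")
    reasons = []
    if name in EXPECTED_DIR:
        # Right name, wrong place: C:\WINNT\svchost.exe, C:\WINNT\SYSTEM\winlogon.exe
        if directory and directory != EXPECTED_DIR[name]:
            reasons.append(f"{name} outside {EXPECTED_DIR[name]}")
    else:
        # One edit away from a core name: svohost, swchost, scvhost, winlogin, smsc
        for core in EXPECTED_DIR:
            if osa_distance(name, core) <= 1:
                reasons.append(f"name resembles {core}")
                break
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if not directory:
        reasons.append("no directory given; PATH search decides what runs")
    return reasons


def triage(log_text):
    """List of (where, program, reasons) for every flagged O4 entry or process line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reg, startup = O4_REGISTRY.match(line), O4_STARTUP.match(line)
        if reg:
            hive, key, name, cmd = reg.groups()
            where, program = f"{hive}\\..\\{key} [{name}]", first_token(cmd)
        elif startup:
            # A Startup-folder entry is a file in that folder, not a PATH lookup.
            where, program = line[:line.index(":")], "<startup folder>\\" + startup.group(2).strip()
        elif PROCESS_LINE.match(line):
            where, program = "running process", line
        else:
            continue
        reasons = assess(program)
        if reasons:
            findings.append((where, program, reasons))
    return findings


# Constructed sample: lines excerpted from the first log posted in this thread.
SAMPLE_LOG = r"""
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM\winlogon.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\svohost.exe
C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
C:\WINNT\svchost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: svchost.exe
O4 - Global Startup: winlogin.exe
"""

if __name__ == "__main__":
    for where, program, reasons in triage(SAMPLE_LOG):
        print(f"{where:40} {program}\n    -> {'; '.join(reasons)}")
```

The adjacent-swap rule is what makes the helper's "mind this spelling" warning about scvhost.exe mechanical: scvhost is one transposition from svchost, so it scores the same as svohost or swchost, while a legitimate name two edits away (msmsgs.exe against smss.exe) is left alone. The output is a triage list, not a verdict: the allow-list is a constructed baseline for one machine, and on a real case the flagged files would still be confirmed by hash or signature before anything is deleted.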

#7 Undertaker


Posted 02 September 2004 - 11:47 AM

Just a quick update: SpyBot keeps seeing wuamgrd.exe trying to be added to the System Startup global entry. I have to click "deny change" twice to make it leave. About two minutes later, it tries to return.

#8 Undertaker


Posted 02 September 2004 - 12:36 PM

I just found several entries in the Ignore List. (Probably should have checked that earlier :thumbsup:. Sorry.)

Here is the new log.

Logfile of HijackThis v1.98.2
Scan saved at 1:35:57 PM, on 9/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\SYSTEM\winlogon.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SupraConnect\SupraConnect\fts.exe
C:\Program Files\Spybot S&D\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SupraConnect\SupraConnect\FWPortal.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\winsys.exe
C:\WINNT\System32\smsc.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.supratelecom.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [%FP%SupraConnect fts.exe] "C:\Program Files\SupraConnect\SupraConnect\fts.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot S&D\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [%FP%SupraConnect FWPortal.exe] "C:\Program Files\SupraConnect\SupraConnect\FWPortal.exe" -no_dialog
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{987C0A8D-CF16-4D8F-AC20-4410010AA045}: NameServer = 66.19.192.200 216.126.128.40

#9 Grinler

Lawrence Abrams

Posted 02 September 2004 - 03:31 PM

I want you to click on Start, then Run, type msconfig and press Enter.

Then click on the Startup tab and uncheck TeaTimer. Reboot and post a new log.

We will re-enable TeaTimer later.

#10 Undertaker


Posted 03 September 2004 - 01:02 PM

TeaTimer is off. Let me provide some info. I have three scvhost.exe files on the puter. When I attempt to delete them, I'm told that they cannot be deleted due to not being able to read from the source file.

Also, you have been asking me to delete 7.tmp.exe. That file is not there, but 8, 9 and 13.tmp.exe ARE THERE. Don't know if that matters, but thought you should know.

New HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 2:02:16 PM, on 9/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\SYSTEM\winlogon.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SupraConnect\SupraConnect\fts.exe
C:\Program Files\SupraConnect\SupraConnect\FWPortal.exe
C:\WINNT\System32\winsys.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.supratelecom.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [%FP%SupraConnect fts.exe] "C:\Program Files\SupraConnect\SupraConnect\fts.exe"
O4 - HKLM\..\Run: [WindowsRegKey update] winsys.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [WindowsRegKey update] winsys.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [%FP%SupraConnect FWPortal.exe] "C:\Program Files\SupraConnect\SupraConnect\FWPortal.exe" -no_dialog
O4 - HKCU\..\Run: [WindowsRegKey update] winsys.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{987C0A8D-CF16-4D8F-AC20-4410010AA045}: NameServer = 66.19.192.200 216.126.128.40

#11 Grinler

Lawrence Abrams

Posted 04 September 2004 - 07:06 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button.

O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [WindowsRegKey update] winsys.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] winsys.exe
O4 - HKCU\..\Run: [WindowsRegKey update] winsys.exe


Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)
c:\windows\system32winsys.exe

Reboot your computer to go back to normal mode and then:

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp%, and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Then post a new log.

#12 Undertaker


Posted 11 September 2004 - 05:56 PM

I did what you said. I did not find the file Windows\system32winsys.exe; however, the following file was there: C:\WINNT\system32\winsys.exe

Here's the log:

Logfile of HijackThis v1.98.2
Scan saved at 6:55:42 PM, on 9/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\SYSTEM\winlogon.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SupraConnect\SupraConnect\fts.exe
C:\Program Files\SupraConnect\SupraConnect\FWPortal.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\timeupdate.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.supratelecom.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [%FP%SupraConnect fts.exe] "C:\Program Files\SupraConnect\SupraConnect\fts.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINNT\System32\mmobm.exe
O4 - HKLM\..\Run: [Windows Registry Scan] timeupdate.exe
O4 - HKLM\..\RunServices: [Windows Registry Scan] timeupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [%FP%SupraConnect FWPortal.exe] "C:\Program Files\SupraConnect\SupraConnect\FWPortal.exe" -no_dialog
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{987C0A8D-CF16-4D8F-AC20-4410010AA045}: NameServer = 66.19.192.200 216.126.128.40

#13 Grinler

Lawrence Abrams

Posted 11 September 2004 - 06:02 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button.

O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINNT\System32\mmobm.exe
O4 - HKLM\..\Run: [Windows Registry Scan] timeupdate.exe
O4 - HKLM\..\RunServices: [Windows Registry Scan] timeupdate.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\DOCUME~1\Matthew\LOCALS~1\Temp\7.tmp.exe
C:\WINNT\System32\mmobm.exe
timeupdate.exe <--- Search for and delete this file

Reboot your computer to go back to normal mode and post a new log.



