Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log - help!


  • Please log in to reply
10 replies to this topic

#1 hiwksi

hiwksi

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 30 July 2005 - 04:26 PM

Trying to clean up HJT logfile after PSGuard 2 infection. I went through the steps for another person but still have a few minor problems. Not being incredibly computer savvy, I'm reluctant to delete things.

Please help!

Logfile of HijackThis v1.99.1
Scan saved at 2:50:18 PM, on 7/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\QUICKENW\QWDLLS.EXE
C:\TOOLS_95\IOWATCH.EXE
C:\TOOLS_95\IMGICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ALERTSPY\ALERTSPY.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://neword.com/adw.html?s
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://neword.com/adw.html?s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://neword.com/adw.html?s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bresnan OnLine
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BE109F81-FF4F-11D9-BD97-00009E21F71D} - C:\WINDOWS\SYSTEM\MAJF.DLL
O2 - BHO: (no name) - {3D6317EB-97C9-BD41-282B-74C668478EC7} - C:\WINDOWS\SYSTEM\YHW6Z2VB.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [FileFreedom_Plugin] C:\PROGRAM FILES\FILEFREEDOM\wtm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SCUpdate] "C:\PROGRAM FILES\BRESNAN\MIGCFG\PROGRAMS\AutoUpdate.exe"
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Quicken Startup.lnk = C:\Quickenw\QWDLLS.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Billminder.lnk = C:\Quickenw\BILLMIND.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Filter: text/html - {F77AA9E1-00DB-11DA-BD97-0000B96FE6FE} - C:\WINDOWS\SYSTEM\MAJF.DLL
O18 - Filter: text/plain - {F77AA9E1-00DB-11DA-BD97-0000B96FE6FE} - C:\WINDOWS\SYSTEM\MAJF.DLL

BC AdBot (Login to Remove)

 


m

#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:50 AM

Posted 30 July 2005 - 09:46 PM

Hello hiwksi,

You have several infections on your computer. Let begin removing them.

************************************


Download CWShredder at the link below: (don't run it yet)
http://cwshredder.net/bin/CWShredder.exe

Download 'SpSeHjfix'. >>> http://www.derbilk.de/SpSeHjfix109.zip (don't run it yet)

************************************

Clean out temporary and Temporary Internet files.
Go to Start > Run and type in the box: cleanmgr.
Let it scan your system for files to remove.
Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin


************************************

Make sure you know how to boot into - SafeMode
http://www.computerhope.com/issues/chsafe.htm#02

Reboot into safe mode.

Disconnect from the net and Close ALL OPEN PROGRAMS.

Run 'SpSeHjfix'. and click on "Start Disinfection".

When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.
Save the log.

Now run the CWShredder - Hit The FIX button!

Reboot and repeat entire the process above.

************************************


Reboot and post a fresh Hijackthis log and the log that was created by 'SpSeHjfix'.

Edited by SifuMike, 30 July 2005 - 09:49 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 hiwksi

hiwksi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 30 July 2005 - 10:41 PM

Hi Mike -
Here are the new log files. Let me know.

Logfile of HijackThis v1.99.1
Scan saved at 9:37:49 PM, on 7/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\QUICKENW\QAGENT.EXE
C:\QUICKENW\QWDLLS.EXE
C:\TOOLS_95\IOWATCH.EXE
C:\TOOLS_95\IMGICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://grandjunction.bresnanonline.net/community
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bresnan OnLine
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [FileFreedom_Plugin] C:\PROGRAM FILES\FILEFREEDOM\wtm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SCUpdate] "C:\PROGRAM FILES\BRESNAN\MIGCFG\PROGRAMS\AutoUpdate.exe"
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Quicken Startup.lnk = C:\Quickenw\QWDLLS.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Billminder.lnk = C:\Quickenw\BILLMIND.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab


(7/30/05 9:02:13 PM) SPSeHjFix started v1.09
(7/30/05 9:02:13 PM) OS: Win98SE A (4.10.67766446)
(7/30/05 9:02:13 PM) Language: english
(7/30/05 9:02:17 PM) Disinfect started
(7/30/05 9:02:17 PM) Bad-Dll(IEP): (not found)
(7/30/05 9:02:17 PM) Bad-Dll(IEP) in BHO: (not found)
(7/30/05 9:02:17 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\MAJF.DLL
(7/30/05 9:02:18 PM) Searchassistant Uninstaller - Keys Deleted
(7/30/05 9:02:18 PM) UBF: 6
(7/30/05 9:02:18 PM) UBB: 2
(7/30/05 9:02:18 PM) FilterKey: HKCR\text/html (deleted)
(7/30/05 9:02:18 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(7/30/05 9:02:18 PM) FilterKey: HKCR\CLSID\{47CE00C6-0108-11DA-BD97-00009648E3F9} (deleted)
(7/30/05 9:02:18 PM) FilterKey: HKCR\text/plain (deleted)
(7/30/05 9:02:18 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(7/30/05 9:02:18 PM) FilterKey: HKCR\CLSID\{47CE00C6-0108-11DA-BD97-00009648E3F9} (error while deleting)
(7/30/05 9:02:18 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{47CE00C7-0108-11DA-BD97-0000F9044662} (deleted)
(7/30/05 9:02:18 PM) BHO-Key: HKCR\CLSID\{47CE00C7-0108-11DA-BD97-0000F9044662} (deleted)
(7/30/05 9:02:18 PM) UBR: 20
(7/30/05 9:02:18 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(7/30/05 9:02:18 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(7/30/05 9:02:18 PM) Stealth-String not found:
(7/30/05 9:02:18 PM) File added to delete: c:\windows\system\majf.dll
(7/30/05 9:02:18 PM) File added to delete: c:\windows\system\majf.dll
(7/30/05 9:02:18 PM) File added to delete: c:\windows\temp\se.dll
(7/30/05 9:02:18 PM) Reboot
(7/30/05 9:15:04 PM) SPSeHjFix 2nd Step
(7/30/05 9:15:04 PM) RunServicesOnce-Key: (edited)
(7/30/05 9:15:05 PM) Cleaned


(7/30/05 9:15:23 PM) SPSeHjFix started v1.09
(7/30/05 9:15:23 PM) OS: Win98SE A (4.10.67766446)
(7/30/05 9:15:23 PM) Language: english
(7/30/05 9:15:28 PM) Disinfect started
(7/30/05 9:15:28 PM) Bad-Dll(IEP): (not found)
(7/30/05 9:15:28 PM) Bad-Dll(IEP) in BHO: (not found)
(7/30/05 9:15:28 PM) UBF: 4
(7/30/05 9:15:28 PM) UBB: 1
(7/30/05 9:15:28 PM) UBR: 20
(7/30/05 9:15:28 PM) Bad IE-pages:
(7/30/05 9:15:28 PM) Stealth-String not found:
(7/30/05 9:15:28 PM) Not infected->END


(7/30/05 9:16:21 PM) SPSeHjFix started v1.09
(7/30/05 9:16:21 PM) OS: Win98SE A (4.10.67766446)
(7/30/05 9:16:21 PM) Language: english
(7/30/05 9:16:23 PM) Disinfect started
(7/30/05 9:16:23 PM) Bad-Dll(IEP): (not found)
(7/30/05 9:16:23 PM) Bad-Dll(IEP) in BHO: (not found)
(7/30/05 9:16:23 PM) UBF: 4
(7/30/05 9:16:23 PM) UBB: 1
(7/30/05 9:16:23 PM) UBR: 20
(7/30/05 9:16:23 PM) Bad IE-pages:
(7/30/05 9:16:23 PM) Stealth-String not found:
(7/30/05 9:16:23 PM) Not infected->END


(7/30/05 9:23:46 PM) SPSeHjFix started v1.09
(7/30/05 9:23:46 PM) OS: Win98SE A (4.10.67766446)
(7/30/05 9:23:46 PM) Language: english
(7/30/05 9:23:48 PM) Disinfect started
(7/30/05 9:23:48 PM) Bad-Dll(IEP): (not found)
(7/30/05 9:23:48 PM) Bad-Dll(IEP) in BHO: (not found)
(7/30/05 9:23:48 PM) UBF: 4
(7/30/05 9:23:48 PM) UBB: 1
(7/30/05 9:23:48 PM) UBR: 20
(7/30/05 9:23:48 PM) Bad IE-pages:
(7/30/05 9:23:49 PM) Stealth-String not found:
(7/30/05 9:23:49 PM) Not infected->END


(7/30/05 9:25:58 PM) SPSeHjFix started v1.09
(7/30/05 9:25:58 PM) OS: Win98SE A (4.10.67766446)
(7/30/05 9:25:58 PM) Language: english
(7/30/05 9:26:27 PM) Disinfect started
(7/30/05 9:26:27 PM) Bad-Dll(IEP): (not found)
(7/30/05 9:26:27 PM) Bad-Dll(IEP) in BHO: (not found)
(7/30/05 9:26:27 PM) UBF: 4
(7/30/05 9:26:27 PM) UBB: 1
(7/30/05 9:26:27 PM) UBR: 19
(7/30/05 9:26:27 PM) Bad IE-pages:
(7/30/05 9:26:27 PM) Stealth-String not found:
(7/30/05 9:26:27 PM) Not infected->END

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:50 AM

Posted 30 July 2005 - 11:22 PM

Hi hiwksi,
You have a suspicious file we need to check.

Go to Jotti's malware scan copy and paste C:\PROGRAM FILES\BRESNAN\MIGCFG\PROGRAMS\AutoUpdate.exe to the upload and scan it.

Let me know the results.

Copy and paste the output to this thread

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken


If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 hiwksi

hiwksi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 30 July 2005 - 11:41 PM

Mike-

This is what came up after the scan.

Service load: 0% 100%

File: AutoUpdate.exe_
Status: OK
MD5 93da80159d29d0bc3ac20302051728a8
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


I just copied and pasted the file path out of your email into the "upload & scan" box then copied and pasted the info that came up below it. Looks okay doesn't it?

Debbie

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:50 AM

Posted 30 July 2005 - 11:44 PM

Hi Debbie,

I just copied and pasted the file path out of your email into the "upload & scan" box then copied and pasted the info that came up below it. Looks okay doesn't it?



It looks fine! :thumbsup: Just had to check it before we do the fixing.

Make sure you know how to boot into - SafeMode
http://www.computerhope.com/issues/chsafe.htm#02


Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing


*******************************************


Let's empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows Tab, Run CCleaner ,(click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done. It's very fast.

I recommend that you DO NOT run anything under the Issues Tab and the Applications Tab. To prevent accidently running the Issues Tab and Applicatons tabs, clear all check boxes are under them.

*******************************************


Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 hiwksi

hiwksi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 31 July 2005 - 12:12 AM

:thumbsup: All done!

It's running better than it has in a long time. How does the logfile look?

So what's the best virus/malware software out there these days? I took mcafee off because it really slowed my computer down - but as well as it seems to be working now that might not be a problem anymore.

What's the best way to maintain things? I am starting online classes in a couple weeks and need to keep things working.



THANK YOU THANK YOU THANK YOU!!!!!

Debbie

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:50 AM

Posted 31 July 2005 - 12:17 AM

Hi Debbie,

That good to hear.

It's running better than it has in a long time. How does the logfile look?

I dont know, I think you forgot to post it. :thumbsup:
But I really need to see the HJT log file to make sure everything is gone.

Then I will tell you malware preventive steps.

So what's the best virus/malware software out there these days? I took mcafee off because it really slowed my computer down - but as well as it seems to be working now that might not be a problem anymore


There is no "best" antivirus. McAfee is good, so if you paid for it reinstall it.
If you are browsing the Internet without a antivirus you can be reinfected in minutes. If you do not like McAfee then AVG antivirus is a good free antivirus http://free.grisoft.com/doc/1

Edited by SifuMike, 31 July 2005 - 12:30 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 hiwksi

hiwksi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 31 July 2005 - 12:20 AM

In my excitement and awe I forgot ot paste it in

Logfile of HijackThis v1.99.1
Scan saved at 11:04:10 PM, on 7/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\QUICKENW\QAGENT.EXE
C:\QUICKENW\QWDLLS.EXE
C:\TOOLS_95\IOWATCH.EXE
C:\TOOLS_95\IMGICON.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://grandjunction.bresnanonline.net/community
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bresnan OnLine
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [FileFreedom_Plugin] C:\PROGRAM FILES\FILEFREEDOM\wtm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SCUpdate] "C:\PROGRAM FILES\BRESNAN\MIGCFG\PROGRAMS\AutoUpdate.exe"
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Quicken Startup.lnk = C:\Quickenw\QWDLLS.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Billminder.lnk = C:\Quickenw\BILLMIND.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

Sorry!

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:50 AM

Posted 31 July 2005 - 12:30 AM

Hi Debbie,

The log looks clean! :thumbsup: Good job on the cleanup!

Please read and follow Groovicus' Guide to Simple PC Security to help keep yourself from becoming infected again.

It seems that you don't use an anti-virus scanner or your scanner is not active.
Only an anti-virus scanner can protect you against new viruses.
I recommend you download the free AVG antivirus or reinstall your McAfee Antivirus.

You should have a software firewall, as that is your first line of defense against malware.

Here are 3 free ones available for personal use. I personally use Sygate firewall:

Sygate Personal Firewall

Understanding and Using Firewalls

Kerio Personal Firewall

ZoneAlarm

Edited by SifuMike, 31 July 2005 - 12:32 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 hiwksi

hiwksi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 31 July 2005 - 08:02 AM

Mike you rock! :thumbsup:

Thanks so much. We were about to trash this computer and buy a new one.

I haven't been using McAfee even though it was installed because it slows the computer down so much. I learned my lesson and I'll see if I can get some other junk off here instead of McAfee!

I'll also get the firewall thing figured out.

Thanks again and have a great day.

Debbie :flowers:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users