Need Help With This Hijack This Log


#1 Nuitaran

Posted 02 November 2005 - 08:41 PM

My GF sent her laptop off to be "fixed" by some supposed PC guru. When it came back, it had Windows ME (Windows Virus) installed and he had removed all of my spyware protection claiming that the programs I use are bogus. I found this funny considering that my system has run spyware and virus free for years. At any rate, lo and behold, not a few weeks have passed, and she now has spyware embedded so deeply that my programs can't get it out. So here is the HJ Log, maybe you nice folks here can help me figure this out.

Logfile of HijackThis v1.99.1
Scan saved at 8:32:47 PM, on 11/2/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\BCMWLTRY.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {7DB41198-E91C-381C-C2ED-D46A2E2D7897} - C:\WINDOWS\SYSTEM\NTOD32.DLL (file missing)
O2 - BHO: Class - {07C0B5BB-649E-8853-BC0D-D77DA5430D5F} - C:\WINDOWS\IEBJ32.DLL (file missing)
O2 - BHO: Class - {6F9B4B7B-3DF9-DBFD-32CB-C97C202BF5F0} - C:\WINDOWS\NETTB.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [Motorola Wireless Configuration Utility] C:\WINDOWS\SYSTEM\BCMWLTRY
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [JAVAVY.EXE] C:\WINDOWS\SYSTEM\JAVAVY.EXE /s
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE" "+b1"
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

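Reading a log like the one above by hand is error-prone, so here is an added example (not from this thread or from HijackThis itself) of a small Python triage parser for HJT v1.99.1 lines. It splits each line into its section code and fields, then applies a few defender-side heuristics that match what this log shows: about:blank page resets, a missing URLSearchHook, BHOs whose DLL is gone or whose name is just "Class", and autostart entries with a bare filename or named after their own executable. The sample input is a constructed subset of the lines posted above; the heuristic reasons and thresholds are my own assumptions, not verdicts.

```python
import re
# Constructed sample: a subset of the HijackThis v1.99.1 lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {7DB41198-E91C-381C-C2ED-D46A2E2D7897} - C:\WINDOWS\SYSTEM\NTOD32.DLL (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\RunServices: [JAVAVY.EXE] C:\WINDOWS\SYSTEM\JAVAVY.EXE /s
"""

# Section code (R0, O2, O4, ...) followed by the entry body.
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")

def parse_line(line):
    # Returns a dict of fields for one HJT line, or None if it is not an entry.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    if entry["kind"] == "O2" and (b := BHO_RE.match(entry["body"])):
        entry.update(b.groupdict())
        entry["file_missing"] = entry["path"].endswith("(file missing)")
    elif entry["kind"] == "O4" and (r := RUN_RE.match(entry["body"])):
        entry.update(r.groupdict())
    return entry

def triage(text):
    """Return (line, reason) pairs worth a closer look. Heuristics, not verdicts."""
    findings = []
    for line in text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        kind, body = e["kind"], e["body"]
        if kind in ("R0", "R1") and body.endswith("= about:blank"):
            findings.append((line, "IE page/search setting reset to about:blank"))
        elif kind == "R3" and body.endswith("is missing"):
            findings.append((line, "default URLSearchHook removed"))
        elif kind == "O2" and e.get("file_missing"):
            findings.append((line, "BHO CLSID registered but its DLL is absent"))
        elif kind == "O2" and e.get("name") == "Class":
            findings.append((line, "BHO with generic 'Class' name and no vendor"))
        elif kind == "O4" and "cmd" in e:
            # First token of the command, with surrounding quotes removed.
            exe = e["cmd"].strip().strip('"').split()[0] if e["cmd"].strip() else ""
            if "\\" not in exe:
                findings.append((line, "bare filename resolved via PATH: confirm which file runs"))
            elif e["value"].lower().endswith(".exe"):
                findings.append((line, "autostart named after its own exe rather than a product"))
    return findings
```

Entries like `irmon.exe` or `SysTray.Exe` will also trip the bare-filename rule; the point is to force a check of which file actually loads, not to declare them malicious.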
#2 -David-

Posted 03 November 2005 - 02:51 AM

Hi and Welcome to bleeping computer!!

To track this topic, and receive email updates when I reply:
  • Please subscribe to the thread by looking at the top and clicking "track this topic".
  • Visit the "My Control Panel" and enable email notification
  • Don't start a new topic - keep replies within here
My name is David

Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.

There is a bit to do on the log - I can almost guarantee ewido will remove something - it's also a good free tool to keep in your arsenal! :thumbsup:

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck.
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Post a new HJT log and the ewido log at the end! :flowers:
David

#3 Nuitaran

Posted 03 November 2005 - 08:23 PM

First problem, ewido requires Windows 2k to install and she is running Win ME. Can we get rid of this stuff without it?

Edited by Nuitaran, 03 November 2005 - 08:24 PM.


#4 -David-

Posted 04 November 2005 - 01:22 PM

Yes of course we can! :thumbsup:

Please download Spybot - Search and Destroy
  • (If Spybot - S&D 1.4 is already installed on your system, skip to Update Spybot - S&D before using it.)
  • When you have down-loaded the program, double-click on it to start the installation. Follow the default selections, pressing the Next button until you get to the Select Additional Tasks screen.
  • Under Permanent protection, make sure to uncheck the following items for now:
    • Use Internet Explorer Protection
    • Use system settings Protection (TeaTimer)
  • Press the Next button and then the Install button.
  • When the installation process is complete, make sure that Run Teatimer is unchecked.

Launch Spybot - S&D
  • If you told Spybot to launch when it was done installing, the program should now be open. Otherwise, find the icon on your Desktop and double-click on it.
  • When you use Spybot - S&D for the first time, it will prompt you for certain tasks to complete. Skip all tasks for now by pressing the Next button.
  • Click on the button labelled Start using this program to begin using Spybot - Search & Destroy.

Update Spybot - S&D before using it
  • Click on the Search for Updates button. If there are available updates, they will be listed.
  • Check/tick the boxes beside each update.
  • Click on the Download Updates button and Spybot - S&D will download the updates and install them.
  • Close the program.

Run Spybot - S&D
  • Click on the Check for Problems button.
  • When Spybot has finished running, it may be showing RED entries, BLACK entries and GREEN entries in the window.
  • Make sure that there is a check-mark beside all of the RED entries ONLY.
  • Choose Fix Selected Problems and allow Spybot to fix the RED entries.
  • If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply Yes to this.
  • At this point you will be presented with the list of found entries again, but now there will be large green check-marks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next re-boot of Windows.
  • The next time you start Windows, Spybot will run automatically and fix anything that it could not fix previously.

Then post new HJT log
David :flowers:

#5 Nuitaran

Posted 05 November 2005 - 09:11 PM

I've already attempted to clean with both S&D and Adaware SE; both can either not find, or can not remove, a couple of items. SE is unable to remove them, and tells me so. S&D thinks they are removed, then finds them on the next scan. I will run them again, and post the HJT log anyway just in case.

Edited by Nuitaran, 05 November 2005 - 09:12 PM.


#6 Nuitaran

Posted 05 November 2005 - 09:43 PM

Spybot S&D found nothing in the scan, and here is the latest HJT log just in case anything has changed:

Logfile of HijackThis v1.99.1
Scan saved at 9:39:04 PM, on 11/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\BCMWLTRY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {7DB41198-E91C-381C-C2ED-D46A2E2D7897} - C:\WINDOWS\SYSTEM\NTOD32.DLL (file missing)
O2 - BHO: Class - {07C0B5BB-649E-8853-BC0D-D77DA5430D5F} - C:\WINDOWS\IEBJ32.DLL (file missing)
O2 - BHO: Class - {6F9B4B7B-3DF9-DBFD-32CB-C97C202BF5F0} - C:\WINDOWS\NETTB.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [Motorola Wireless Configuration Utility] C:\WINDOWS\SYSTEM\BCMWLTRY
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [JAVAVY.EXE] C:\WINDOWS\SYSTEM\JAVAVY.EXE /s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

#7 -David-

Posted 06 November 2005 - 06:06 AM

Before we continue:

You are currently using HijackThis from a temporary directory; this can cause problems.
  • Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder HJT.
  • Download HijackThis to the new folder:
  • Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.
  • Close ALL windows except HJT
  • SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to 'select all', Ctrl-C to 'copy')
  • Post the log in this thread using 'Add Reply' (Ctrl-V to 'paste')
David

#8 Nuitaran

Posted 06 November 2005 - 09:38 PM

Yeah, I missed that. I was walking my Fiancee through it over the phone and didn't realise she opened that one. I'm going to hold off and continue when I have access to her computer again this weekend. Sorry about that. *blush*

#9 -David-

Posted 07 November 2005 - 01:24 PM

That's fine! :thumbsup:

:flowers:

#10 -David-

Posted 13 November 2005 - 04:51 PM

Hi there :thumbsup:

Whilst we appreciate you may be busy, we haven't heard from you for a while. You haven't answered the reply I have posted.

This message is just a bump, to remind you that I am helping you - if no answer is given in a few more days, the topic will be closed.

Thanks very much for understanding

David
