
HJT Log - anthonykirby


This topic is locked
4 replies to this topic

#1 anthonykirby

anthonykirby

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:23 AM

Posted 06 November 2005 - 09:23 PM

Good Afternoon All,

I have been getting some very annoying sites which open automatically when I am browsing the web.

I have used Spybot, AVG and PopUp Stopper to try to stop this and get rid of the corrupt files but to no avail.

I have posted a log file of HJT below in case anybody can talk me through the fix for this.

The pop-ups are from casino to weather, and it is adding a lot of links in favourites such as free xxx and nude girls, etc.

Cheers in advance

Anthony
-----------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:21:47 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot\SpybotSD.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{228E084B-39DF-4806-B3C1-AC98879C1656}: NameServer = 85.255.114.8 85.255.112.11
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\j4n2le5o1h.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Edited by anthonykirby, 06 November 2005 - 09:29 PM.



#2 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  • Local time:04:23 PM

Posted 07 November 2005 - 11:17 AM

Hi, Anthony,

Please print these instructions and read them over before beginning.
I see a couple of problems in your log.
Let's see if we can get one cleaned up first. Then we will tackle the other.

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove to remove any items found.

Exit Spy Sweeper.
Reboot.

Now for the other problem:
You will need to refer to your printed instructions, since you will have to restart your computer during this next fix. Please make sure you have an ACTIVE internet connection as the tool will need to download additional files and a program.

Please download FixWareout from here:
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is NORMAL.
When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{228E084B-39DF-4806-B3C1-AC98879C1656}: NameServer = 85.255.114.8 85.255.112.11

These two only if you did not set them, or if you did not have Spybot set them.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Click Fix Checked. Close HijackThis, and click OK to proceed.
At the end of the fix, you may need to restart your computer again.

If you should have any connection problems following this fix, this is how to correct them:

Please go to Start -> Control Panel, and choose Network Connections.
Then right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Click OK twice, and restart your computer.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#3 anthonykirby

anthonykirby
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:23 AM

Posted 08 November 2005 - 06:29 AM

Bugbatter,

Here are the contents of the fixwareout and HJT log as requested.

Cheers for the help!

Anthony

Fixwareout ver 1.003
Post this report in the forums please

Reg Entries that were deleted

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Search by size and names...

Misc files

Checking for older varients covered by the Rem3 tool



Logfile of HijackThis v1.99.1
Scan saved at 9:22:45 PM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



#4 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  • Local time:04:23 PM

Posted 08 November 2005 - 12:25 PM

Again please print these instructions, so you can refer to them easily.

I suggest that you move HijackThis out of My Documents to a folder of its own where it can save its backups. Otherwise, the Backups folder will be in with the rest of your documents.
To create a folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\HJT\ folder. Put your HijackThis.exe there. Do not scan now. We will do that later.

Please download CCleaner and install it. Do not run it. We will do that later.
It can be downloaded from one of the following locations:
http://www.ccleaner.com/
http://www.filehippo.com/download_ccleaner.html

Next, download ewido security suite:

1. After the download is complete, double click on the file to launch the install process.
2. During installation under the Additional Options menu, you will be asked if you want to "Install background guard (required for automatic updates)" and "Install scan via context menu". Please UNCHECK both of these options.
3. Once installation is complete, launch Ewido by double-clicking the big "E" icon on your desktop. The program will prompt you to update -- click the 'OK' button.
4. The program will now go to the main screen. On the left hand side of the main screen, click on Update and then click 'Start Update'. The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see 'Update Successful' in the lower left corner.
5. Close Ewido.

Reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key (or F5 on some computers)
Use the arrow keys to highlight Safe Mode and press the Enter key.

When your computer is booted into Safe Mode, then continue.

Now Click Start>> Run>> Type in Services.msc and Click OK!

Scroll that list and locate

Command Service (cmdService)
(If you cannot find it, just proceed with the next steps using Hijackthis.)

Right Click that entry and Select "Properties">> Click "Stop">> Go up and Change the "Startup Type" to "Disabled"

* Click the 'Apply' tab, then click 'OK'

Open HijackThis>Config>Misc Tools>Delete an NT Service
*now copy/paste the following entry in the box and click OK:

CmdService

Please scan with Hijackthis and tick this if it still exists:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)

Close all windows except HijackThis and click "Fix Checked".

Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Uncheck: Hide protected operating system files
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

Delete the specified folder IF it still exists:
C:\WINDOWS\T3duZXIA <-- Folder

Open CCleaner.

Before first use, check under Options, Settings, and ensure "Only delete files in Windows Temp folder older than 48 hours" is unchecked.

Then open it and select the items you wish to clean up.

In the Windows Tab:

I recommend cleaning all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section
Clean all entries in the "System" section
Clean all entries in the "Advanced" section.

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

Then click the "Run Cleaner" button.
When it is finished cleaning REBOOT into Safemode again.

*Click on Ewido>scanner
Then select "Settings"
Under the bottom section "What to Scan?" make sure "Scan every file" is checked.
Select "OK" and you will return to scanning options.
*Click on Complete System Scan and the scan will begin.

This scan can take quite a while to run, so please be patient.
While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose Clean. Then put a check next to 'Perform action on all infections'. Doing this enables the scan to proceed automatically until its completion. Click OK.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again. The best place to save it would probably be your Desktop.
Now close ewido security suite.
Reboot normally.

Go back and rehide files/folders:
Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Check: Hide protected operating system files
Click on Apply.

Please copy and paste the results from the Ewido scan back along with a fresh HijackThis log to this topic for review. Thanks!

*Notes: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update Ewido using the *update* button

When you reply just click "Add Reply". There is no need to quote the previous post with your reply.

Edited by Bugbatter, 08 November 2005 - 12:26 PM.

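A defender-side triage pass over the log entries Bugbatter singles out in posts #2 and #4 (the O17 NameServer line and the cmdService entry under C:\WINDOWS\T3duZXIA), added here as an example and not part of the original thread or of HijackThis. It assumes a trusted resolver range (a private LAN, as a placeholder for the ISP's real resolvers), and the sample lines are constructed from the log above.

```python
import base64
import ipaddress
import re

# Constructed sample: the lines of interest copied from the HijackThis log
# posted above, plus benign O4 and O23 lines that the checks should ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{228E084B-39DF-4806-B3C1-AC98879C1656}: NameServer = 85.255.114.8 85.255.112.11
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Assumption (placeholder): the only networks whose resolvers this machine
# should be using. Replace with the ISP's or the LAN's real resolver ranges.
TRUSTED_RESOLVER_NETS = [ipaddress.ip_network("192.168.0.0/16")]


def untrusted_nameservers(line):
    """Resolver addresses in an O17 line that fall outside the trusted networks."""
    m = re.match(r"^O17 - .*NameServer = (.+)$", line)
    if not m:
        return []
    bad = []
    for token in m.group(1).split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an address (e.g. stray punctuation); skip it
        if not any(addr in net for net in TRUSTED_RESOLVER_NETS):
            bad.append(token)
    return bad

def decode_base64_dirname(name):
    """If a path component is valid base64 of printable ASCII, return that text."""
    if len(name) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", name):
        return None
    try:
        text = base64.b64decode(name, validate=True).rstrip(b"\x00").decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    return text if len(text) >= 3 and text.isprintable() else None

def triage(log_text):
    """Return (section, finding) pairs for the O17 and O23 lines of a log."""
    findings = []
    for line in log_text.splitlines():
        for ns in untrusted_nameservers(line):
            findings.append(("O17", f"resolver {ns} is outside the trusted networks"))
        path = re.search(r"[A-Za-z]:\\\S+", line) if line.startswith("O23 - ") else None
        for part in (path.group(0).split("\\") if path else []):
            decoded = decode_base64_dirname(part)
            if decoded:
                findings.append(("O23", f"directory {part} is base64 of '{decoded}'"))
    return findings
```

The folder name T3duZXIA decodes to the account name Owner (the same name that appears in the HijackThis.exe path), which is why a check on decodable path components flags it while WINDOWS and system32 pass.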


#5 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • OFFLINE
  • Local time:04:23 PM

Posted 26 November 2005 - 09:20 PM

Due to inactivity, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter. Everyone else please begin a New Topic.





