Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Hijack This Log - Please Help If You Can

  • Please log in to reply
3 replies to this topic

#1 sgoodreds


  • Members
  • 2 posts
  • Local time:08:13 AM

Posted 15 October 2006 - 12:34 PM

My daughter's computer is quite infected. I ran McAfee and there are 601 files that cannot be deleted/quaranteened/cleaned. I ran Adaware, Spinrite, Spybot and TrojanHunter. TrojanHunter found two trojans and deleted them, but they were not included in the 601 unrepairable McAfee files. Posted below is from Hijack This. Can anyone help me, please???

Please feel free to email me .
Thank you!

//Mod edit: To remove email address to protect from spamming.
If you want to receive emails, please include that in your profile.//

Logfile of HijackThis v1.99.1
Scan saved at 1:26:36 PM, on 10/15/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us2.hpwis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcafee.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us2.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us2.hpwis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Servi...omeLeftPane.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {DBFA9789-576C-08C8-1C57-5AF07ECE61C6} - C:\WINDOWS\SYSTEM\XLXDN.DLL (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL (file missing)
O2 - BHO: (no name) - {19B26B92-F973-A7D4-0696-F64A35DEA492} - C:\WINDOWS\SYSTEM\RKEQPPZ.DLL (file missing)
O2 - BHO: (no name) - {DBFA9789-576C-08C8-1C57-5AF07ECE61C6} - C:\WINDOWS\SYSTEM\XLXDN.DLL (file missing)
O2 - BHO: TVEngine Helper /fleok=1D8A83A5C2E6107D98AE75760EA83FA5EF80752B94E3D7765879412E3CCF - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - C:\PROGRAM FILES\SPAMBLOCKERUTILITY\SBTV\SBTVHELPER.DLL (file missing)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - C:\PROGRAM FILES\MCAFEE.COM\MPS\POPUPKILLER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL (file missing)
O3 - Toolbar: (no name) - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZCxdm594YYUS
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/ins...ckerutility.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O21 - SSODL: WjmBacTuAX - {182811D5-B282-BB7F-50D0-4ABA55AA0BBC} - C:\WINDOWS\SYSTEM\WPQP.DLL (file missing)
O21 - SSODL: CD-DVD Device - {1C3B31AE-FD16-D2CE-43FF-DC4CD5C1BC5E} - C:\WINDOWS\SYSTEM\dvdcap.dll

Edited by KoanYorel, 15 October 2006 - 12:38 PM.

BC AdBot (Login to Remove)


#2 DaveM59


    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA
  • Local time:06:13 AM

Posted 17 October 2006 - 05:27 AM

Hi Sgoodreds,

Welcome to Bleeping Computer. :thumbsup:

I will be helping you, under the supervision of one of our expert coaches.

Please give me a little time to analyze your log and post back with instructions.

Thanks for your patience --


#3 DaveM59


    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA
  • Local time:06:13 AM

Posted 18 October 2006 - 06:56 PM

Hi again Sgoodreds,

Before we begin cleaning your computer we need to take care of a few preliminary matters.

First, you are running an outdated version of Internet Explorer. Older versions of IE are unsafe. Please go to this web page to upgrade to Internet Explorer 6, SP1.

Next, make sure that your operating system is fully updated. Microsoft ended active support and new security updates for Windows ME in July, but updates to that point are still available and will patch many security holes. If auto update is not turned on on this computer, click Start, then Windows Update, and follow the prompts to go to the Windows Update website. Install all critical updates.

Finally, you are running HijackThis from a temporary folder. Please install a copy in its own folder, as follows:First, delete the HijackThis .zip file currently on your computer.

Then, download the self-extracting installation file here. Save it to your desktop.

Next, double-click the HijackThis_SFX.exe file icon. A window will open. Accept the default installation folder by clicking Unzip on the right side of the window.

Navigate to the program by double clicking My Computer, C:, Program Files. Find the HijackThis folder and double-click it to open.

If you would like to make a shortcut for your Desktop so it's more easily accessible, right click the HijackThis icon (it looks like a detonator with some dynamite sticks) and choose Send To > Desktop (create shortcut) .
Now we are ready to start cleaning your computer.

Please print out a copy of these instructions, or save them in Notepad. Some steps will be done in safe mode, with no internet access available.

Step 1. Getting set

Begin by downloading Smitrem.exe to your desktop. Double click the icon and accept the default installation path by clicking Start. This will create a smitRem folder on your desktop.

Next, since you already have Ad-Aware, update the definitions.

Finally, Trojan Hunter is a fine program, but its real-time guard feature may interfere with our cleaning process. On the right side of your taskbar, right-click the Trojan Hunter icon, and select Unload. This will diable the guard feature. Be sure to re-enable it when your computer is clean.

Step 2. Unhide files and folders

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files. If you get a warning, click Yes.
8. Press the Apply button and then the OK button and close out My Computer.
9. Now your computer is configured to show all hidden files.
Step 3. Boot into Safe Mode
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a menu.
  • When you have the menu on the screen. Use the arrow keys to move to the line that says Safe Mode.
  • Then press <Enter> on your keyboard to boot into Safe Mode.
Step 4. Run smitRemDouble click the smitRem folder on your desktop to open it.
Double click the program file Runthis.bat. A black command prompt screen will open. Read the message and press 1.
Read the next screen and press 1 again.
The next screen will ask you to close all open windows, including the smitRem folder. Do so, then press 1 again.
Next you will be presented with a series of information screens, each with a prompt at the bottom to Press any key. After reading each screen, do so.
The last of these screens will warn you that your desktop background will be changed to a plain blue. This can be reset after you are clean. Press 1 to start the removal step.
The desktop will disappear; this is normal. Depending on your infection one or more uninstall programs may open; let them run. If any of the spyware programs targeted (such as Spywarequake) opens during this time, just close it.
Eventually you will see a message in the command window saying that smitRem is finished. Press any key to continue. The program will delete some temporary files and folders and then close. The desktop will reappear, minus your wallpaper as promised.
smitRem saves a copy of its log as C:\smitfiles.txt. You will need to copy and paste that file into your next reply.
Step 5. Run Ad-Aware

Open Ad-Aware. Click the Scan button and then select the radio button Full System Scan. When the scan is finished, click on Show logfile. When the logfile opens, right-click on a blank area and select copy to clipboard. Open Notepad, and select Edit, Paste to paste the contents of the logfile into it. Name the file and save it to your desktop. Then click Finish and let Ad-Aware fix (quarantine) everything it has found.

Step 6. Fresh HijackThis scan, and get back to me

Reboot the computer into normal mode. This should happen automatically.

Open HijackThis and run a fresh scan. Copy and paste that log, along with the smitRem and Ad-Aware logs, to a reply here.

Good luck --


#4 DaveM59


    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA
  • Local time:06:13 AM

Posted 23 October 2006 - 01:58 PM

Hi Sgoodreds,

Are you still there?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users